From f8f937a16fdbb0b9a956f0d1b1c7cf9d7651bf73 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 22 Dec 2015 16:41:27 -0800
Subject: [PATCH] undeprecate /proc/cpuinfo, more shell permissions

Access to /proc/cpuinfo was moved to domain_deprecated in commit
6e3506e1ba83fb47297c8908016397c8f17840c4. Restore access to everyone.

Allow the shell user to stat() /dev, and statvfs() /proc and other
labeled filesystems such as /system and /data.

Access to /proc/cpuinfo was explicitly granted to bootanim, but is no
longer required after moving it back to domain.te. Delete the redundant
entry.

Commit 4e2d22451f9645f7ab39b94b1ec0f0f5a5c5b2e9 restored access to
/sys/devices/system/cpu for all domains, but forgot to remove the
redundant entry from bootanim.te. Cleanup the redundant entry.

Addresses the following denials:

  avc: denied { getattr } for pid=23648 comm="bionic-unit-tes" name="/" dev="proc" ino=1 scontext=u:r:shell:s0 tcontext=u:object_r:proc:s0 tclass=filesystem permissive=0
  avc: denied { read } for name="cpuinfo" dev="proc" ino=4026533615 scontext=u:r:shell:s0 tcontext=u:object_r:proc_cpuinfo:s0 tclass=file permissive=0
  avc: denied { getattr } for pid=23713 comm="bionic-unit-tes" path="/dev" dev="tmpfs" ino=11405 scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=dir permissive=0
  avc: denied { getattr } for name="/" dev="mmcblk0p30" ino=2 scontext=u:r:shell:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0

Bug: 26295417
Change-Id: Ia85ac91cbd43235c0f8fe0aebafffb8046cc77ec
---
 bootanim.te          | 2 --
 domain.te            | 3 +++
 domain_deprecated.te | 1 -
 shell.te             | 7 +++++++
 4 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/bootanim.te b/bootanim.te
index 159fd9ea4..550c6dc2a 100644
--- a/bootanim.te
+++ b/bootanim.te
@@ -28,9 +28,7 @@ allow bootanim ion_device:chr_file rw_file_perms;
 # Read access to pseudo filesystems.
 r_dir_file(bootanim, proc)
 r_dir_file(bootanim, sysfs)
-r_dir_file(bootanim, sysfs_devices_system_cpu)
 r_dir_file(bootanim, cgroup)
-allow bootanim proc_cpuinfo:file r_file_perms;
 
 # System file accesses.
 allow bootanim system_file:dir r_dir_perms;
diff --git a/domain.te b/domain.te
index 15594ef6a..79fb9c6be 100644
--- a/domain.te
+++ b/domain.te
@@ -109,6 +109,9 @@ allow domain system_data_file:lnk_file read;
 # required by the dynamic linker
 allow domain proc:lnk_file read;
 
+# /proc/cpuinfo
+allow domain proc_cpuinfo:file r_file_perms;
+
 # toybox loads libselinux which stats /sys/fs/selinux/
 allow domain selinuxfs:file getattr;
 allow domain sysfs:dir search;
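Review bot: The new `# /proc/cpuinfo` comment only names the path; since this rule widens read access from the shrinking domain_deprecated set to every domain on the device, the comment should record why the grant is device-wide rather than scoped to the shell domain that produced the denial, e.g. `# /proc/cpuinfo: restored from domain_deprecated for all domains (Bug 26295417); shell and other unprivileged domains read it`. It is also worth confirming on the target kernels that /proc/cpuinfo carries no per-device identifier (some ARM kernels have exposed one), because after this rule any domain, not just shell, can read it. The rule grants `r_file_perms` where the shell rule at the start of the shell.te hunk uses the narrower `{ open read getattr }`; if the wider set is intended, a word on that would help.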
diff --git a/domain_deprecated.te b/domain_deprecated.te
index cd1a08c3b..7be9a3e8c 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -66,7 +66,6 @@ r_dir_file(domain_deprecated, sysfs)
 r_dir_file(domain_deprecated, inotify)
 r_dir_file(domain_deprecated, cgroup)
 r_dir_file(domain_deprecated, proc_net)
-allow domain_deprecated proc_cpuinfo:file r_file_perms;
 
 # Get SELinux enforcing status.
 allow domain_deprecated selinuxfs:dir r_dir_perms;
diff --git a/shell.te b/shell.te
index 9622905b4..1ae7169e5 100644
--- a/shell.te
+++ b/shell.te
@@ -96,6 +96,13 @@ r_dir_file(shell, cgroup)
 allow shell domain:dir { search open read getattr };
 allow shell domain:{ file lnk_file } { open read getattr };
 
+# statvfs() of /proc and other labeled filesystems
+# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs)
+allow shell { proc labeledfs }:filesystem getattr;
+
+# stat() of /dev
+allow shell device:dir getattr;
+
 # allow shell to read /proc/pid/attr/current for ps -Z
 allow shell domain:process getattr;
 
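Review bot: The comment above `allow shell { proc labeledfs }:filesystem getattr;` enumerates concrete filesystem types, which duplicates the definition of the `labeledfs` attribute elsewhere in the policy and will go stale as types are added or removed; replace the list with a reference such as `# statvfs() of /proc and of every filesystem carrying the labeledfs attribute (see where the attribute is assigned)`. The denials quoted in the commit message come from `comm="bionic-unit-tes"`, so the grant is driven by the bionic unit tests run from the shell; naming that consumer in the comment (and the bug number) would make it clear whether the rule can be dropped if those tests change. Both new rules are read-only metadata queries, so the exposure added to the shell domain is limited to filesystem statistics and /dev attributes.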
-- 
GitLab