Merge "Give init and dumpstate access to /proc/allocinfo" into main
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 0e2b01c..434fb13 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -204,6 +204,7 @@
# Create a more specific label if needed
neverallow all_untrusted_apps {
proc
+ proc_allocinfo
proc_asound
proc_kmsg
proc_loadavg
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 1020088..a1c9ed3 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -394,6 +394,7 @@
# Read files in /proc
allow dumpstate {
+ proc_allocinfo
proc_bootconfig
proc_buddyinfo
proc_cmdline
diff --git a/private/file.te b/private/file.te
index 189fb47..856af1d 100644
--- a/private/file.te
+++ b/private/file.te
@@ -1,3 +1,6 @@
+# /proc/allocinfo
+type proc_allocinfo, fs_type, proc_type;
+
# /proc/config.gz
type config_gz, fs_type, proc_type;
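Review bot: The comment on the new type, `# /proc/allocinfo`, only repeats the path and does not say what the node exposes or why it gets its own label. Something like `# /proc/allocinfo: kernel memory allocation profiling data, per call site` would tell the next policy author why reads are kept narrow. Because the type carries `proc_type`, any rule elsewhere in the policy written against that attribute would also apply to it. The visible hunks only add a neverallow for `all_untrusted_apps`, so it is worth confirming that no broader domain picks up read access through the attribute.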
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 3ff1012..62d6c1a 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -2,6 +2,7 @@
genfscon rootfs / u:object_r:rootfs:s0
# proc labeling can be further refined (longest matching prefix).
genfscon proc / u:object_r:proc:s0
+genfscon proc /allocinfo u:object_r:proc_allocinfo:s0
genfscon proc /asound u:object_r:proc_asound:s0
genfscon proc /bootconfig u:object_r:proc_bootconfig:s0
genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0
diff --git a/private/init.te b/private/init.te
index 23c464c..35d7647 100644
--- a/private/init.te
+++ b/private/init.te
@@ -539,6 +539,7 @@
allow init {
proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
+ proc_allocinfo
proc_bootconfig
proc_cmdline
proc_diskstats
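Review bot: Neither init rule that gains `proc_allocinfo` records why init needs it, and the second one (the hunk at -574, under `# init chmod/chown access to /proc files.`) lets init change the node's owner and mode. The permission sets of both rules lie outside the hunks, so the exact access granted cannot be checked from here. Since the DAC mode init applies is the second gate on who can read this file, I would add a trailing comment on each new line in the style already used for `proc`, e.g. `proc_allocinfo # init.rc sets owner/mode for dumpstate; b/<bug id>`, with the real reason and bug reference filled in by the author.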
@@ -574,6 +575,7 @@
# init chmod/chown access to /proc files.
allow init {
+ proc_allocinfo
proc_cmdline
proc_bootconfig
proc_kmsg