commit 6faa3a1a54544e5c993836afefcc98ca7c65cdfd
author Tri Vo <trong@google.com> Fri Nov 17 20:51:14 2017 +0000
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Fri Nov 17 20:51:14 2017 +0000
tree 567bd99a03672cfcf9b00da723b30b1b2a9d6f11
parent cd753d11ec7cb9d66f98b9db517c05b1487965f5
parent c4ef36300629f2a7f72fc7d7177af464a164ad09

Merge "shell: neverallow access to 'proc' label."

private/domain.te

diff --git a/private/domain.te b/private/domain.te
index 66fb640..ec34213 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -27,7 +27,6 @@
     -dumpstate
     -platform_app
     -priv_app
-    -shell
     -system_app
     -vold
     -vendor_init

public/shell.te

diff --git a/public/shell.te b/public/shell.te
index 3ef1486..cac84d4 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -107,16 +107,21 @@
 allow shell hwservicemanager:hwservice_manager list;
 
 # allow shell to look through /proc/ for lsmod, ps, top, netstat.
-r_dir_file(shell, proc)
 r_dir_file(shell, proc_net)
-allow shell proc_filesystems:file r_file_perms;
-allow shell proc_interrupts:file r_file_perms;
-allow shell proc_meminfo:file r_file_perms;
-allow shell proc_modules:file r_file_perms;
-allow shell proc_stat:file r_file_perms;
-allow shell proc_timer:file r_file_perms;
-allow shell proc_version:file r_file_perms;
-allow shell proc_zoneinfo:file r_file_perms;
+
+allow shell {
+  proc_asound
+  proc_filesystems
+  proc_interrupts
+  proc_meminfo
+  proc_modules
+  proc_stat
+  proc_timer
+  proc_uptime
+  proc_version
+  proc_zoneinfo
+}:file r_file_perms;
+
 r_dir_file(shell, cgroup)
 allow shell domain:dir { search open read getattr };
 allow shell domain:{ file lnk_file } { open read getattr };