Merge "priv_app: remove access to 'proc' and 'sysfs' types."
diff --git a/private/domain.te b/private/domain.te
index f66185d..8a41097 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -25,7 +25,6 @@
   neverallow {
     coredomain
     -dumpstate
-    -priv_app
     -vold
     -vendor_init
   } proc:file no_rw_file_perms;
@@ -35,7 +34,6 @@
     coredomain
     -dumpstate
     -init
-    -priv_app
     -ueventd
     -vold
     -vendor_init
diff --git a/private/priv_app.te b/private/priv_app.te
index e3eec83..dcf7572 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -77,9 +77,17 @@
 allow priv_app vold:fd use;
 allow priv_app fuse_device:chr_file { read write };
 
-# /sys and /proc access
-r_dir_file(priv_app, sysfs_type)
-r_dir_file(priv_app, proc)
+# /proc access
+allow priv_app {
+  proc_vmstat
+}:file r_file_perms;
+
+allow priv_app sysfs_type:dir search;
+# Read access to /sys/class/net/wlan*/address
+r_dir_file(priv_app, sysfs_net)
+# Read access to /sys/block/zram*/mm_stat
+r_dir_file(priv_app, sysfs_zram)
+
 r_dir_file(priv_app, rootfs)
 
 # Allow GMS core to open kernel config for OTA matching through libvintf
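Review bot: The two comments above `r_dir_file(priv_app, sysfs_net)` and `r_dir_file(priv_app, sysfs_zram)` describe a single file each, but the rules grant directory read/search and file read on every object carrying those types, which (if sysfs_net and sysfs_zram are genfs labels covering /sys/class/net and /sys/block/zram* as their names suggest — confirm against genfs_contexts) is considerably wider than one attribute file. Comments on allow rules should state the scope of the grant, not only the use case, so the next reviewer does not assume the rule is narrower than it is; consider `# sysfs_net: all of /sys/class/net — needed for /sys/class/net/wlan*/address` and the matching form for sysfs_zram. `allow priv_app sysfs_type:dir search;` is likewise an attribute-wide grant across every sysfs_type directory rather than just the two paths; a one-line comment saying it exists only to traverse to the two types below would make the intent clear. The comment `# /proc access` now covers only `proc_vmstat`, so naming the type (`# /proc/vmstat access`) would be more precise.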
@@ -129,6 +137,7 @@
 # suppress denials for non-API accesses.
 dontaudit priv_app exec_type:file getattr;
 dontaudit priv_app device:dir read;
+dontaudit priv_app proc:file read;
 dontaudit priv_app proc_interrupts:file read;
 dontaudit priv_app proc_modules:file read;
 dontaudit priv_app proc_version:file read;
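Review bot: `dontaudit priv_app proc:file read;` is added in the same commit that removes the broad `r_dir_file(priv_app, proc)` grant, so any privileged app that still depends on a file labelled `proc` will now fail silently instead of producing a denial that could be triaged. That trades audit visibility for log quiet at exactly the moment the signal is most useful; if that is intended, a comment such as `# proc reads were removed above; silence apps still probing generic /proc files` next to the line would record the decision, otherwise consider landing the dontaudit separately once denials have been reviewed. The existing `dontaudit` lines for proc_interrupts, proc_modules and proc_version follow the same `file read` form, so the new line is at least consistent with them.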