Merge "priv_app: remove access to 'proc' and 'sysfs' types."
diff --git a/private/domain.te b/private/domain.te
index f66185d..8a41097 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -25,7 +25,6 @@
neverallow {
coredomain
-dumpstate
- -priv_app
-vold
-vendor_init
} proc:file no_rw_file_perms;
@@ -35,7 +34,6 @@
coredomain
-dumpstate
-init
- -priv_app
-ueventd
-vold
-vendor_init
diff --git a/private/priv_app.te b/private/priv_app.te
index e3eec83..dcf7572 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -77,9 +77,17 @@
allow priv_app vold:fd use;
allow priv_app fuse_device:chr_file { read write };
-# /sys and /proc access
-r_dir_file(priv_app, sysfs_type)
-r_dir_file(priv_app, proc)
+# /proc access
+allow priv_app {
+ proc_vmstat
+}:file r_file_perms;
+
+allow priv_app sysfs_type:dir search;
+# Read access to /sys/class/net/wlan*/address
+r_dir_file(priv_app, sysfs_net)
+# Read access to /sys/block/zram*/mm_stat
+r_dir_file(priv_app, sysfs_zram)
+
r_dir_file(priv_app, rootfs)
# Allow GMS core to open kernel config for OTA matching through libvintf
@@ -129,6 +137,7 @@
# suppress denials for non-API accesses.
dontaudit priv_app exec_type:file getattr;
dontaudit priv_app device:dir read;
+dontaudit priv_app proc:file read;
dontaudit priv_app proc_interrupts:file read;
dontaudit priv_app proc_modules:file read;
dontaudit priv_app proc_version:file read;