domain.te: remove /proc/sys/vm/overcommit_memory read access
Remove everyone's ability to read /proc/sys/vm/overcommit_memory.
Android's jemalloc implementation no longer uses this file.
init.te had more than one rule granting init write access to this file;
drop the duplicate standalone rule and keep the entry in the shared list.
Bug: 140736217
Test: compiles and boots
Test: bypass setup wizard and start the browser, browse the web
Change-Id: I5a2d5f450f5dde5dd55a0cedd7fbd55a6ac0beed
diff --git a/public/domain.te b/public/domain.te
index 29e007d..ddffd12 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -237,9 +237,6 @@
# /dev/cpu_variant:.*
allow domain dev_cpu_variant:file r_file_perms;
-# jemalloc needs to read /proc/sys/vm/overcommit_memory
-allow domain proc_overcommit_memory:file r_file_perms;
-
# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate
allow domain proc_perf:file r_file_perms;
diff --git a/public/init.te b/public/init.te
index 35fab33..2231a9b 100644
--- a/public/init.te
+++ b/public/init.te
@@ -340,7 +340,7 @@
proc_net_type
proc_max_map_count
proc_min_free_order_shift
- proc_overcommit_memory
+ proc_overcommit_memory # /proc/sys/vm/overcommit_memory
proc_panic
proc_page_cluster
proc_perf
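Review bot: The comment added to the `proc_overcommit_memory` entry names the path but not the reason this entry now matters: after the standalone `allow init proc_overcommit_memory:file { write };` rule is dropped later in this commit, this list entry is the only remaining grant of write access for init, so a future cleanup could silently drop it. The enclosing `allow init { ... }` statement and its permission set begin before this hunk, so from here it cannot be confirmed that the set is a superset of the `write` permission the removed rule granted; that is worth checking once before merging. Consider extending the comment to `proc_overcommit_memory # /proc/sys/vm/overcommit_memory; sole write grant for init now that domain-wide read access is gone`.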
@@ -535,9 +535,6 @@
FS_IOC_SET_ENCRYPTION_POLICY
};
-# Allow init to write to /proc/sys/vm/overcommit_memory
-allow init proc_overcommit_memory:file { write };
-
# Raw writes to misc block device
allow init misc_block_device:blk_file w_file_perms;