/proc, /sys access from uncrypt, update_engine, postinstall_dexopt
New types:
1. proc_random
2. sysfs_dt_firmware_android
Labeled:
1. /proc/sys/kernel/random as proc_random.
2. /sys/firmware/devicetree/base/firmware/android/{compatible, fstab,
vbmeta} as sysfs_dt_firmware_android.
Changed access:
1. uncrypt, update_engine, postinstall_dexopt have access to generic proc
and sysfs labels removed.
2. appropriate permissions were added to uncrypt, update_engine,
update_engine_common, postinstall_dexopt.
Bug: 67416435
Bug: 67416336
Test: fake ota go/manual-ab-ota runs without denials
Test: adb sideload runs without denials to new types
Change-Id: Id31310ceb151a18652fcbb58037a0b90c1f6505a
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 2a32f14..86282d5 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -447,7 +447,20 @@
(typeattributeset preopt2cachename_exec_26_0 (preopt2cachename_exec))
(typeattributeset print_service_26_0 (print_service))
(typeattributeset priv_app_26_0 (mediaprovider priv_app))
-(typeattributeset proc_26_0 (proc proc_asound proc_cmdline proc_filesystems proc_kmsg proc_loadavg proc_mounts proc_pagetypeinfo proc_swaps proc_uid_time_in_state proc_version proc_vmallocinfo))
+(typeattributeset proc_26_0
+ ( proc
+ proc_asound
+ proc_cmdline
+ proc_filesystems
+ proc_kmsg
+ proc_loadavg
+ proc_mounts
+ proc_pagetypeinfo
+ proc_random
+ proc_swaps
+ proc_uid_time_in_state
+ proc_version
+ proc_vmallocinfo))
(typeattributeset proc_bluetooth_writable_26_0 (proc_bluetooth_writable))
(typeattributeset proc_cpuinfo_26_0 (proc_cpuinfo))
(typeattributeset proc_drop_caches_26_0 (proc_drop_caches))
@@ -568,6 +581,7 @@
( sysfs
sysfs_android_usb
sysfs_dm
+ sysfs_dt_firmware_android
sysfs_ipv4
sysfs_net
sysfs_power
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 7bf252d..124da42 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -33,6 +33,7 @@
genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/random u:object_r:proc_random:s0
genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
genfscon proc /sys/net u:object_r:proc_net:s0
@@ -73,6 +74,7 @@
genfscon sysfs /devices/virtual/misc/hw_random u:object_r:sysfs_hwrandom:s0
genfscon sysfs /devices/virtual/net u:object_r:sysfs_net:s0
genfscon sysfs /devices/virtual/switch u:object_r:sysfs_switch:s0
+genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
genfscon sysfs /power/state u:object_r:sysfs_power:s0
genfscon sysfs /power/wakeup_count u:object_r:sysfs_power:s0