Remove proc and sysfs access from system_app and platform_app.
Bug: 65643247
Test: manual
Test: browse internet
Test: take a picture
Change-Id: I9faff44b7a025c7422404d777113e40842ea26dd
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 78e7b74..a587b4d 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -476,7 +476,8 @@
proc_uid_concurrent_policy_time
proc_uptime
proc_version
- proc_vmallocinfo))
+ proc_vmallocinfo
+ proc_vmstat))
(typeattributeset proc_bluetooth_writable_26_0 (proc_bluetooth_writable))
(typeattributeset proc_cpuinfo_26_0 (proc_cpuinfo))
(typeattributeset proc_drop_caches_26_0 (proc_drop_caches))
diff --git a/private/domain.te b/private/domain.te
index 6fef279..f66185d 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -25,9 +25,7 @@
neverallow {
coredomain
-dumpstate
- -platform_app
-priv_app
- -system_app
-vold
-vendor_init
} proc:file no_rw_file_perms;
@@ -38,7 +36,6 @@
-dumpstate
-init
-priv_app
- -system_app
-ueventd
-vold
-vendor_init
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 6be0ff3..1fddb6e 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -79,6 +79,7 @@
genfscon proc /uptime u:object_r:proc_uptime:s0
genfscon proc /version u:object_r:proc_version:s0
genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
+genfscon proc /vmstat u:object_r:proc_vmstat:s0
genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
# selinuxfs booleans can be individually labeled.
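Review bot: Giving /proc/vmstat its own label on the added `genfscon proc /vmstat u:object_r:proc_vmstat:s0` line removes it from every core domain that previously read it through a generic `proc:file` rule, and the only new grant visible in this commit is the one for platform_app. The 26.0.cil hunk adds proc_vmstat to what appears to be the versioned proc attribute, which should keep vendor policy working, but platform domains get no equivalent mapping. It would be worth collecting audit logs from a full boot and a bugreport and looking for `tcontext=u:object_r:proc_vmstat:s0` denials, since the manual tests listed in the description are unlikely to exercise those readers.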
diff --git a/private/platform_app.te b/private/platform_app.te
index 2596a8e..67a9c33 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -41,7 +41,9 @@
allow platform_app rootfs:dir getattr;
# com.android.captiveportallogin reads /proc/vmstat
-allow platform_app proc:file r_file_perms;
+allow platform_app {
+ proc_vmstat
+}:file r_file_perms;
allow platform_app audioserver_service:service_manager find;
allow platform_app cameraserver_service:service_manager find;
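Review bot: The new `allow platform_app { proc_vmstat }:file r_file_perms;` rule grants read access to /proc/vmstat to every app in the platform_app domain, while the comment above it names only com.android.captiveportallogin as the consumer. Since /proc/vmstat reports system-wide counters, the grant is wider than the stated need, and I would extend the comment to record that, for example `# TODO: drop once com.android.captiveportallogin no longer reads /proc/vmstat`. If no further proc types are expected in this set, `allow platform_app proc_vmstat:file r_file_perms;` reads more simply than a single-element brace list.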
diff --git a/private/system_app.te b/private/system_app.te
index c61bdd9..cd697a1 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -102,12 +102,8 @@
user_changed
};
-# /sys access
-r_dir_file(system_app, sysfs_type)
-
-# settings app reads /proc/version and /proc/pagetypeinfo
+# settings app reads /proc/version
allow system_app {
- proc
proc_version
}:file r_file_perms;
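Review bot: The rewritten comment drops /proc/pagetypeinfo without saying whether Settings stopped reading it or will now simply be denied. With `proc` removed from the allow set, that file (presumably still under the generic proc label) is no longer readable from system_app. I would make that explicit, e.g. `# settings app reads /proc/version; /proc/pagetypeinfo is intentionally no longer readable`. The same applies to the removed `r_dir_file(system_app, sysfs_type)`: the domain.te hunks take system_app out of the neverallow exemption lists, so a remaining /sys reader cannot be re-allowed generically and will surface only as a runtime avc denial. Exercising Settings while watching for `scontext=u:r:system_app:s0` denials would cover this, as the listed tests do not touch system_app. The statement ending in `user_changed };` starts outside the hunk.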
diff --git a/public/file.te b/public/file.te
index 56b6c2f..d668746 100644
--- a/public/file.te
+++ b/public/file.te
@@ -57,6 +57,7 @@
type proc_uptime, fs_type;
type proc_version, fs_type;
type proc_vmallocinfo, fs_type;
+type proc_vmstat, fs_type;
type proc_zoneinfo, fs_type;
type selinuxfs, fs_type, mlstrustedobject;
type cgroup, fs_type, mlstrustedobject;