commit 218d87c01c6a415029d89f2bffa44a8a2e2a901d
author Tri Vo <trong@google.com> Wed Jan 17 15:59:48 2018 -0800
committer Tri Vo <trong@google.com> Tue Jan 23 03:24:37 2018 +0000
tree 8c23f8815b19ef21680197db52987866b0e6906b
parent e58fa548038f563158ea4352d3942f487a9bbff2

dumpstate: remove access to 'proc' and 'sysfs' types.

And grant appropriate permissions to more granular types.

Bug: 29319732
Bug: 65643247
Test: adb bugreport; no new denials to /proc or /sys files.

Change-Id: Ied99546164e79bfa6148822858c165177d3720a5

private/compat/26.0/26.0.cil

diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index a587b4d..d44fd7a 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -452,6 +452,7 @@
   ( proc
     proc_abi
     proc_asound
+    proc_buddyinfo
     proc_cmdline
     proc_dirty
     proc_diskstats

private/domain.te

diff --git a/private/domain.te b/private/domain.te
index 8a41097..dae40d2 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -24,7 +24,6 @@
   # /proc
   neverallow {
     coredomain
-    -dumpstate
     -vold
     -vendor_init
   } proc:file no_rw_file_perms;
@@ -32,7 +31,6 @@
   # /sys
   neverallow {
     coredomain
-    -dumpstate
     -init
     -ueventd
     -vold

private/genfs_contexts

diff --git a/private/genfs_contexts b/private/genfs_contexts
index 1fddb6e..2ff1b4d 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -3,6 +3,7 @@
 # proc labeling can be further refined (longest matching prefix).
 genfscon proc / u:object_r:proc:s0
 genfscon proc /asound u:object_r:proc_asound:s0
+genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0
 genfscon proc /cmdline u:object_r:proc_cmdline:s0
 genfscon proc /config.gz u:object_r:config_gz:s0
 genfscon proc /diskstats u:object_r:proc_diskstats:s0