Fix pid_max denials from dumpstate, incidentd

The dumpstate and incidentd contexts may call out to toybox tools like
"ps" and "top", which are now reading /proc/sys/kernel/pid_max.

Fixes denials like:

avc: denied { read } for comm="top" name="pid_max" dev="proc" ino=125433
scontext=u:r:incidentd:s0 tcontext=u:object_r:proc_pid_max:s0
tclass=file permissive=0

avc: denied { read } for comm="ps" name="pid_max" dev="proc" ino=125433
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_pid_max:s0
tclass=file permissive=0

avc: denied { read } for comm="ps" name="pid_max" dev="proc" ino=125433
scontext=u:r:incidentd:s0 tcontext=u:object_r:proc_pid_max:s0
tclass=file permissive=0

Bug: 171070708
Bug: 172703374
Bug: 174618269
Change-Id: Ief5662c6d484e966bd1ba7134eddfabb3f7ad0e4
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 65a9cc3..13c2c5e 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -51,7 +51,12 @@
 allow dumpstate dev_type:blk_file getattr;
 allow dumpstate webview_zygote:process signal;
 dontaudit dumpstate update_engine:binder call;
-allow dumpstate proc_net_tcp_udp:file r_file_perms;
+
+# Read files in /proc
+allow dumpstate {
+  proc_net_tcp_udp
+  proc_pid_max
+}:file r_file_perms;
 
 # For comminucating with the system process to do confirmation ui.
 binder_call(dumpstate, incidentcompanion_service)
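Review bot: the lone `+` blank line inserted directly under `dontaudit dumpstate update_engine:binder call;` detaches the new `# Read files in /proc` block from the surrounding allow rules; that spacing mirrors the incidentd.te layout and is fine if intentional, but confirm it is deliberate rather than a leftover from replacing the old single-type rule. The permission set itself is unchanged in scope: `r_file_perms` is broader than the single `{ read }` in the quoted denials, but it is the same macro the removed `proc_net_tcp_udp` rule already used, and the denials show `comm="ps"` running with `scontext=u:r:dumpstate:s0`, so granting the type to dumpstate itself (rather than to a separate tool domain) is the right place.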
diff --git a/private/incidentd.te b/private/incidentd.te
index f10173b..0731dec 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -67,6 +67,7 @@
 # Read files in /proc
 allow incidentd {
   proc_cmdline
+  proc_pid_max
   proc_pipe_conf
   proc_stat
 }:file r_file_perms;
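Review bot: `proc_pid_max` is inserted between `proc_cmdline` and `proc_pipe_conf`, preserving the alphabetical ordering this block already uses, and it reuses the existing `r_file_perms` grant rather than adding a second rule, which is the consistent choice. The quoted denials for `comm="top"` and `comm="ps"` carry `scontext=u:r:incidentd:s0`, so the toybox tools run in the incidentd domain itself and this is the correct domain to extend; no further change needed in this hunk.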