Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 419f7a7caccf12285936b493cfb05bf93ca22172^! / . / private
commit419f7a7caccf12285936b493cfb05bf93ca22172[log] [tgz]
authorAlessio Balsini <balsini@google.com>Wed Dec 11 13:43:58 2024 +0000
committerAlessio Balsini <balsini@google.com>Fri Dec 27 16:28:45 2024 +0000
tree74975e45ef14089e27139726ce12c64555ec3d4e
parent2a286109df73c7e434d9a21be89d69a505a7ca1a [diff]
Give init and dumpstate access to /proc/allocinfo

/proc/allocinfo is a file that presents a snapshot of how much memory
and how many memory allocations are triggered, by kernel location.
This is an important debugging information that should be collected as
part of bugreports.

This change gives access to the file to init, so that it can change
permissions to access the file, and dumpstate, so that it can read the
file contents.

Bug: 384777823
Test: adb shell dumpstate
Change-Id: I5b0401c44b5994416bc9217e4adbd3a781eb6b2c
Signed-off-by: Alessio Balsini <balsini@google.com>

diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 0e2b01c..434fb13 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te

@@ -204,6 +204,7 @@
 # Create a more specific label if needed
 neverallow all_untrusted_apps {
   proc
+  proc_allocinfo
   proc_asound
   proc_kmsg
   proc_loadavg

diff --git a/private/dumpstate.te b/private/dumpstate.te
index 5e3bce5..f9d56ee 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te

@@ -394,6 +394,7 @@
 
 # Read files in /proc
 allow dumpstate {
+  proc_allocinfo
   proc_bootconfig
   proc_buddyinfo
   proc_cmdline

diff --git a/private/file.te b/private/file.te
index 189fb47..856af1d 100644
--- a/private/file.te
+++ b/private/file.te

@@ -1,3 +1,6 @@
+# /proc/allocinfo
+type proc_allocinfo, fs_type, proc_type;
+
 # /proc/config.gz
 type config_gz, fs_type, proc_type;
 

diff --git a/private/genfs_contexts b/private/genfs_contexts
index 3ff1012..62d6c1a 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts

@@ -2,6 +2,7 @@
 genfscon rootfs / u:object_r:rootfs:s0
 # proc labeling can be further refined (longest matching prefix).
 genfscon proc / u:object_r:proc:s0
+genfscon proc /allocinfo u:object_r:proc_allocinfo:s0
 genfscon proc /asound u:object_r:proc_asound:s0
 genfscon proc /bootconfig u:object_r:proc_bootconfig:s0
 genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0

diff --git a/private/init.te b/private/init.te
index 23c464c..35d7647 100644
--- a/private/init.te
+++ b/private/init.te

@@ -539,6 +539,7 @@
 
 allow init {
   proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
+  proc_allocinfo
   proc_bootconfig
   proc_cmdline
   proc_diskstats
@@ -574,6 +575,7 @@
 
 # init chmod/chown access to /proc files.
 allow init {
+  proc_allocinfo
   proc_cmdline
   proc_bootconfig
   proc_kmsg