Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 4cacfc3bdf4525f76d5b5c6ab7cd45f5f70b930e^1..4cacfc3bdf4525f76d5b5c6ab7cd45f5f70b930e / .
commit4cacfc3bdf4525f76d5b5c6ab7cd45f5f70b930e[log] [tgz]
authorTreehugger Robot <treehugger-gerrit@google.com>Tue Sep 10 00:29:37 2019 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>Tue Sep 10 00:29:37 2019 +0000
tree356bcb35f99590523a59960fde830a4050e515af
parentaa31e64e83447ac8945ba906fb53c65da8d422f6 [diff]
parent003e858205e28d02bfb47c107dbc0689674eb810 [diff]
Merge "domain.te: remove /proc/sys/vm/overcommit_memory read access"
diff --git a/public/domain.te b/public/domain.te
index 29e007d..ddffd12 100644
--- a/public/domain.te
+++ b/public/domain.te

@@ -237,9 +237,6 @@
 # /dev/cpu_variant:.*
 allow domain dev_cpu_variant:file r_file_perms;
 
-# jemalloc needs to read /proc/sys/vm/overcommit_memory
-allow domain proc_overcommit_memory:file r_file_perms;
-
 # profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate
 allow domain proc_perf:file r_file_perms;
 

diff --git a/public/init.te b/public/init.te
index 35fab33..2231a9b 100644
--- a/public/init.te
+++ b/public/init.te

@@ -340,7 +340,7 @@
   proc_net_type
   proc_max_map_count
   proc_min_free_order_shift
-  proc_overcommit_memory
+  proc_overcommit_memory      # /proc/sys/vm/overcommit_memory
   proc_panic
   proc_page_cluster
   proc_perf
@@ -535,9 +535,6 @@
   FS_IOC_SET_ENCRYPTION_POLICY
 };
 
-# Allow init to write to /proc/sys/vm/overcommit_memory
-allow init proc_overcommit_memory:file { write };
-
 # Raw writes to misc block device
 allow init misc_block_device:blk_file w_file_perms;