Allow callers of uevent_kernel_*() access to /proc/sys/kernel/overflowuid
Bug: 62378620
Test: Android in Chrome OS can call uevent_kernel_recv() and not fail
with EIO.
Test: bullhead networking still works
Change-Id: I4dd5d2148ee1704c4fa23d7fd82d1ade19b58cbd
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 4ebb66e..1ebab61 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -455,6 +455,7 @@
proc_kmsg
proc_loadavg
proc_mounts
+ proc_overflowuid
proc_page_cluster
proc_pagetypeinfo
proc_random
diff --git a/private/genfs_contexts b/private/genfs_contexts
index a6de59a..ee17d49 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -31,6 +31,7 @@
genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0
genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
+genfscon proc /sys/kernel/overflowuid u:object_r:proc_overflowuid:s0
genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/random u:object_r:proc_random:s0
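Review bot: Only /sys/kernel/overflowuid receives the dedicated label; its sibling sysctl /proc/sys/kernel/overflowgid keeps whatever the catch-all proc entry gives it, so a consumer that later needs the gid counterpart would hit the same denial this change fixes. If the uevent_kernel_*() path only consults the uid that is fine as is, but a one-line comment above the new entry would stop the next reader from assuming the pair was split deliberately, e.g. `# overflowuid only: read by the uevent_kernel_*() helpers; confirm overflowgid is not needed by the same callers`. Presumably the file was labeled by the generic proc entry before, so any domain that read it through a broad proc allow now needs an explicit proc_overflowuid rule; the .te hunks in this change cover init, ueventd, netd, vold, healthd and hal_usb, and any vendor domain outside this tree would surface as a new denial rather than silently keep access.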
diff --git a/public/file.te b/public/file.te
index 9057c19..37ebde4 100644
--- a/public/file.te
+++ b/public/file.te
@@ -26,6 +26,7 @@
type proc_modules, fs_type;
type proc_mounts, fs_type;
type proc_net, fs_type;
+type proc_overflowuid, fs_type;
type proc_page_cluster, fs_type;
type proc_pagetypeinfo, fs_type;
type proc_perf, fs_type;
diff --git a/public/hal_usb.te b/public/hal_usb.te
index 9cfd516..e2e3449 100644
--- a/public/hal_usb.te
+++ b/public/hal_usb.te
@@ -15,4 +15,5 @@
allow hal_usb sysfs:file open;
allow hal_usb sysfs:file write;
allow hal_usb sysfs:file getattr;
+allow hal_usb proc_overflowuid:file r_file_perms;
diff --git a/public/healthd.te b/public/healthd.te
index c0a7bec..e7c92c4 100644
--- a/public/healthd.te
+++ b/public/healthd.te
@@ -55,6 +55,7 @@
allow healthd ashmem_device:chr_file execute;
allow healthd self:process execmem;
allow healthd proc_sysrq:file rw_file_perms;
+allow healthd proc_overflowuid:file r_file_perms;
add_service(healthd, batteryproperties_service)
diff --git a/public/init.te b/public/init.te
index 2d55aba..bc10a82 100644
--- a/public/init.te
+++ b/public/init.te
@@ -280,6 +280,9 @@
# Write to /proc/sys/vm/page-cluster
allow init proc_page_cluster:file w_file_perms;
+# Read /proc/sys/kernel/overflowuid
+allow init proc_overflowuid:file r_file_perms;
+
# Reboot.
allow init self:capability sys_boot;
diff --git a/public/netd.te b/public/netd.te
index a1917b3..17f60b5 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -37,6 +37,9 @@
# For /proc/sys/net/ipv[46]/route/flush.
allow netd proc_net:file rw_file_perms;
+# Access for /proc/sys/kernel/overflowuid.
+allow netd proc_overflowuid:file r_file_perms;
+
# Enables PppController and interface enumeration (among others)
allow netd sysfs:dir r_dir_perms;
r_dir_file(netd, sysfs_net)
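Review bot: The new comment `# Access for /proc/sys/kernel/overflowuid.` restates the path the allow rule already names without saying why netd needs it; the reason lives only in the commit message. Suggest `# Read /proc/sys/kernel/overflowuid; needed by the uevent_kernel_*() helpers.` and the same wording in the ueventd.te hunk, whose comment is identical. The hal_usb.te and healthd.te hunks add the same allow rule with no comment at all, so the why-comment belongs there too. On hal_usb.te the rule is presumably written on the hal_usb attribute rather than a concrete server domain, so it extends to every domain carrying that attribute; worth confirming that is intended rather than scoping the read to the server side.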
diff --git a/public/ueventd.te b/public/ueventd.te
index 212087e..7e1f3fd 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -36,6 +36,9 @@
# Use setfscreatecon() to label /dev directories and files.
allow ueventd self:process setfscreate;
+# Access for /proc/sys/kernel/overflowuid.
+allow ueventd proc_overflowuid:file r_file_perms;
+
#####
##### neverallow rules
#####
diff --git a/public/vold.te b/public/vold.te
index 2c2f147..148f4b5 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -24,6 +24,7 @@
proc_filesystems
proc_meminfo
proc_mounts
+ proc_overflowuid
}:file r_file_perms;
#Get file contexts