commit 64a0503831f3f6c44e350a112f5e36a4569f3e1a
author Luis Hector Chavez <lhchavez@google.com> Thu Feb 23 14:40:56 2017 -0800
committer Luis Hector Chavez <lhchavez@google.com> Thu Feb 23 15:22:06 2017 -0800
tree febf25acdbba70df484b8f762ee1bb5da43de0dd
parent 38dc1e2230b4a244003b69694674362f5df1ddc7

Restrict /proc/sys/vm/mmap_rnd_bits

Label /proc/sys/vm/mmap_rnd_bits so it is only readable and writable by
init. This also tightens the neverallow restrictions for proc_security.

Bug: 33563834
Test: run cts -m CtsPermissionTestCases -t \
      android.permission.cts.FileSystemPermissionTest#testProcfsMmapRndBitsExistsAndSane

Change-Id: Ie7af39ddbf23806d4ffa35e7b19d30fec7b6d410

private/genfs_contexts

diff --git a/private/genfs_contexts b/private/genfs_contexts
index 0c50675..d1e1b91 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -26,6 +26,8 @@
 genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
 genfscon proc /sys/net u:object_r:proc_net:s0
 genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
+genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
+genfscon proc /sys/vm/mmap_rnd_compat_bits u:object_r:proc_security:s0
 genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
 genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0
 genfscon proc /timer_list u:object_r:proc_timer:s0

public/domain.te

diff --git a/public/domain.te b/public/domain.te
index e2c71da..10e62b8 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -251,7 +251,7 @@
 # Only init should be able to configure kernel usermodehelpers or
 # security-sensitive proc settings.
 neverallow { domain -init } usermodehelper:file { append write };
-neverallow { domain -init } proc_security:file { append write };
+neverallow { domain -init } proc_security:file { append open read write };
 
 # No domain should be allowed to ptrace init.
 neverallow * init:process ptrace;