fine-grained policy for access to /proc/zoneinfo

Change-Id: Ica9a16311075f5cc3744d0e0833ed876e201029f
diff --git a/dumpstate.te b/dumpstate.te
index 08dcb4d..4bb12c3 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -144,3 +144,4 @@
 allow dumpstate atrace_exec:file rx_file_perms;
 
 allow dumpstate proc_interrupts:file r_file_perms;
+allow dumpstate proc_zoneinfo:file r_file_perms;
diff --git a/file.te b/file.te
index 628c237..02112ef 100644
--- a/file.te
+++ b/file.te
@@ -22,6 +22,7 @@
 type proc_timer, fs_type;
 type proc_uid_cputime_showstat, fs_type;
 type proc_uid_cputime_removeuid, fs_type;
+type proc_zoneinfo, fs_type;
 type selinuxfs, fs_type, mlstrustedobject;
 type cgroup, fs_type, mlstrustedobject;
 type sysfs, fs_type, sysfs_type, mlstrustedobject;
diff --git a/genfs_contexts b/genfs_contexts
index 57b967c..bb2fea9 100644
--- a/genfs_contexts
+++ b/genfs_contexts
@@ -31,6 +31,7 @@
 genfscon proc /timer_stats u:object_r:proc_timer:s0
 genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
 genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
+genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
 
 # selinuxfs booleans can be individually labeled.
 genfscon selinuxfs / u:object_r:selinuxfs:s0
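Review bot: The added `genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0` line takes the file off whatever label it had before, so any domain that read it through a rule on the previous label will be denied once this lands. The commit grants the new type only to dumpstate, lmkd and shell. Before merging, boot a build with this policy and check the audit log for `avc: denied` entries with `tcontext=u:object_r:proc_zoneinfo:s0`, so that a missed reader shows up as a known denial rather than a silent regression. A comment above the line naming the intended readers, for example `# /proc/zoneinfo: readable by dumpstate, lmkd and shell only`, would make later audits of this label easier.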
diff --git a/lmkd.te b/lmkd.te
index 863fe07..ee731c5 100644
--- a/lmkd.te
+++ b/lmkd.te
@@ -32,6 +32,8 @@
 # Set self to SCHED_FIFO
 allow lmkd self:capability sys_nice;
 
+allow lmkd proc_zoneinfo:file r_file_perms;
+
 ### neverallow rules
 
 # never honor LD_PRELOAD
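Review bot: The added `allow lmkd proc_zoneinfo:file r_file_perms;` has no comment, while the rule just above it is explained by `# Set self to SCHED_FIFO`. A one-line comment such as `# Read /proc/zoneinfo (memory zone statistics)` would record why lmkd is on the reader list for the new type. The exact use is not visible in this hunk, so the wording should be confirmed against the lmkd source. The rules of lmkd.te continue outside the hunk on both sides.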
diff --git a/shell.te b/shell.te
index afa4c91..b7b4e03 100644
--- a/shell.te
+++ b/shell.te
@@ -93,6 +93,7 @@
 allow shell proc_meminfo:file r_file_perms;
 allow shell proc_stat:file r_file_perms;
 allow shell proc_timer:file r_file_perms;
+allow shell proc_zoneinfo:file r_file_perms;
 r_dir_file(shell, cgroup)
 allow shell domain:dir { search open read getattr };
 allow shell domain:{ file lnk_file } { open read getattr };
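Review bot: The added `allow shell proc_zoneinfo:file r_file_perms;` gives the new type to the shell domain, and the commit does not say which shell-run tool needs it. A dedicated label is only useful if its reader list stays short and justified. The grant is consistent with the neighbouring `proc_meminfo`, `proc_stat` and `proc_timer` rules, so it may well be intended. If so, a comment such as `# needed by <tool> run from the shell` (placeholder, to be filled in by the author) would document it. If no consumer can be named, leave the rule out and add it back when a denial shows the need.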