Merge "Settings: Add option to disable logging"
diff --git a/bootanim.te b/bootanim.te
index 159fd9e..550c6dc 100644
--- a/bootanim.te
+++ b/bootanim.te
@@ -28,9 +28,7 @@
 # Read access to pseudo filesystems.
 r_dir_file(bootanim, proc)
 r_dir_file(bootanim, sysfs)
-r_dir_file(bootanim, sysfs_devices_system_cpu)
 r_dir_file(bootanim, cgroup)
-allow bootanim proc_cpuinfo:file r_file_perms;
 
 # System file accesses.
 allow bootanim system_file:dir r_dir_perms;
diff --git a/domain.te b/domain.te
index 15594ef..79fb9c6 100644
--- a/domain.te
+++ b/domain.te
@@ -109,6 +109,9 @@
 # required by the dynamic linker
 allow domain proc:lnk_file read;
 
+# /proc/cpuinfo
+allow domain proc_cpuinfo:file r_file_perms;
+
 # toybox loads libselinux which stats /sys/fs/selinux/
 allow domain selinuxfs:file getattr;
 allow domain sysfs:dir search;
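Review bot: The comment on the new domain-wide rule, `# /proc/cpuinfo`, names only the path and not why every domain, including the least-trusted ones, needs read access. A line such as `# Allow all domains to read /proc/cpuinfo: <reason the grant is global>` would let a later auditor judge whether the blanket grant is still justified. Because the rule is attached to the `domain` attribute, any type that should not have this access has to be excluded explicitly (`{ domain -some_domain }`), so it is worth checking now that no sandboxed domain is meant to be kept away from it. Separately, bootanim.te in this same change also drops `r_dir_file(bootanim, sysfs_devices_system_cpu)`, and no domain-wide replacement for that type is visible in this hunk. Confirm that domain.te already grants it elsewhere, otherwise bootanim may be denied access it previously had.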
diff --git a/domain_deprecated.te b/domain_deprecated.te
index cd1a08c..7be9a3e 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -66,7 +66,6 @@
 r_dir_file(domain_deprecated, inotify)
 r_dir_file(domain_deprecated, cgroup)
 r_dir_file(domain_deprecated, proc_net)
-allow domain_deprecated proc_cpuinfo:file r_file_perms;
 
 # Get SELinux enforcing status.
 allow domain_deprecated selinuxfs:dir r_dir_perms;
diff --git a/shell.te b/shell.te
index 9622905..1ae7169 100644
--- a/shell.te
+++ b/shell.te
@@ -96,6 +96,13 @@
 allow shell domain:dir { search open read getattr };
 allow shell domain:{ file lnk_file } { open read getattr };
 
+# statvfs() of /proc and other labeled filesystems
+# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs)
+allow shell { proc labeledfs }:filesystem getattr;
+
+# stat() of /dev
+allow shell device:dir getattr;
+
 # allow shell to read /proc/pid/attr/current for ps -Z
 allow shell domain:process getattr;