init: label /proc dependencies and remove access to proc
New types and files labeled with them:
1. proc_abi:
/proc/sys/abi/swp
2. proc_dirty:
/proc/sys/vm/dirty_background_ratio
/proc/sys/vm/dirty_expire_centisecs
3. proc_diskstats:
/proc/diskstats
4. proc_extra_free_kbytes:
/proc/sys/vm/extra_free_kbytes
5. proc_hostname:
/proc/sys/kernel/domainname
/proc/sys/kernel/hostname
6. proc_hung_task:
/proc/sys/kernel/hung_task_timeout_secs
7. proc_max_map_count:
/proc/sys/vm/max_map_count
8. proc_panic:
/proc/sys/kernel/panic_on_oops
9. proc_sched:
/proc/sys/kernel/sched_child_runs_first
/proc/sys/kernel/sched_latency_ns
/proc/sys/kernel/sched_rt_period_us
/proc/sys/kernel/sched_rt_runtime_us
/proc/sys/kernel/sched_tunable_scaling
/proc/sys/kernel/sched_wakeup_granularity_ns
10. proc_uptime:
/proc/uptime
Files labeled with already existing types:
1. proc_perf:
/proc/sys/kernel/perf_event_paranoid
2. proc_sysrq:
/proc/sys/kernel/sysrq
3. usermodehelper:
/proc/sys/kernel/core_pipe_limit
Changes to init domain:
1. Removed access to files with 'proc' label.
2. Added access to newly introduced types + proc_kmsg.
Bug: 68949041
Test: walleye boots without denials from u:r:init:s0.
Test: system/core/init/grab-bootchart.sh does not trigger denials from
u:r:init:s0
Change-Id: If1715c3821e277679c320956df33dd273e750ea2
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 00b68d2..a1e6b5f 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -450,18 +450,28 @@
(typeattributeset priv_app_26_0 (mediaprovider priv_app))
(typeattributeset proc_26_0
( proc
+ proc_abi
proc_asound
proc_cmdline
+ proc_dirty
+ proc_diskstats
+ proc_extra_free_kbytes
proc_filesystems
+ proc_hostname
+ proc_hung_task
proc_kmsg
proc_loadavg
+ proc_max_map_count
proc_mounts
proc_overflowuid
proc_page_cluster
proc_pagetypeinfo
+ proc_panic
proc_random
+ proc_sched
proc_swaps
proc_uid_time_in_state
+ proc_uptime
proc_version
proc_vmallocinfo))
(typeattributeset proc_bluetooth_writable_26_0 (proc_bluetooth_writable))
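Review bot: The ten new types are folded into proc_26_0 with nothing in the file recording why, so a reader of this compat mapping cannot tell that they were carved out of `proc` and that every 26.0 vendor domain previously allowed `proc` now transparently gains the same access to writable sysctls such as proc_sched, proc_panic and proc_hostname. That is the expected behaviour for a split like this, but a CIL comment above the set, `; types split out of proc after 26.0; vendor policy written against 26.0 keeps its proc permissions on them`, would make the widening explicit for whoever audits the mapping later. If any of these files is meant to stay out of reach of legacy vendor policy, it would have to be left out of this set rather than mapped.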
diff --git a/private/domain.te b/private/domain.te
index 6be5082..9515074 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -25,7 +25,6 @@
neverallow {
coredomain
-dumpstate
- -init
-platform_app
-priv_app
-shell
diff --git a/private/genfs_contexts b/private/genfs_contexts
index ee17d49..9c08934 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -5,6 +5,7 @@
genfscon proc /asound u:object_r:proc_asound:s0
genfscon proc /cmdline u:object_r:proc_cmdline:s0
genfscon proc /config.gz u:object_r:config_gz:s0
+genfscon proc /diskstats u:object_r:proc_diskstats:s0
genfscon proc /filesystems u:object_r:proc_filesystems:s0
genfscon proc /interrupts u:object_r:proc_interrupts:s0
genfscon proc /iomem u:object_r:proc_iomem:s0
@@ -22,22 +23,40 @@
genfscon proc /stat u:object_r:proc_stat:s0
genfscon proc /swaps u:object_r:proc_swaps:s0
genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
+genfscon proc /sys/abi/swp u:object_r:proc_abi:s0
genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/domainname u:object_r:proc_hostname:s0
genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0
+genfscon proc /sys/kernel/hostname u:object_r:proc_hostname:s0
genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/hung_task_timeout_secs u:object_r:proc_hung_task:s0
genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0
genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
genfscon proc /sys/kernel/overflowuid u:object_r:proc_overflowuid:s0
+genfscon proc /sys/kernel/panic_on_oops u:object_r:proc_panic:s0
genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
+genfscon proc /sys/kernel/perf_event_paranoid u:object_r:proc_perf:s0
genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/random u:object_r:proc_random:s0
genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
+genfscon proc /sys/kernel/sched_child_runs_first u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_latency_ns u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_rt_period_us u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_rt_runtime_us u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
genfscon proc /sys/net u:object_r:proc_net:s0
+genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
+genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
+genfscon proc /sys/vm/extra_free_kbytes u:object_r:proc_extra_free_kbytes:s0
+genfscon proc /sys/vm/max_map_count u:object_r:proc_max_map_count:s0
genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
genfscon proc /sys/vm/mmap_rnd_compat_bits u:object_r:proc_security:s0
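Review bot: Labeling `/sys/kernel/sysrq` as proc_sysrq puts the sysrq enable-mask under the same type as `/sysrq-trigger`, so any domain already granted write on proc_sysrq in order to fire a sysrq can now also change which sysrq functions are enabled; in the same way `/sys/kernel/perf_event_paranoid` joins `perf_event_max_sample_rate` under proc_perf, so a writer of the sample-rate tunable can also lower the paranoid level. Whether that widening matters depends on which domains hold write on those two types, which this chunk does not show; if any domain other than init does, a dedicated type for each of the two new files would preserve the fine-grained split the rest of this commit is making. A smaller point: the new `/sys/kernel/domainname` line is placed above `dmesg_restrict`, breaking the alphabetical order this block otherwise keeps; moving it one line down keeps the file sorted.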
@@ -52,6 +71,7 @@
genfscon proc /uid_io/stats u:object_r:proc_uid_io_stats:s0
genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0
genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0
+genfscon proc /uptime u:object_r:proc_uptime:s0
genfscon proc /version u:object_r:proc_version:s0
genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0