strengthen proc_type neverallows
These were unnecessarily lax. Some other places
also exclude only the generic proc type, but
we don't care about those places.
Bug: 281877578
Test: boot
Change-Id: I9ebf410c12a41888ab1f5ecc21c95c34fc36c0d0
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index 1e8529b..c940eca 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -410,7 +410,7 @@
# Feature parity with Chromium LSM.
neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
-neverallow { domain -init } proc:{ file dir } mounton;
+neverallow { domain -init } proc_type:{ file dir } mounton;
# Ensure that all types assigned to processes are included
# in the domain attribute, so that all allow and neverallow rules
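Review bot: The rewritten line `neverallow { domain -init } proc_type:{ file dir } mounton;` still forbids mounting on generic `proc` only if the `proc` type carries the `proc_type` attribute, and that declaration is not visible in this hunk. The public/domain.te hunk keeps the old `proc` rule beside the new one, whereas here it is replaced outright, so the assumption is worth confirming against the type declaration. A short comment would record it, e.g. `# proc_type includes the generic proc type, so this supersedes the old proc-only rule.` The existing "Feature parity with Chromium LSM" comment reads as belonging to the preceding neverallow, which leaves this rule with no stated intent of its own.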
diff --git a/public/domain.te b/public/domain.te
index 56c3142..4336770 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1053,6 +1053,7 @@
neverallow { domain -untrusted_app_25 -untrusted_app_27 } file_type:file execmod;
neverallow { domain -init } proc:{ file dir } mounton;
+neverallow { domain -init -zygote } proc_type:{ file dir } mounton;
# Ensure that all types assigned to processes are included
# in the domain attribute, so that all allow and neverallow rules
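Review bot: The `-zygote` exemption on the added `proc_type` rule is explained neither in the hunk nor in the commit message. It lifts the restriction for zygote on every type in `proc_type` except generic `proc`, which the retained rule above still covers. If zygote needs `mounton` for only one or two /proc labels, a companion rule keeps the rest protected: `neverallow zygote { proc_type -<type_zygote_mounts_on> }:{ file dir } mounton;` (the type name is a placeholder to fill in from the matching allow rule). Either way a comment should state the reason and why both rules coexist, e.g. `# zygote mounts over <type>; generic proc stays covered by the rule above.`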