Label /proc/config.gz
Add a label to /proc/config.gz, so we can distinguish this file from
other /proc files in security policy.
For now, only init is allowed read access. All others are denied.
TODO: clarify exactly who needs access. Further access will be granted
in a future commit.
Bug: 35126415
Test: policy compiles and no device boot problems.
Change-Id: I8b480890495ce5b8aa3f8c7eb00e14159f177860
diff --git a/private/file.te b/private/file.te
index 818a53d..da5f9ad 100644
--- a/private/file.te
+++ b/private/file.te
@@ -2,3 +2,6 @@
typealias audio_data_file alias audio_firmware_file;
typealias app_data_file alias platform_app_data_file;
typealias app_data_file alias download_file;
+
+# /proc/config.gz
+type config_gz, fs_type;
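Review bot: the new `type config_gz, fs_type;` line at the end of private/file.te only declares the type; nothing in this hunk attaches it to /proc/config.gz or grants init the read access the commit message describes. Please confirm that the matching genfscon entry for /proc/config.gz and the init allow rule are part of the same change, since without them the file keeps its generic proc label and the new type goes unused. It would also help to carry the TODO from the commit message into the `# /proc/config.gz` comment, so the pending access decision is visible in the policy source itself.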