commit 96cc32b0eb51cd2f6efa50927a15ecca117a2247
author Suren Baghdasaryan <surenb@google.com> Thu Mar 14 01:42:21 2019 +0000
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Thu Mar 14 01:42:21 2019 +0000
tree 2d82d4ade37cc1751e28764b1391e418548ac71f
parent d6c5ff5f726a9e8fc2ebb64ecbd547245312cf5e
parent f4b7e01c1fc025b9e55ce4c94474a3f03cd45318

Merge "sepolicy: Remove unnecessary psi procfs rules"

private/compat/28.0/28.0.cil

diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index 77c215c..ac3ab2a 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -1543,7 +1543,8 @@
   ( sysfs
     sysfs_devices_block
     sysfs_extcon
-    sysfs_loop))
+    sysfs_loop
+    sysfs_transparent_hugepage))
 (typeattributeset sysfs_android_usb_28_0 (sysfs_android_usb))
 (typeattributeset sysfs_batteryinfo_28_0 (sysfs_batteryinfo))
 (typeattributeset sysfs_bluetooth_writable_28_0 (sysfs_bluetooth_writable))

private/genfs_contexts

diff --git a/private/genfs_contexts b/private/genfs_contexts
index 070559f..20ec084 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -133,6 +133,7 @@
 genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lock:s0
 genfscon sysfs /kernel/memory_state_time u:object_r:sysfs_power:s0
 genfscon sysfs /kernel/ipv4 u:object_r:sysfs_ipv4:s0
+genfscon sysfs /kernel/mm/transparent_hugepage u:object_r:sysfs_transparent_hugepage:s0
 genfscon sysfs /kernel/notes u:object_r:sysfs_kernel_notes:s0
 genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
 genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0

private/isolated_app.te

diff --git a/private/isolated_app.te b/private/isolated_app.te
index b7c812b..94b49b0 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -127,6 +127,7 @@
 neverallow isolated_app {
   sysfs_type
   -sysfs_devices_system_cpu
+  -sysfs_transparent_hugepage
   -sysfs_usb # TODO: check with audio team if needed for isolated_app (b/28417852)
 }:file no_rw_file_perms;
 

public/domain.te

diff --git a/public/domain.te b/public/domain.te
index 31d8976..e285a2e 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -205,6 +205,11 @@
 
 r_dir_file(domain, sysfs_usb);
 
+# If kernel CONFIG_TRANSPARENT_HUGEPAGE is enabled, libjemalloc5 (statically
+# included by libc) reads /sys/kernel/mm/transparent_hugepage/enabled.
+allow domain sysfs_transparent_hugepage:dir search;
+allow domain sysfs_transparent_hugepage:file r_file_perms;
+
 # files under /data.
 not_full_treble(`
   allow domain system_data_file:dir getattr;
@@ -614,14 +619,6 @@
   -update_engine
 } system_block_device:blk_file { write append };
 
-# No domains other than install_recovery, recovery or fastbootd can write to recovery.
-neverallow {
-  domain
-  -fastbootd
-  -install_recovery
-  -recovery
-} recovery_block_device:blk_file { write append };
-
 # No domains other than a select few can access the misc_block_device. This
 # block device is reserved for OTA use.
 # Do not assert this rule on userdebug/eng builds, due to some devices using

public/file.te

diff --git a/public/file.te b/public/file.te
index a2d1967..d7c4cab 100644
--- a/public/file.te
+++ b/public/file.te
@@ -92,6 +92,7 @@
 type sysfs_power, fs_type, sysfs_type;
 type sysfs_rtc, fs_type, sysfs_type;
 type sysfs_switch, fs_type, sysfs_type;
+type sysfs_transparent_hugepage, fs_type, sysfs_type;
 type sysfs_usb, fs_type, sysfs_type;
 type sysfs_wakeup_reasons, fs_type, sysfs_type;
 type sysfs_fs_ext4_features, sysfs_type, fs_type;