init: label /proc dependencies and remove access to proc
New types and files labeled with them:
1. proc_abi:
/proc/sys/abi/swp
2. proc_dirty:
/proc/sys/vm/dirty_background_ratio
/proc/sys/vm/dirty_expire_centisecs
3. proc_diskstats:
/proc/diskstats
4. proc_extra_free_kbytes:
/proc/sys/vm/extra_free_kbytes
5. proc_hostname:
/proc/sys/kernel/domainname
/proc/sys/kernel/hostname
6. proc_hung_task:
/proc/sys/kernel/hung_task_timeout_secs
7. proc_max_map_count:
/proc/sys/vm/max_map_count
8. proc_panic:
/proc/sys/kernel/panic_on_oops
9. proc_sched:
/proc/sys/kernel/sched_child_runs_first
/proc/sys/kernel/sched_latency_ns
/proc/sys/kernel/sched_rt_period_us
/proc/sys/kernel/sched_rt_runtime_us
/proc/sys/kernel/sched_tunable_scaling
/proc/sys/kernel/sched_wakeup_granularity_ns
10. proc_uptime:
/proc/uptime
Files labeled with already existing types:
1. proc_perf:
/proc/sys/kernel/perf_event_paranoid
2. proc_sysrq:
/proc/sys/kernel/sysrq
3. usermodehelper:
/proc/sys/kernel/core_pipe_limit
Changes to init domain:
1. Removed access to files with 'proc' label.
2. Added access to newly introduced types + proc_kmsg.
Bug: 68949041
Test: walleye boots without denials from u:r:init:s0.
Test: system/core/init/grab-bootchart.sh does not trigger denials from
u:r:init:s0
Change-Id: If1715c3821e277679c320956df33dd273e750ea2
5 files changed