domain_deprecated: remove proc access
Remove "granted" logspam. Grant the observed permissions to the
individual processes that need them and remove the permission from
domain_deprecated.
avc: granted { read open } for comm="ndroid.settings"
path="/proc/version" dev="proc" ino=4026532081
scontext=u:r:system_app:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: granted { getattr } for comm=4173796E635461736B202332
path="/proc/pagetypeinfo" dev="proc" ino=4026532129
scontext=u:r:system_app:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: granted { read open } for comm="uncrypt" path="/proc/cmdline"
dev="proc" ino=4026532072 scontext=u:r:uncrypt:s0
tcontext=u:object_r:proc:s0 tclass=file
avc: granted { read open } for comm="update_engine"
path="/proc/sys/kernel/random/boot_id" dev="proc" ino=15852829
scontext=u:r:update_engine:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: granted { read open } for comm="tiveportallogin"
path="/proc/vmstat" dev="proc" ino=4026532130
scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:proc:s0
tclass=file
This change is specifically not granting the following since it
should not be allowed:
avc: granted { read open } for comm="crash_dump64"
path="/proc/filesystems" dev="proc" ino=4026532416
scontext=u:r:dex2oat:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: granted { read } for comm="crash_dump64" name="filesystems"
dev="proc" ino=4026532416 scontext=u:r:dex2oat:s0
tcontext=u:object_r:proc:s0 tclass=file
avc: granted { getattr } for comm="crash_dump64"
path="/proc/filesystems" dev="proc" ino=4026532416
scontext=u:r:dex2oat:s0 tcontext=u:object_r:proc:s0 tclass=file
Bug: 64032843
Bug: 28760354
Test: build
Change-Id: Ib309e97b6229bdf013468dca34f606c0e8da96d0
diff --git a/private/domain_deprecated.te b/private/domain_deprecated.te
index ccb7e85..a440bfe 100644
--- a/private/domain_deprecated.te
+++ b/private/domain_deprecated.te
@@ -1,28 +1,11 @@
# rules removed from the domain attribute
# Read access to pseudo filesystems.
-r_dir_file(domain_deprecated, proc)
r_dir_file(domain_deprecated, sysfs)
userdebug_or_eng(`
auditallow {
domain_deprecated
- -fsck
- -fsck_untrusted
- -sdcardd
- -system_server
- -update_engine
- -vold
-} proc:file r_file_perms;
-auditallow {
- domain_deprecated
- -fsck
- -fsck_untrusted
- -system_server
- -vold
-} proc:lnk_file { open ioctl lock }; # getattr read granted in domain
-auditallow {
- domain_deprecated
-fingerprintd
-healthd
-netd
diff --git a/private/platform_app.te b/private/platform_app.te
index 047cca4..a8bb1c2 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -41,6 +41,9 @@
# com.android.systemui
allow platform_app rootfs:dir getattr;
+# com.android.captiveportallogin reads /proc/vmstat
+allow platform_app proc:file r_file_perms;
+
allow platform_app audioserver_service:service_manager find;
allow platform_app cameraserver_service:service_manager find;
allow platform_app drmserver_service:service_manager find;
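Review bot: The added `allow platform_app proc:file r_file_perms;` covers every file still labelled `proc`, for every app that runs in the platform_app domain. The comment and the logged access name only com.android.captiveportallogin reading /proc/vmstat. The same applies to `allow system_app proc:file r_file_perms;` in the private/system_app.te hunk, where the observed need is /proc/version and /proc/pagetypeinfo. If those files can be given their own types in genfs_contexts, the rules could name those types instead of `proc`. Until then I would record the gap next to each rule, e.g. `# TODO: narrow to a dedicated label for /proc/vmstat; proc:file is broader than the observed access`.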
diff --git a/private/system_app.te b/private/system_app.te
index 80afcb9..803ee44 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -84,5 +84,8 @@
# /sys access
r_dir_file(system_app, sysfs_type)
+# settings app reads /proc/version and /proc/pagetypeinfo
+allow system_app proc:file r_file_perms;
+
control_logd(system_app)
read_runtime_log_tags(system_app)