Deduplicate and rationalize system_server /proc/pid access.
The system_server has duplicate/overlapping rules regarding
/proc/pid access as well as a lack of clarity on the reason
for the different rules. Deduplicate the rules and clarify
the purpose of different sets of rules.
Replace the rules granting /proc/pid access for all domains with
specific rules only for domains that we know should be accessible
by the system_server, i.e. all apps (appdomain) and the set of
native processes listed in com.android.server.Watchdog.NATIVE_STACKS_OF_INTEREST.
Change-Id: Idae6fc87e19e1700cdc4bdbde521d35caa046d74
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/system_server.te b/system_server.te
index 9b7b85a..b59f5a3 100644
--- a/system_server.te
+++ b/system_server.te
@@ -74,9 +74,11 @@
allow system_server appdomain:process { getsched setsched };
allow system_server mediaserver:process { getsched setsched };
-# Read /proc data for apps.
-allow system_server appdomain:dir r_dir_perms;
-allow system_server appdomain:{ file lnk_file } rw_file_perms;
+# Read /proc/pid data for apps.
+r_dir_file(system_server, appdomain)
+
+# Write to /proc/pid/oom_adj_score for apps.
+allow system_server appdomain:file write;
# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
allow system_server qtaguid_proc:file rw_file_perms;
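Review bot: The new comment "Write to /proc/pid/oom_adj_score for apps" names a file that does not exist under /proc/pid; the procfs entry is /proc/pid/oom_score_adj (older kernels also expose /proc/pid/oom_adj). Please fix the name so the comment can be trusted. It is also worth stating in the comment that `allow system_server appdomain:file write;` is not scoped to that one entry: every file under an app's /proc/pid carries the appdomain label, so the rule grants write on all of them, and the comment is the only record of the intended use. Note that the removed rule granted rw_file_perms on `{ file lnk_file }`, while the replacement grants `write` on `file` only; that narrowing looks intentional (the lnk_file entries under /proc/pid are not writable anyway), but a word in the commit message would make it explicit.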
@@ -119,11 +121,10 @@
binder_call(system_server, dumpstate)
binder_service(system_server)
-# Read /proc/pid files for Binder clients.
-r_dir_file(system_server, appdomain)
+# Read /proc/pid files for dumping stack traces of native processes.
r_dir_file(system_server, mediaserver)
-allow system_server appdomain:process getattr;
-allow system_server mediaserver:process getattr;
+r_dir_file(system_server, sdcardd)
+r_dir_file(system_server, surfaceflinger)
# Use sockets received over binder from various services.
allow system_server mediaserver:tcp_socket rw_socket_perms;
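Review bot: The comment "Read /proc/pid files for dumping stack traces of native processes" should name the source of the list so future edits keep the two in sync; the commit message says the set of native processes comes from com.android.server.Watchdog.NATIVE_STACKS_OF_INTEREST, and the three r_dir_file() lines for mediaserver, sdcardd and surfaceflinger only stay correct while that constant does not change. Suggest "# Read /proc/pid files for dumping stack traces of the native processes listed in Watchdog.NATIVE_STACKS_OF_INTEREST." Separately, this hunk drops `allow system_server appdomain:process getattr;` and `allow system_server mediaserver:process getattr;` without a replacement; if the getattr permission is still needed (for example when inspecting those processes before dumping their stacks), it should be re-added near the r_dir_file() rules, and if it is not, the commit message should say it was found unnecessary.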
@@ -210,11 +211,6 @@
# Run system programs, e.g. dexopt.
allow system_server system_file:file x_file_perms;
-# Allow reading of /proc/pid data for other domains.
-# XXX dontaudit candidate
-allow system_server domain:dir r_dir_perms;
-allow system_server domain:file r_file_perms;
-
# LocationManager(e.g, GPS) needs to read and write
# to uart driver and ctrl proc entry
allow system_server gps_device:chr_file rw_file_perms;
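Review bot: Removing the domain-wide `allow system_server domain:dir r_dir_perms;` / `domain:file r_file_perms;` also removes the "XXX dontaudit candidate" note without acting on it. If system_server still walks /proc and touches entries of domains other than appdomain and the native processes listed above, this change turns those reads from silently allowed into audited denials; please either confirm from audit logs that no such accesses occur, or replace the removed allow rules with the corresponding dontaudit rules so that expected, harmless attempts do not flood the log. Either way, the commit message should state which of the two was done.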