Add proc_cmdline read permission to read_fstab
ReadDefaultFstab() calls fs_mgr_get_boot_config() which could read
/proc/bootconfig and /proc/cmdline.
Bug: 225310919
Test: TH presubmit
Change-Id: Ibe66a41d0d74d7b71dc70436af68b7a7eed721b6
diff --git a/private/gsid.te b/private/gsid.te
index fa76da0..e795cea 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -48,7 +48,7 @@
# Needed to read fstab, which is used to validate that system verity does not
# use check_once_at_most for sdcard installs. (Note: proc_cmdline is needed
# to get the A/B slot suffix).
-allow gsid proc_cmdline:file r_file_perms;
+read_fstab(gsid)
allow gsid sysfs_dt_firmware_android:dir r_dir_perms;
allow gsid sysfs_dt_firmware_android:file r_file_perms;
diff --git a/public/te_macros b/public/te_macros
index 06d292c..e70c5d3 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -1023,7 +1023,7 @@
define(`read_fstab', `
allow $1 { metadata_file gsi_metadata_file_type }:dir search;
allow $1 gsi_public_metadata_file:file r_file_perms;
- allow $1 proc_bootconfig:file r_file_perms;
+ allow $1 { proc_bootconfig proc_cmdline }:file r_file_perms;
')
######################################