commit e7f4934d064b0c16b5968982b646c3c28d3c7b80
author Tri Vo <trong@google.com> Tue Nov 14 16:32:36 2017 -0800
committer Tri Vo <trong@google.com> Thu Nov 16 12:30:53 2017 -0800
tree a19943e3bafbb103f5e377ea4c506d9514d9b0a2
parent 29fc85eeab3077a8aa8515e9326b4b39960df939

system_server: access to /proc/sys/fs/pipe-max-size

Label /proc/sys/fs/pipe-max-size with new type proc_pipe_conf and give
system_server access to it.

Addresses this denial:
avc: denied { read } for name="pipe-max-size" dev="proc" ino=93817
scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file
permissive=0

Bug: 69175449
Bug: 69324398
Test: sailfish boots
Test: adb bugreport
Test: craft an unresponsive app, trigger ANR, make sure traces are dumped
into /data/anr
Above denial from system_server not observed, no denials to proc_pipe_conf
observed.
Change-Id: I7c71f05820a4945ba982e29f76e9d9f4458b2b59

private/system_server.te

diff --git a/private/system_server.te b/private/system_server.te
index 93c6a57..d2a0c5e 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -124,24 +124,15 @@
 allow system_server qtaguid_proc:file rw_file_perms;
 allow system_server qtaguid_device:chr_file rw_file_perms;
 
-# Read /proc/uid_cputime/show_uid_stat.
-allow system_server proc_uid_cputime_showstat:file r_file_perms;
-
 # Write /proc/uid_cputime/remove_uid_range.
 allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
 
 # Write /proc/uid_procstat/set.
 allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
 
-# Read /proc/uid_time_in_state.
-allow system_server proc_uid_time_in_state:file r_file_perms;
-
 # Write to /proc/sysrq-trigger.
 allow system_server proc_sysrq:file rw_file_perms;
 
-# Read /proc/stat for CPU usage statistics
-allow system_server proc_stat:file r_file_perms;
-
 # Read /sys/kernel/debug/wakeup_sources.
 allow system_server debugfs:file r_file_perms;
 
@@ -690,12 +681,19 @@
 allow system_server ion_device:chr_file r_file_perms;
 
 r_dir_file(system_server, proc_asound)
-r_dir_file(system_server, proc_loadavg)
-r_dir_file(system_server, proc_meminfo)
 r_dir_file(system_server, proc_net)
-r_dir_file(system_server, proc_pagetypeinfo)
-r_dir_file(system_server, proc_version)
-r_dir_file(system_server, proc_vmallocinfo)
+allow system_server {
+  proc_loadavg
+  proc_meminfo
+  proc_pagetypeinfo
+  proc_pipe_conf
+  proc_stat
+  proc_uid_cputime_showstat
+  proc_uid_time_in_state
+  proc_version
+  proc_vmallocinfo
+}:file r_file_perms;
+
 r_dir_file(system_server, rootfs)
 
 ### Rules needed when Light HAL runs inside system_server process.