Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / f25ea5f9c00dff32a2d04c7af3e76d0efac28a7c^! / .
commitf25ea5f9c00dff32a2d04c7af3e76d0efac28a7c[log] [tgz]
authordcashman <dcashman@google.com>Tue Feb 23 17:09:48 2016 -0800
committerdcashman <dcashman@google.com>Wed Feb 24 07:38:28 2016 -0800
tree73875dd546241f9cd32bd4449d5b1114b1acfdd9
parent7905d6819efc5f3052bc4eaa6da8b40c03f3abb1 [diff]
Label /proc/meminfo.

Address the following denial:
m.chrome.canary: type=1400 audit(0.0:15): avc: granted { read open } for path="/proc/meminfo" dev="proc" ino=4026544360 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=file

(cherry-pick of internal commit: 971aeeda2138b27e3f8850f2fd7c95f60508154c)

Bug: 22032619
Chromium Bug: 586021

Change-Id: I2dcb2d4800bbc92ea47c37d4fd7a10f827a0114c

diff --git a/domain_deprecated.te b/domain_deprecated.te
index ed88cca..4da7a31 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te

@@ -57,6 +57,7 @@
 r_dir_file(domain_deprecated, sysfs)
 r_dir_file(domain_deprecated, inotify)
 r_dir_file(domain_deprecated, cgroup)
+r_dir_file(domain_deprecated, proc_meminfo)
 r_dir_file(domain_deprecated, proc_net)
 
 # Get SELinux enforcing status.

diff --git a/file.te b/file.te
index d205c56..1998669 100644
--- a/file.te
+++ b/file.te

@@ -14,6 +14,7 @@
 type proc_bluetooth_writable, fs_type;
 type proc_cpuinfo, fs_type;
 type proc_iomem, fs_type;
+type proc_meminfo, fs_type;
 type proc_net, fs_type;
 type proc_sysrq, fs_type;
 type proc_uid_cputime_showstat, fs_type;

diff --git a/genfs_contexts b/genfs_contexts
index 3f865c4..2700a94 100644
--- a/genfs_contexts
+++ b/genfs_contexts

@@ -3,6 +3,7 @@
 # proc labeling can be further refined (longest matching prefix).
 genfscon proc / u:object_r:proc:s0
 genfscon proc /iomem u:object_r:proc_iomem:s0
+genfscon proc /meminfo u:object_r:proc_meminfo:s0
 genfscon proc /net u:object_r:proc_net:s0
 genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
 genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0

diff --git a/untrusted_app.te b/untrusted_app.te
index 1b2d89e..fd55653 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te

@@ -89,9 +89,13 @@
 # for files. Suppress the denials when they occur.
 dontaudit untrusted_app exec_type:file getattr;
 
-# TODO: access of /proc/meminfo, give specific label or switch to
-# using meminfo service
+# TODO: switch to meminfo service
+allow untrusted_app proc_meminfo:file r_file_perms;
+
+# https://code.google.com/p/chromium/issues/detail?id=586021
 allow untrusted_app proc:file r_file_perms;
+auditallow untrusted_app proc:file r_file_perms;
+
 # access /proc/net/xt_qtguid/stats
 r_dir_file(untrusted_app, proc_net)