commit fa8f67b2cc435686050057d0e4e103edf7b43aa0
author Tri Vo <trong@google.com> Fri Nov 03 15:35:41 2017 -0700
committer Tri Vo <trong@google.com> Wed Nov 08 14:39:03 2017 -0800
tree 639111175f885fffa2854886f3ba42cf9feae82a
parent d1cf3a405693172020d6199480968f2c4ecde64d

init: refactor access to proc_* labels.

Bug: 68949041
Test: device builds, boots, no denials from init.

Change-Id: Iedefac8d70512fd614ca06117f42a7887f6ab649

public/init.te

diff --git a/public/init.te b/public/init.te
index bc10a82..06f6231 100644
--- a/public/init.te
+++ b/public/init.te
@@ -206,7 +206,12 @@
 allow init debugfs_wifi_tracing:file w_file_perms;
 
 # chown/chmod on pseudo files.
-allow init { fs_type -contextmount_type -sdcard_type -rootfs }:file { open read setattr };
+allow init {
+  fs_type
+  -contextmount_type
+  -sdcard_type
+  -rootfs
+}:file { open read setattr };
 allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir  { open read setattr search };
 
 # init should not be able to read or open generic devices
@@ -252,37 +257,37 @@
 allow init kernel:system syslog_mod;
 allow init self:capability2 syslog;
 
-# Set usermodehelpers and /proc security settings.
+# init access to /proc.
+r_dir_file(init, proc_net)
+
+allow init {
+  proc_cmdline
+  proc_meminfo
+  proc_overflowuid
+  proc_stat # Read /proc/stat for bootchart.
+  proc_version
+}:file r_file_perms;
+
+allow init {
+  proc_net
+  proc_overcommit_memory
+  proc_page_cluster
+  proc_sysrq
+}:file w_file_perms;
+
+allow init {
+  proc_security
+}:file rw_file_perms;
+
+# Set usermodehelpers.
 allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
-allow init proc_security:file rw_file_perms;
 
 # Write to /proc/sys/kernel/panic_on_oops.
 r_dir_file(init, proc)
 allow init proc:file w_file_perms;
 
-# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
-r_dir_file(init, proc_net)
-allow init proc_net:file w_file_perms;
 allow init self:capability net_admin;
 
-# Write to /proc/sysrq-trigger.
-allow init proc_sysrq:file w_file_perms;
-
-# Read /proc/stat for bootchart.
-allow init proc_stat:file r_file_perms;
-
-# Read /proc/version.
-allow init proc_version:file r_file_perms;
-
-# Read /proc/cmdline
-allow init proc_cmdline:file r_file_perms;
-
-# Write to /proc/sys/vm/page-cluster
-allow init proc_page_cluster:file w_file_perms;
-
-# Read /proc/sys/kernel/overflowuid
-allow init proc_overflowuid:file r_file_perms;
-
 # Reboot.
 allow init self:capability sys_boot;
 
@@ -414,7 +419,6 @@
 
 r_dir_file(init, system_file)
 r_dir_file(init, vendor_file_type)
-allow init proc_meminfo:file r_file_perms;
 
 allow init system_data_file:file { getattr read };
 allow init system_data_file:lnk_file r_file_perms;