Remove proc and sysfs access from system_app and platform_app.

Bug: 65643247 Test: manual Test: browse internet Test: take a picture Change-Id: I9faff44b7a025c7422404d777113e40842ea26dd

Remove proc and sysfs access from system_app and platform_app.
06d7dca4 · Tri Vo · 04b70519 · 06d7dca4 · 06d7dca4 · 06d7dca4
Commit 06d7dca4 authored 7 years ago by Tri Vo
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -476,7 +476,8 @@
    proc_uid_concurrent_policy_time
    proc_uptime
    proc_version
-    proc_vmallocinfo))
+    proc_vmallocinfo
+    proc_vmstat))
 (typeattributeset proc_bluetooth_writable_26_0 (proc_bluetooth_writable))
 (typeattributeset proc_cpuinfo_26_0 (proc_cpuinfo))
 (typeattributeset proc_drop_caches_26_0 (proc_drop_caches))

--- a/private/domain.te
+++ b/private/domain.te
@@ -25,9 +25,7 @@ full_treble_only(`
  neverallow {
    coredomain
    -dumpstate
-    -platform_app
    -priv_app
-    -system_app
    -vold
    -vendor_init
  } proc:file no_rw_file_perms;
@@ -38,7 +36,6 @@ full_treble_only(`
    -dumpstate
    -init
    -priv_app
-    -system_app
    -ueventd
    -vold
    -vendor_init

--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -79,6 +79,7 @@ genfscon proc /uid_concurrent_policy_time u:object_r:proc_uid_concurrent_policy_
 genfscon proc /uptime u:object_r:proc_uptime:s0
 genfscon proc /version u:object_r:proc_version:s0
 genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
+genfscon proc /vmstat u:object_r:proc_vmstat:s0
 genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
 # selinuxfs booleans can be individually labeled.

--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -41,7 +41,9 @@ allow platform_app vfat:file create_file_perms;
 allow platform_app rootfs:dir getattr;
 # com.android.captiveportallogin reads /proc/vmstat
-allow platform_app proc:file r_file_perms;
+allow platform_app {
+  proc_vmstat
+}:file r_file_perms;
 allow platform_app audioserver_service:service_manager find;
 allow platform_app cameraserver_service:service_manager find;

--- a/private/system_app.te
+++ b/private/system_app.te
@@ -102,12 +102,8 @@ allow system_app keystore:keystore_key {
    user_changed
 };
-# /sys access
+# settings app reads /proc/version
-r_dir_file(system_app, sysfs_type)
-# settings app reads /proc/version and /proc/pagetypeinfo
 allow system_app {
-  proc
  proc_version
 }:file r_file_perms;

--- a/public/file.te
+++ b/public/file.te
@@ -57,6 +57,7 @@ type proc_uid_concurrent_policy_time, fs_type;
 type proc_uptime, fs_type;
 type proc_version, fs_type;
 type proc_vmallocinfo, fs_type;
+type proc_vmstat, fs_type;
 type proc_zoneinfo, fs_type;
 type selinuxfs, fs_type, mlstrustedobject;
 type cgroup, fs_type, mlstrustedobject;