Commit 0746a306 authored by Tri Vo's avatar Tri Vo Committed by Android (Google) Code Review

Merge changes from topic "dontaudit_proc_sys" into pi-dev

* changes:
  silence innocuous denials to /proc and /sys
  proc_type attribute for files under /proc.
parents 2867f5c3 f170dfb7
# /proc/config.gz # /proc/config.gz
type config_gz, fs_type; type config_gz, fs_type, proc_type;
# /data/misc/stats-data, /data/misc/stats-service # /data/misc/stats-data, /data/misc/stats-service
type stats_data_file, file_type, data_file_type, core_data_file_type; type stats_data_file, file_type, data_file_type, core_data_file_type;
......
...@@ -36,7 +36,10 @@ expandattribute core_data_file_type false; ...@@ -36,7 +36,10 @@ expandattribute core_data_file_type false;
# All types in /vendor # All types in /vendor
attribute vendor_file_type; attribute vendor_file_type;
# All types use for sysfs files. # All types used for procfs files.
attribute proc_type;
# All types used for sysfs files.
attribute sysfs_type; attribute sysfs_type;
# All types use for debugfs files. # All types use for debugfs files.
......
...@@ -1321,3 +1321,14 @@ neverallow { ...@@ -1321,3 +1321,14 @@ neverallow {
-zygote -zygote
} self:capability dac_override; } self:capability dac_override;
neverallow domain self:capability dac_read_search; neverallow domain self:capability dac_read_search;
# If an already existing file is opened with O_CREATE, the kernel might generate
# a false report of a create denial. Silence these denials and make sure that
# inappropriate permissions are not granted.
neverallow domain {
proc_type
sysfs_type
}:dir { add_name create link remove_name rename reparent rmdir write };
dontaudit domain proc_type:dir write;
dontaudit domain sysfs_type:dir write;
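Review bot: The two `dontaudit` rules that close this hunk suppress the audit record for every directory-write attempt on procfs and sysfs by any domain, not only the false create denial the comment describes, so a genuine attempt by a misbehaving or compromised process will no longer appear in the denial log either. The `neverallow` above keeps the permission from ever being granted, but the comment should state that trade-off, and it should name the flag as the kernel spells it: `# If an already existing file is opened with O_CREAT, the kernel might generate` followed by a line such as `# NOTE: this also hides real dir write attempts from audit; the neverallow is the only guard.` Both rules reach only types that carry `proc_type` or `sysfs_type`, so a procfs or sysfs type declared without the attribute falls outside the neverallow and the dontaudit alike; a build-time check that every such type has the attribute would be a sensible follow-up.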
...@@ -3,65 +3,65 @@ type labeledfs, fs_type; ...@@ -3,65 +3,65 @@ type labeledfs, fs_type;
type pipefs, fs_type; type pipefs, fs_type;
type sockfs, fs_type; type sockfs, fs_type;
type rootfs, fs_type; type rootfs, fs_type;
type proc, fs_type; type proc, fs_type, proc_type;
# Security-sensitive proc nodes that should not be writable to most. # Security-sensitive proc nodes that should not be writable to most.
type proc_security, fs_type; type proc_security, fs_type, proc_type;
type proc_drop_caches, fs_type; type proc_drop_caches, fs_type, proc_type;
type proc_overcommit_memory, fs_type; type proc_overcommit_memory, fs_type, proc_type;
type proc_min_free_order_shift, fs_type; type proc_min_free_order_shift, fs_type, proc_type;
# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers. # proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
type usermodehelper, fs_type; type usermodehelper, fs_type, proc_type;
type sysfs_usermodehelper, fs_type, sysfs_type; type sysfs_usermodehelper, fs_type, sysfs_type;
type qtaguid_proc, fs_type, mlstrustedobject; type qtaguid_proc, fs_type, mlstrustedobject, proc_type;
type proc_qtaguid_stat, fs_type, mlstrustedobject; type proc_qtaguid_stat, fs_type, mlstrustedobject, proc_type;
type proc_bluetooth_writable, fs_type; type proc_bluetooth_writable, fs_type, proc_type;
type proc_abi, fs_type; type proc_abi, fs_type, proc_type;
type proc_asound, fs_type; type proc_asound, fs_type, proc_type;
type proc_buddyinfo, fs_type; type proc_buddyinfo, fs_type, proc_type;
type proc_cmdline, fs_type; type proc_cmdline, fs_type, proc_type;
type proc_cpuinfo, fs_type; type proc_cpuinfo, fs_type, proc_type;
type proc_dirty, fs_type; type proc_dirty, fs_type, proc_type;
type proc_diskstats, fs_type; type proc_diskstats, fs_type, proc_type;
type proc_extra_free_kbytes, fs_type; type proc_extra_free_kbytes, fs_type, proc_type;
type proc_filesystems, fs_type; type proc_filesystems, fs_type, proc_type;
type proc_hostname, fs_type; type proc_hostname, fs_type, proc_type;
type proc_hung_task, fs_type; type proc_hung_task, fs_type, proc_type;
type proc_interrupts, fs_type; type proc_interrupts, fs_type, proc_type;
type proc_iomem, fs_type; type proc_iomem, fs_type, proc_type;
type proc_kmsg, fs_type; type proc_kmsg, fs_type, proc_type;
type proc_loadavg, fs_type; type proc_loadavg, fs_type, proc_type;
type proc_max_map_count, fs_type; type proc_max_map_count, fs_type, proc_type;
type proc_meminfo, fs_type; type proc_meminfo, fs_type, proc_type;
type proc_misc, fs_type; type proc_misc, fs_type, proc_type;
type proc_modules, fs_type; type proc_modules, fs_type, proc_type;
type proc_mounts, fs_type; type proc_mounts, fs_type, proc_type;
type proc_net, fs_type; type proc_net, fs_type, proc_type;
type proc_page_cluster, fs_type; type proc_page_cluster, fs_type, proc_type;
type proc_pagetypeinfo, fs_type; type proc_pagetypeinfo, fs_type, proc_type;
type proc_panic, fs_type; type proc_panic, fs_type, proc_type;
type proc_perf, fs_type; type proc_perf, fs_type, proc_type;
type proc_pid_max, fs_type; type proc_pid_max, fs_type, proc_type;
type proc_pipe_conf, fs_type; type proc_pipe_conf, fs_type, proc_type;
type proc_random, fs_type; type proc_random, fs_type, proc_type;
type proc_sched, fs_type; type proc_sched, fs_type, proc_type;
type proc_stat, fs_type; type proc_stat, fs_type, proc_type;
type proc_swaps, fs_type; type proc_swaps, fs_type, proc_type;
type proc_sysrq, fs_type; type proc_sysrq, fs_type, proc_type;
type proc_timer, fs_type; type proc_timer, fs_type, proc_type;
type proc_tty_drivers, fs_type; type proc_tty_drivers, fs_type, proc_type;
type proc_uid_cputime_showstat, fs_type; type proc_uid_cputime_showstat, fs_type, proc_type;
type proc_uid_cputime_removeuid, fs_type; type proc_uid_cputime_removeuid, fs_type, proc_type;
type proc_uid_io_stats, fs_type; type proc_uid_io_stats, fs_type, proc_type;
type proc_uid_procstat_set, fs_type; type proc_uid_procstat_set, fs_type, proc_type;
type proc_uid_time_in_state, fs_type; type proc_uid_time_in_state, fs_type, proc_type;
type proc_uid_concurrent_active_time, fs_type; type proc_uid_concurrent_active_time, fs_type, proc_type;
type proc_uid_concurrent_policy_time, fs_type; type proc_uid_concurrent_policy_time, fs_type, proc_type;
type proc_uid_cpupower, fs_type; type proc_uid_cpupower, fs_type, proc_type;
type proc_uptime, fs_type; type proc_uptime, fs_type, proc_type;
type proc_version, fs_type; type proc_version, fs_type, proc_type;
type proc_vmallocinfo, fs_type; type proc_vmallocinfo, fs_type, proc_type;
type proc_vmstat, fs_type; type proc_vmstat, fs_type, proc_type;
type proc_zoneinfo, fs_type; type proc_zoneinfo, fs_type, proc_type;
type selinuxfs, fs_type, mlstrustedobject; type selinuxfs, fs_type, mlstrustedobject;
type cgroup, fs_type, mlstrustedobject; type cgroup, fs_type, mlstrustedobject;
type cgroup_bpf, fs_type; type cgroup_bpf, fs_type;
...@@ -83,10 +83,10 @@ type sysfs_net, fs_type, sysfs_type; ...@@ -83,10 +83,10 @@ type sysfs_net, fs_type, sysfs_type;
type sysfs_power, fs_type, sysfs_type; type sysfs_power, fs_type, sysfs_type;
type sysfs_rtc, fs_type, sysfs_type; type sysfs_rtc, fs_type, sysfs_type;
type sysfs_switch, fs_type, sysfs_type; type sysfs_switch, fs_type, sysfs_type;
type sysfs_usb, sysfs_type, file_type, mlstrustedobject; type sysfs_usb, fs_type, sysfs_type;
type sysfs_wakeup_reasons, fs_type, sysfs_type; type sysfs_wakeup_reasons, fs_type, sysfs_type;
type sysfs_fs_ext4_features, sysfs_type, fs_type; type sysfs_fs_ext4_features, sysfs_type, fs_type;
type fs_bpf, fs_type, sysfs_type; type fs_bpf, fs_type;
type configfs, fs_type; type configfs, fs_type;
# /sys/devices/system/cpu # /sys/devices/system/cpu
type sysfs_devices_system_cpu, fs_type, sysfs_type; type sysfs_devices_system_cpu, fs_type, sysfs_type;
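Review bot: Two declarations in this hunk change attributes that the commit description does not mention: `sysfs_usb` goes from `sysfs_type, file_type, mlstrustedobject` to `fs_type, sysfs_type`, and `fs_bpf` loses `sysfs_type` (reading the right-hand column as the new side, as on the rest of the page). Dropping `mlstrustedobject` puts `sysfs_usb` back under the MLS constraints, and removing `sysfs_type` from `fs_bpf` takes it out of every rule written against that attribute, including the new directory-write neverallow, so both lines change access rather than only auditing. I would record the reason beside the declarations, for example `# fs_bpf is not sysfs and must not carry sysfs_type, which forbids directory writes.` (wording for the author to confirm), and check that no domain depended on the old `sysfs_usb` attributes.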
......