From 26cd912e6c4d6a125a646216fc22c2904407e295 Mon Sep 17 00:00:00 2001
From: dcashman <dcashman@google.com>
Date: Mon, 13 Jul 2015 08:39:17 -0700
Subject: [PATCH] Give /proc/iomem a more specific label.

/proc/iomem is currently given the proc label but contains system information
which should not be available to all processes.

Bug: 22008387
Change-Id: I4f1821f40113a743ad986d13d8d130ed8b8abf2f
---
 file.te        | 1 +
 genfs_contexts | 1 +
 2 files changed, 2 insertions(+)

diff --git a/file.te b/file.te
index 0e08a38b5..623bb8df3 100644
--- a/file.te
+++ b/file.te
@@ -11,6 +11,7 @@ type usermodehelper, fs_type, sysfs_type;
 type qtaguid_proc, fs_type, mlstrustedobject;
 type proc_bluetooth_writable, fs_type;
 type proc_cpuinfo, fs_type;
+type proc_iomem, fs_type;
 type proc_net, fs_type;
 type proc_sysrq, fs_type;
 type selinuxfs, fs_type, mlstrustedobject;
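Review bot: The new declaration `type proc_iomem, fs_type;` comes with no comment and no allow rule, so once the matching `genfscon proc /iomem` entry in genfs_contexts applies, every domain that read the file through its access to the `proc` label is denied. That matches the stated intent, but it should be recorded beside the type, for example `# /proc/iomem: system memory map; not readable via the generic proc label, grant per domain only.` Any domain that legitimately needs the file must get an explicit rule on `proc_iomem`, presumably outside this patch; watching a test build for new avc denials on `proc_iomem` would confirm none was missed. If the restriction is meant to be permanent for untrusted domains, a neverallow on the type would stop later changes from quietly widening access.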
diff --git a/genfs_contexts b/genfs_contexts
index 4b16ffc1f..c2c5bb7bb 100644
--- a/genfs_contexts
+++ b/genfs_contexts
@@ -2,6 +2,7 @@
 genfscon rootfs / u:object_r:rootfs:s0
 # proc labeling can be further refined (longest matching prefix).
 genfscon proc / u:object_r:proc:s0
+genfscon proc /iomem u:object_r:proc_iomem:s0
 genfscon proc /net u:object_r:proc_net:s0
 genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
 genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
-- 
GitLab