From 2de02877a30e73bdf30fb2bf9cc4957f9ddbf996 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 26 Sep 2014 10:51:12 -0700
Subject: [PATCH] zygote: allow replacing /proc/cpuinfo

Android's native bridge functionality allows an Android native
app written on one CPU architecture to run on a different architecture.
For example, Android ARM apps may run on an x86 CPU.

To support this, the native bridge functionality needs to replace
/proc/cpuinfo with the version from /system/lib/<ISA>/cpuinfo
using a bind mount. See commit ab0da5a9a6860046619629b8e6b83692d35dff86
in system/core.

This change:

1) Creates a new label proc_cpuinfo, and assigns /proc/cpuinfo
that label.
2) Grants read-only access to all SELinux domains, to avoid
breaking pre-existing apps.
3) Grants zygote mounton capabilities for that file, so zygote
can replace the file as necessary.

Addresses the following denial:

  avc: denied { mounton } for path="/proc/cpuinfo" dev="proc" ino=4026532012 scontext=u:r:zygote:s0 tcontext=u:object_r:proc:s0 tclass=file

Bug: 17671501
Change-Id: Ib70624fba2baeccafbc0a41369833f76b976ee20
---
 domain.te      | 1 +
 file.te        | 1 +
 genfs_contexts | 1 +
 zygote.te      | 4 ++++
 4 files changed, 7 insertions(+)

diff --git a/domain.te b/domain.te
index a3dd21743..23803df1a 100644
--- a/domain.te
+++ b/domain.te
@@ -138,6 +138,7 @@ r_dir_file(domain, sysfs_devices_system_cpu)
 r_dir_file(domain, inotify)
 r_dir_file(domain, cgroup)
 r_dir_file(domain, proc_net)
+allow domain proc_cpuinfo:file r_file_perms;
 
 # debugfs access
 allow domain debugfs:dir r_dir_perms;
diff --git a/file.te b/file.te
index e50196c4d..1eb323e47 100644
--- a/file.te
+++ b/file.te
@@ -10,6 +10,7 @@ type proc_security, fs_type;
 type usermodehelper, fs_type, sysfs_type;
 type qtaguid_proc, fs_type, mlstrustedobject;
 type proc_bluetooth_writable, fs_type;
+type proc_cpuinfo, fs_type;
 type proc_net, fs_type;
 type proc_sysrq, fs_type;
 type selinuxfs, fs_type, mlstrustedobject;
diff --git a/genfs_contexts b/genfs_contexts
index ab4e045a2..31b7e4f64 100644
--- a/genfs_contexts
+++ b/genfs_contexts
@@ -4,6 +4,7 @@ genfscon rootfs / u:object_r:rootfs:s0
 genfscon proc / u:object_r:proc:s0
 genfscon proc /net u:object_r:proc_net:s0
 genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
+genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
 genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
 genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
 genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
diff --git a/zygote.te b/zygote.te
index c2a239593..4c6276c8c 100644
--- a/zygote.te
+++ b/zygote.te
@@ -42,6 +42,10 @@ selinux_check_access(zygote)
 # Read /seapp_contexts and /data/security/seapp_contexts
 security_access_policy(zygote)
 
+# Native bridge functionality requires that zygote replaces
+# /proc/cpuinfo with /system/lib/<ISA>/cpuinfo using a bind mount
+allow zygote proc_cpuinfo:file mounton;
+
 # Setting up /storage/emulated.
 allow zygote rootfs:dir mounton;
 allow zygote sdcard_type:dir { write search setattr create add_name mounton };
-- 
GitLab