undeprecate /proc/cpuinfo, more shell permissions

am: f8f937a1 * commit 'f8f937a1': undeprecate /proc/cpuinfo, more shell permissions

undeprecate /proc/cpuinfo, more shell permissions
4e036181 · Nick Kralevich · android-build-merger · 654e9129 · f8f937a1 · 4e036181
Commit 4e036181 authored 9 years ago by Nick Kralevich Committed by android-build-merger 9 years ago
--- a/bootanim.te
+++ b/bootanim.te
@@ -28,9 +28,7 @@ allow bootanim ion_device:chr_file rw_file_perms;
 # Read access to pseudo filesystems.
 r_dir_file(bootanim, proc)
 r_dir_file(bootanim, sysfs)
-r_dir_file(bootanim, sysfs_devices_system_cpu)
 r_dir_file(bootanim, cgroup)
-allow bootanim proc_cpuinfo:file r_file_perms;

 # System file accesses.
 allow bootanim system_file:dir r_dir_perms;
--- a/domain.te
+++ b/domain.te
@@ -109,6 +109,9 @@ allow domain system_data_file:lnk_file read;
 # required by the dynamic linker
 allow domain proc:lnk_file read;

+# /proc/cpuinfo
+allow domain proc_cpuinfo:file r_file_perms;
+
 # toybox loads libselinux which stats /sys/fs/selinux/
 allow domain selinuxfs:file getattr;
 allow domain sysfs:dir search;

--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -66,7 +66,6 @@ r_dir_file(domain_deprecated, sysfs)
 r_dir_file(domain_deprecated, inotify)
 r_dir_file(domain_deprecated, cgroup)
 r_dir_file(domain_deprecated, proc_net)
-allow domain_deprecated proc_cpuinfo:file r_file_perms;

 # Get SELinux enforcing status.
 allow domain_deprecated selinuxfs:dir r_dir_perms;

--- a/shell.te
+++ b/shell.te
@@ -96,6 +96,13 @@ r_dir_file(shell, cgroup)
 allow shell domain:dir { search open read getattr };
 allow shell domain:{ file lnk_file } { open read getattr };

+# statvfs() of /proc and other labeled filesystems
+# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs)
+allow shell { proc labeledfs }:filesystem getattr;
+
+# stat() of /dev
+allow shell device:dir getattr;
+
 # allow shell to read /proc/pid/attr/current for ps -Z
 allow shell domain:process getattr;