Commit 50bb7b5a authored by Nick Kralevich

Label /proc/misc

Label /proc/misc and allow access to untrusted_apps targeting older API
versions, as well as update_engine_common.

/proc/misc is used by some banking apps to try to detect if they are
running in an emulated environment.

TODO: Remove access to proc:file from update_engine_common after more
testing.

Bug: 35917228
Test: Device boots and no new denials.
Change-Id: If1b97a9c55a74cb74d1bb15137201ffb95b5bd75
parent afb082e3
...@@ -6,6 +6,7 @@ genfscon proc /config.gz u:object_r:config_gz:s0 ...@@ -6,6 +6,7 @@ genfscon proc /config.gz u:object_r:config_gz:s0
genfscon proc /interrupts u:object_r:proc_interrupts:s0 genfscon proc /interrupts u:object_r:proc_interrupts:s0
genfscon proc /iomem u:object_r:proc_iomem:s0 genfscon proc /iomem u:object_r:proc_iomem:s0
genfscon proc /meminfo u:object_r:proc_meminfo:s0 genfscon proc /meminfo u:object_r:proc_meminfo:s0
genfscon proc /misc u:object_r:proc_misc:s0
genfscon proc /net u:object_r:proc_net:s0 genfscon proc /net u:object_r:proc_net:s0
genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0 genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0 genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
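Review bot: The added "genfscon proc /misc u:object_r:proc_misc:s0" line takes /proc/misc out of the generic proc label, so every domain that read it through a proc:file rule loses that access unless it also gets a proc_misc rule, and this patch adds such rules only for untrusted_app_25 and update_engine. A boot test only exercises callers that run at boot, so it is worth checking the rest of the policy for other readers of /proc/misc, or watching for proc_misc denials over a wider test run.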
......
...@@ -31,3 +31,7 @@ create_pty(untrusted_app_25) ...@@ -31,3 +31,7 @@ create_pty(untrusted_app_25)
# b/34115651 - net.dns* properties read # b/34115651 - net.dns* properties read
# This will go away in a future Android release # This will go away in a future Android release
get_prop(untrusted_app_25, net_dns_prop) get_prop(untrusted_app_25, net_dns_prop)
# b/35917228 - /proc/misc access
# This will go away in a future Android release
allow untrusted_app_25 proc_misc:file r_file_perms;
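Review bot: The comment above "allow untrusted_app_25 proc_misc:file r_file_perms;" gives the bug number but not the reason for the grant. The commit message has it (apps reading /proc/misc to detect an emulated environment); a short version of that in the comment would let whoever removes this rule later judge what will break without opening the bug.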
...@@ -16,6 +16,7 @@ type proc_cpuinfo, fs_type; ...@@ -16,6 +16,7 @@ type proc_cpuinfo, fs_type;
type proc_interrupts, fs_type; type proc_interrupts, fs_type;
type proc_iomem, fs_type; type proc_iomem, fs_type;
type proc_meminfo, fs_type; type proc_meminfo, fs_type;
type proc_misc, fs_type;
type proc_net, fs_type; type proc_net, fs_type;
type proc_stat, fs_type; type proc_stat, fs_type;
type proc_sysrq, fs_type; type proc_sysrq, fs_type;
......
...@@ -33,7 +33,10 @@ allow update_engine_common shell_exec:file rx_file_perms; ...@@ -33,7 +33,10 @@ allow update_engine_common shell_exec:file rx_file_perms;
allow update_engine_common postinstall:process { signal sigstop }; allow update_engine_common postinstall:process { signal sigstop };
# access /proc/misc # access /proc/misc
allow update_engine proc:file r_file_perms; # Access is also granted to proc:file, but it is likely unneeded
# due to the more specific grant to proc_misc immediately below.
allow update_engine proc:file r_file_perms; # delete candidate
allow update_engine proc_misc:file r_file_perms;
# read directories on /system and /vendor # read directories on /system and /vendor
allow update_engine system_file:dir r_dir_perms; allow update_engine system_file:dir r_dir_perms;
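Review bot: On the retained "allow update_engine proc:file r_file_perms;" line, the "delete candidate" comment carries no bug reference, and the commit's test ("no new denials") cannot show whether this broad rule is still exercised, because allowed accesses are not logged. Suggest tagging the comment with b/35917228 and temporarily adding "auditallow update_engine proc:file r_file_perms;" so any remaining reads of generically labeled /proc files show up in the audit log before the rule is deleted.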