From 528da6fe3a0dbe4ae15355dff0152ab5f55197da Mon Sep 17 00:00:00 2001
From: Tri Vo <trong@google.com>
Date: Wed, 13 Sep 2017 14:34:56 -0700
Subject: [PATCH] Explicitly label logd's dependencies in /proc.

Label /proc/kmsg as proc_kmsg, change logd's access from proc to
proc_kmsg, and add a compat mapping.

Bug: 65643247
Test: device boots without selinux denials to the newly introduced proc_kmsg
Test: logd-unit-tests passes
Change-Id: I92c9f5694289eb6a94c4d90f14e2de4d46b5228e
---
 private/compat/26.0/26.0.cil | 2 +-
 private/genfs_contexts       | 1 +
 public/file.te               | 1 +
 public/logd.te               | 2 +-
 4 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index bdd16f198..9f1643b8d 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -446,7 +446,7 @@
 (typeattributeset preopt2cachename_exec_26_0 (preopt2cachename_exec))
 (typeattributeset print_service_26_0 (print_service))
 (typeattributeset priv_app_26_0 (mediaprovider priv_app))
-(typeattributeset proc_26_0 (proc proc_uid_time_in_state))
+(typeattributeset proc_26_0 (proc proc_uid_time_in_state proc_kmsg))
 (typeattributeset proc_bluetooth_writable_26_0 (proc_bluetooth_writable))
 (typeattributeset proc_cpuinfo_26_0 (proc_cpuinfo))
 (typeattributeset proc_drop_caches_26_0 (proc_drop_caches))
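Review bot: Adding `proc_kmsg` to `proc_26_0` means every rule in 26.0 vendor policy written against `proc` continues to apply to /proc/kmsg, so the narrowing in this commit takes effect for platform domains only. That is the purpose of the mapping, but it is worth stating next to the line, for example `; proc_kmsg split from proc after 26.0: 26.0 vendor rules on proc still cover /proc/kmsg`. Anyone auditing who can read the kernel log should check vendor rules on `proc` as well as direct `proc_kmsg` rules.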
diff --git a/private/genfs_contexts b/private/genfs_contexts
index e77a39b92..e0375d158 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -5,6 +5,7 @@ genfscon proc / u:object_r:proc:s0
 genfscon proc /config.gz u:object_r:config_gz:s0
 genfscon proc /interrupts u:object_r:proc_interrupts:s0
 genfscon proc /iomem u:object_r:proc_iomem:s0
+genfscon proc /kmsg u:object_r:proc_kmsg:s0
 genfscon proc /meminfo u:object_r:proc_meminfo:s0
 genfscon proc /misc u:object_r:proc_misc:s0
 genfscon proc /modules u:object_r:proc_modules:s0
diff --git a/public/file.te b/public/file.te
index bcdc4612b..b49ff78b7 100644
--- a/public/file.te
+++ b/public/file.te
@@ -16,6 +16,7 @@ type proc_bluetooth_writable, fs_type;
 type proc_cpuinfo, fs_type;
 type proc_interrupts, fs_type;
 type proc_iomem, fs_type;
+type proc_kmsg, fs_type;
 type proc_meminfo, fs_type;
 type proc_misc, fs_type;
 type proc_modules, fs_type;
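Review bot: The new `proc_kmsg` type is declared with nothing in this patch that stops it being granted to further domains later. The kernel log can carry kernel addresses and other data that should not be widely readable, so the split is only as strong as the allow rules written afterwards. If no such restriction exists elsewhere in the policy (not visible here), consider a rule along the lines of `neverallow { domain -logd } proc_kmsg:file { open read };`, with the exempt set extended to the domains confirmed to need it. The exemptions would also have to account for 26.0 vendor domains that reach this type through the `proc_26_0` mapping.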
diff --git a/public/logd.te b/public/logd.te
index 62bff9739..c47bfd744 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -4,7 +4,7 @@ type logd_exec, exec_type, file_type;
 
 # Read access to pseudo filesystems.
 r_dir_file(logd, cgroup)
-r_dir_file(logd, proc)
+r_dir_file(logd, proc_kmsg)
 r_dir_file(logd, proc_meminfo)
 r_dir_file(logd, proc_net)
 
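Review bot: `r_dir_file(logd, proc_kmsg)` grants directory and symlink read permissions as well as file read, yet the genfscon entry in this patch labels a single file. `allow logd proc_kmsg:file r_file_perms;` would grant only what /proc/kmsg needs. Separately, dropping `r_dir_file(logd, proc)` removes logd's read access to every /proc entry still labeled `proc`, and the Test: lines mention only denials against proc_kmsg. It is worth confirming the boot log also shows no logd denials with a `proc` target. Lookup of the /proc directory itself presumably relies on a rule outside this hunk.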
-- 
GitLab