From 7a35c136a4486bd14493b7b333a14a2db8db861e Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Thu, 31 Mar 2016 14:11:50 -0700
Subject: [PATCH] bootanim: allow /proc/meminfo read

Allow /proc/meminfo to be read by bootanim. Not sure why
it's needed, but harmless enough.

Modify domain_deprecated so it doesn't use r_dir_file().
/proc/meminfo is neither a symlink nor a directory, so it doesn't
make sense to create allow rules for those classes of objects.

Addresses the following denial:

  avc: denied { read } for comm="BootAnimation" name="meminfo" dev="proc"
  ino=4026536593 scontext=u:r:bootanim:s0
  tcontext=u:object_r:proc_meminfo:s0 tclass=file permissive=0

This denial is only showing up on flounder, flounder_lte, or
dragon devices. I'm not sure why.

Change-Id: I0f808bcae47fc2fda512cd147c3b44593835cac5
---
 bootanim.te          | 1 +
 domain_deprecated.te | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/bootanim.te b/bootanim.te
index fa0e4dca1..91a50d5d1 100644
--- a/bootanim.te
+++ b/bootanim.te
@@ -23,6 +23,7 @@ allow bootanim ion_device:chr_file rw_file_perms;
 
 # Read access to pseudo filesystems.
 r_dir_file(bootanim, proc)
+allow bootanim proc_meminfo:file r_file_perms;
 r_dir_file(bootanim, sysfs)
 r_dir_file(bootanim, cgroup)
 
diff --git a/domain_deprecated.te b/domain_deprecated.te
index 4da7a3190..e5bfb1c88 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -57,7 +57,7 @@ r_dir_file(domain_deprecated, proc)
 r_dir_file(domain_deprecated, sysfs)
 r_dir_file(domain_deprecated, inotify)
 r_dir_file(domain_deprecated, cgroup)
-r_dir_file(domain_deprecated, proc_meminfo)
+allow domain_deprecated proc_meminfo:file r_file_perms;
 r_dir_file(domain_deprecated, proc_net)
 
 # Get SELinux enforcing status.
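Review bot: The new file-only rule for proc_meminfo now differs in shape from its r_dir_file neighbours (sysfs, inotify, cgroup, proc_net) with nothing in the file explaining why, so a later consistency cleanup could turn it back into r_dir_file and silently re-add dir and lnk_file grants. A one-line comment above the rule would keep the reasoning from the commit message with the code: `# /proc/meminfo is a plain file; no dir or lnk_file rules are needed.` Whether bootanim is still a member of domain_deprecated is not visible in this patch; if it is, the rule added to bootanim.te duplicates this one, which is harmless but could be mentioned in the same comment.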
-- 
GitLab