Merge "fine-grained policy for access to /proc/zoneinfo"

89a8ed4e · Nick Kralevich · Gerrit Code Review · c0937b6e · 7078e8b6 · 89a8ed4e
Commit 89a8ed4e authored 8 years ago by Nick Kralevich Committed by Gerrit Code Review 8 years ago
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -144,3 +144,4 @@ allow dumpstate debugfs_trace_marker:file getattr;
 allow dumpstate atrace_exec:file rx_file_perms;
 allow dumpstate proc_interrupts:file r_file_perms;
+allow dumpstate proc_zoneinfo:file r_file_perms;
--- a/file.te
+++ b/file.te
@@ -22,6 +22,7 @@ type proc_sysrq, fs_type;
 type proc_timer, fs_type;
 type proc_uid_cputime_showstat, fs_type;
 type proc_uid_cputime_removeuid, fs_type;
+type proc_zoneinfo, fs_type;
 type selinuxfs, fs_type, mlstrustedobject;
 type cgroup, fs_type, mlstrustedobject;
 type sysfs, fs_type, sysfs_type, mlstrustedobject;

--- a/genfs_contexts
+++ b/genfs_contexts
@@ -31,6 +31,7 @@ genfscon proc /timer_list u:object_r:proc_timer:s0
 genfscon proc /timer_stats u:object_r:proc_timer:s0
 genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
 genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
+genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
 # selinuxfs booleans can be individually labeled.
 genfscon selinuxfs / u:object_r:selinuxfs:s0

--- a/lmkd.te
+++ b/lmkd.te
@@ -32,6 +32,8 @@ allow lmkd cgroup:dir { remove_name rmdir };
 # Set self to SCHED_FIFO
 allow lmkd self:capability sys_nice;
+allow lmkd proc_zoneinfo:file r_file_perms;
 ### neverallow rules
 # never honor LD_PRELOAD

--- a/shell.te
+++ b/shell.te
@@ -93,6 +93,7 @@ allow shell proc_interrupts:file r_file_perms;
 allow shell proc_meminfo:file r_file_perms;
 allow shell proc_stat:file r_file_perms;
 allow shell proc_timer:file r_file_perms;
+allow shell proc_zoneinfo:file r_file_perms;
 r_dir_file(shell, cgroup)
 allow shell domain:dir { search open read getattr };
 allow shell domain:{ file lnk_file } { open read getattr };