From 9fa8ad6eb8d6947e446e5c308da04f75777233a6 Mon Sep 17 00:00:00 2001
From: Tri Vo <trong@google.com>
Date: Mon, 2 Oct 2017 15:31:46 -0700
Subject: [PATCH] Give uncrypt access to /proc/cmdline.

Removes uncrypt access to the rest of /proc.
Fixes this denial, which can be triggered from recovery_component_test:
[  142.540819] type=1400 audit(1506983074.139:23): avc: denied { read }
for pid=5767 comm=uncrypt name=cmdline dev=proc ino=4026532114
scontext=u:r:uncrypt:s0 tcontext=u:object_r:proc_cmdline:s0 tclass=file
permissive=0

Bug: 66497047
Test: recovery_component_test --gtest_filter=UncryptTest.*
no more denials to /proc/cmdline
Change-Id: If1a7630779d667d52a0cc44114ef6177982de21c
---
 public/uncrypt.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/public/uncrypt.te b/public/uncrypt.te
index 67189ae15..4437ab7c0 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -39,7 +39,7 @@ allow uncrypt userdata_block_device:blk_file w_file_perms;
 r_dir_file(uncrypt, rootfs)
 
 # uncrypt reads /proc/cmdline
-allow uncrypt proc:file r_file_perms;
+allow uncrypt proc_cmdline:file r_file_perms;
 
 # Read files in /sys
 r_dir_file(uncrypt, sysfs)
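Review bot: The comment above the changed rule, `# uncrypt reads /proc/cmdline`, does not record that access to the generic `proc` type is deliberately withheld, so a later denial on some other /proc file could be "fixed" by restoring `allow uncrypt proc:file r_file_perms;`. I would expand it to `# uncrypt reads /proc/cmdline only; do not widen this to the generic proc type`. The description lists only `UncryptTest.*` as coverage, so any other read of a `proc`-labelled file by uncrypt would presumably show up as a new avc denial; checking the audit log over a full uncrypt run would confirm nothing else depended on the old rule. Separately, the context line `r_dir_file(uncrypt, sysfs)` still grants read access to the whole generic `sysfs` type, which may merit the same narrowing in a follow-up.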
-- 
GitLab