From abf31acb01f85ade4b97b05f9893d270b915b7b6 Mon Sep 17 00:00:00 2001
From: dcashman <dcashman@google.com>
Date: Fri, 5 Feb 2016 15:13:36 -0800
Subject: [PATCH] Allow domain to read proc dirs.

Ability to read all of proc was placed in domain_deprecated with the
intention of reducing information leaking from proc.  Many processes try
to read proc dirs, though.  Allow this with the belief that information
leakage is from the proc files themselves rather than dir structure.

Address the following denial:
avc: denied { read } for name="/" dev="proc" ino=1 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=dir permissive=0

Bug: 26833472
Change-Id: I975ae022c093e1cf80de21487dc11e49f938e5a3
---
 domain.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/domain.te b/domain.te
index 33656e4a5..b2117db1a 100644
--- a/domain.te
+++ b/domain.te
@@ -22,7 +22,7 @@ allow domain self:process {
     setrlimit
 };
 allow domain self:fd use;
-allow domain proc:dir search;
+allow domain proc:dir r_dir_perms;
 allow domain proc_net:dir search;
 r_dir_file(domain, self)
 allow domain self:{ fifo_file file } rw_file_perms;
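Review bot: The new `allow domain proc:dir r_dir_perms;` on line 29 grants read, open, getattr, ioctl and lock on every directory labelled `proc` for every domain, which is broader than the single `name="/"` denial quoted in the description, and the premise that directory structure leaks nothing is weaker than stated because listing proc directories still exposes the set of live PIDs and entry names. The hunk records none of this trade-off, so a later reader will not know why all domains, including untrusted_app, may enumerate proc. I would add a comment above the allow line, e.g. `# Directory listing of proc is allowed for all domains; the sensitive content is in the proc files themselves, which remain restricted (domain_deprecated).` If the intent was only to stop the read denial on the proc root, a narrower rule would be `allow domain proc:dir { search read open getattr };` and the description should say which permissions are actually needed.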
-- 
GitLab