From b84c86b21127be48850a3c533ee1a1da3bc0e195 Mon Sep 17 00:00:00 2001
From: dcashman <dcashman@google.com>
Date: Thu, 12 May 2016 15:49:02 -0700
Subject: [PATCH] DO NOT MERGE. Remove isolated_app's ability to read sysfs.

untrusted_app lost the ability to read files labeled as sysfs to prevent information leakage, but this is trivially bypassable by spawning an isolated app, since this was not taken away from isolated app. Privileges should not be gained by launching an isolated app, and this one directly defeats that hardeneing. Remove this access.

Bug: 28722489
Change-Id: I61d3678eca515351c9dbe4444ee39d0c89db7a3e
---
 domain_deprecated.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/domain_deprecated.te b/domain_deprecated.te
index e5bfb1c88..00fb516a3 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -54,7 +54,7 @@ allow domain_deprecated ion_device:chr_file rw_file_perms;
 # Read access to pseudo filesystems.
 r_dir_file(domain_deprecated, proc)
-r_dir_file(domain_deprecated, sysfs)
+r_dir_file({ domain_deprecated -isolated_app }, sysfs)
 r_dir_file(domain_deprecated, inotify)
 r_dir_file(domain_deprecated, cgroup)
 allow domain_deprecated proc_meminfo:file r_file_perms;
-- 
GitLab
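Review bot: Excluding isolated_app from this single `r_dir_file` rule closes the bypass only if no other rule still grants isolated_app read on `sysfs`; the hunk shows only domain_deprecated.te, so an equivalent allow reaching isolated_app through another attribute it carries (e.g. `domain`, `appdomain`) or through isolated_app.te would leave the leak intact, which is worth confirming with `sesearch -A -s isolated_app -t sysfs` on the built policy. The invariant the description relies on, that spawning an isolated app must never gain privilege, is not enforced here: adding `neverallow isolated_app sysfs:{ dir file } r_file_perms;` (or a neverallow over `{ isolated_app untrusted_app }` if untrusted_app really has no remaining `sysfs` read) would make the build fail should the access ever be re-added. The `proc` rule on the line above still grants isolated_app the same read; if untrusted_app's `proc` access was restricted in the same hardening, the same `-isolated_app` exclusion is needed there, though that cannot be determined from this hunk. A short why-comment above the changed rule would help future readers, e.g. `# isolated_app must not regain sysfs read; see untrusted_app hardening (bug 28722489).`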