Commit bc1986fb authored by Jeff Vander Stoep's avatar Jeff Vander Stoep Committed by Jeffrey Vander Stoep

domain: allow reading /proc/sys/vm/overcommit_memory

Needed for jemalloc commit:

2f970c32b527660a33fa513a76d913c812dcf7c
Modify pages_map() to support mapping uncommitted virtual memory.

avc: denied { read } for name="overcommit_memory" dev="proc" ino=10544
scontext=u:r:wificond:s0 tcontext=u:object_r:proc:s0 tclass=file

Bug: 29773242
Change-Id: I78054c1ed576a7998c4ee1d1beca2f610c589c3a
parent 797f32b2
...@@ -115,6 +115,9 @@ allow domain proc:lnk_file { getattr read }; ...@@ -115,6 +115,9 @@ allow domain proc:lnk_file { getattr read };
# /proc/cpuinfo # /proc/cpuinfo
allow domain proc_cpuinfo:file r_file_perms; allow domain proc_cpuinfo:file r_file_perms;
# jemalloc needs to read /proc/sys/vm/overcommit_memory
allow domain proc_overcommit_memory:file r_file_perms;
# toybox loads libselinux which stats /sys/fs/selinux/ # toybox loads libselinux which stats /sys/fs/selinux/
allow domain selinuxfs:dir search; allow domain selinuxfs:dir search;
allow domain selinuxfs:file getattr; allow domain selinuxfs:file getattr;
......
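Review bot: The new rule `allow domain proc_overcommit_memory:file r_file_perms;` grants read to every domain, while the only denial quoted in the description is for wificond, so the comment should state why the grant is domain-wide. Something like `# jemalloc reads /proc/sys/vm/overcommit_memory at startup in any process that links it` would do, assuming that is the reason. Because the node now has its own type, a `neverallow` on `write`/`append` for `proc_overcommit_memory:file`, exempting only whichever domain sets the value at boot, would keep this grant read-only as the policy grows.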
...@@ -6,8 +6,8 @@ type rootfs, fs_type; ...@@ -6,8 +6,8 @@ type rootfs, fs_type;
type proc, fs_type; type proc, fs_type;
# Security-sensitive proc nodes that should not be writable to most. # Security-sensitive proc nodes that should not be writable to most.
type proc_security, fs_type; type proc_security, fs_type;
# Type for /proc/sys/vm/drop_caches
type proc_drop_caches, fs_type; type proc_drop_caches, fs_type;
type proc_overcommit_memory, fs_type;
# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers. # proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
type usermodehelper, fs_type, sysfs_type; type usermodehelper, fs_type, sysfs_type;
type qtaguid_proc, fs_type, mlstrustedobject; type qtaguid_proc, fs_type, mlstrustedobject;
......
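Review bot: `type proc_overcommit_memory, fs_type;` is declared without a comment, although the neighbouring `proc_drop_caches` carries `# Type for /proc/sys/vm/drop_caches`. Add `# Type for /proc/sys/vm/overcommit_memory` above the new declaration, so the single node behind the type is documented where the type is defined.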
...@@ -23,6 +23,7 @@ genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0 ...@@ -23,6 +23,7 @@ genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
genfscon proc /sys/net u:object_r:proc_net:s0 genfscon proc /sys/net u:object_r:proc_net:s0
genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0 genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0 genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0
genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0 genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0 genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
......
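Review bot: Labelling `/sys/vm/overcommit_memory` as `proc_overcommit_memory` takes the node out of the generic `proc` type, so any existing rule that reached it through `proc` stops applying, and the visible sections add only the domain-wide read. If some domain sets this sysctl (init at boot would be the usual candidate, though that is not visible here), it needs an explicit write rule on the new type, otherwise the regression shows up only as a runtime denial. Check the init scripts and the remaining policy for writers of this path before merging.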