From c15d54ef1a245584d157aa55b80b78e24b4d4da9 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Tue, 25 Jul 2017 16:43:49 -0700
Subject: [PATCH] domain_deprecated: remove proc access

Remove "granted" logspam. Grant the observed permissions to the
individual processes that need them and remove the permission from
domain_deprecated.

avc: granted { read open } for comm="ndroid.settings"
path="/proc/version" dev="proc" ino=4026532081
scontext=u:r:system_app:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: granted { getattr } for comm=4173796E635461736B202332
path="/proc/pagetypeinfo" dev="proc" ino=4026532129
scontext=u:r:system_app:s0 tcontext=u:object_r:proc:s0 tclass=file

avc: granted { read open } for comm="uncrypt" path="/proc/cmdline"
dev="proc" ino=4026532072 scontext=u:r:uncrypt:s0
tcontext=u:object_r:proc:s0 tclass=file

avc: granted { read open } for comm="update_engine"
path="/proc/sys/kernel/random/boot_id" dev="proc" ino=15852829
scontext=u:r:update_engine:s0 tcontext=u:object_r:proc:s0 tclass=file

avc: granted { read open } for comm="tiveportallogin"
path="/proc/vmstat" dev="proc" ino=4026532130
scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:proc:s0
tclass=file

This change is specifically not granting the following since it
should not be allowed:
avc: granted { read open } for comm="crash_dump64"
path="/proc/filesystems" dev="proc" ino=4026532416
scontext=u:r:dex2oat:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: granted { read } for comm="crash_dump64" name="filesystems"
dev="proc" ino=4026532416 scontext=u:r:dex2oat:s0
tcontext=u:object_r:proc:s0 tclass=file
avc: granted { getattr } for comm="crash_dump64"
path="/proc/filesystems" dev="proc" ino=4026532416
scontext=u:r:dex2oat:s0 tcontext=u:object_r:proc:s0 tclass=file

Bug: 64032843
Bug: 28760354
Test: build
Change-Id: Ib309e97b6229bdf013468dca34f606c0e8da96d0
---
 private/domain_deprecated.te   | 17 -----------------
 private/platform_app.te        |  3 +++
 private/system_app.te          |  3 +++
 public/uncrypt.te              |  3 +++
 public/update_engine_common.te |  6 ++----
 5 files changed, 11 insertions(+), 21 deletions(-)

diff --git a/private/domain_deprecated.te b/private/domain_deprecated.te
index ccb7e855c..a440bfe54 100644
--- a/private/domain_deprecated.te
+++ b/private/domain_deprecated.te
@@ -1,26 +1,9 @@
 # rules removed from the domain attribute
 
 # Read access to pseudo filesystems.
-r_dir_file(domain_deprecated, proc)
 r_dir_file(domain_deprecated, sysfs)
 
 userdebug_or_eng(`
-auditallow {
-  domain_deprecated
-  -fsck
-  -fsck_untrusted
-  -sdcardd
-  -system_server
-  -update_engine
-  -vold
-} proc:file r_file_perms;
-auditallow {
-  domain_deprecated
-  -fsck
-  -fsck_untrusted
-  -system_server
-  -vold
-} proc:lnk_file { open ioctl lock }; # getattr read granted in domain
 auditallow {
   domain_deprecated
   -fingerprintd
diff --git a/private/platform_app.te b/private/platform_app.te
index 047cca45f..a8bb1c285 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -41,6 +41,9 @@ allow platform_app vfat:file create_file_perms;
 # com.android.systemui
 allow platform_app rootfs:dir getattr;
 
+# com.android.captiveportallogin reads /proc/vmstat
+allow platform_app proc:file r_file_perms;
+
 allow platform_app audioserver_service:service_manager find;
 allow platform_app cameraserver_service:service_manager find;
 allow platform_app drmserver_service:service_manager find;
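Review bot: The new rule `allow platform_app proc:file r_file_perms;` grants read of every file still labeled `proc` to the whole platform_app domain, while the log in the commit message shows only com.android.captiveportallogin reading /proc/vmstat; the same shape recurs in private/system_app.te (/proc/version, /proc/pagetypeinfo) and public/uncrypt.te (/proc/cmdline). If the policy already declares a narrower type for those paths the grant should name it, and if it does not, a per-path label via genfs_contexts would preserve the observed access without reopening the blanket proc read that domain_deprecated is dropping. At minimum the comment should state the scope the rule actually confers, e.g. `# com.android.captiveportallogin reads /proc/vmstat; this grants all of proc:file, not just that path`. Keeping an `auditallow` on the new grant under userdebug_or_eng, as the removed domain_deprecated block did, would show whether anything beyond the logged paths is exercised before the rule is narrowed.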
diff --git a/private/system_app.te b/private/system_app.te
index 80afcb946..803ee4424 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -84,5 +84,8 @@ allow system_app keystore:keystore_key {
 # /sys access
 r_dir_file(system_app, sysfs_type)
 
+# settings app reads /proc/version and /proc/pagetypeinfo
+allow system_app proc:file r_file_perms;
+
 control_logd(system_app)
 read_runtime_log_tags(system_app)
diff --git a/public/uncrypt.te b/public/uncrypt.te
index d10eb3916..59f7da363 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -37,3 +37,6 @@ allow uncrypt block_device:dir r_dir_perms;
 allow uncrypt userdata_block_device:blk_file w_file_perms;
 
 r_dir_file(uncrypt, rootfs)
+
+# uncrypt reads /proc/cmdline
+allow uncrypt proc:file r_file_perms;
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index e9bf24fd2..2a0266ed6 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -38,10 +38,8 @@ allow update_engine_common shell_exec:file rx_file_perms;
 # Allow update_engine_common to suspend, resume and kill the postinstall program.
 allow update_engine_common postinstall:process { signal sigstop sigkill };
 
-# access /proc/misc
-# Access is also granted to proc:file, but it is likely unneeded
-# due to the more specific grant to proc_misc immediately below.
-allow update_engine proc:file r_file_perms; # delete candidate
+# access /proc/misc and /proc/sys/kernel/random/boot_id
+allow update_engine proc:file r_file_perms;
 allow update_engine proc_misc:file r_file_perms;
 
 # read directories on /system and /vendor
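Review bot: The rewritten rule `allow update_engine proc:file r_file_perms;` names `update_engine` while the surrounding rules in this file, including the adjacent postinstall rule, target `update_engine_common`; if the boot_id read belongs to update_engine alone the rule arguably belongs in update_engine.te rather than the common file, and the comment should say which domain it covers. The old comment recorded that the proc:file grant was probably redundant with the proc_misc grant below, and the new comment replaces that reasoning with the boot_id justification without saying so; the avc line in the description shows /proc/sys/kernel/random/boot_id labeled `proc`, so a comment such as `# /proc/sys/kernel/random/boot_id is labeled proc; /proc/misc appears to be covered by the proc_misc rule below` would make the remaining need explicit. The hunk's rule also stays a blanket proc:file grant rather than a type for boot_id, so the same scope caveat raised on the platform_app hunk applies here.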
-- 
GitLab