From c18121811c59335b4b59e8ffc52179ad6049640b Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Thu, 6 Mar 2014 13:27:01 -0500
Subject: [PATCH] Deduplicate and rationalize system_server /proc/pid access.

The system_server has duplicate/overlapping rules regarding /proc/pid access as well as a lack of clarity on the reason for the different rules. Deduplicate the rules and clarify the purpose of different sets of rules.

Replace the rules granting /proc/pid access for all domains with specific rules only for domains that we know should be accessible by the system_server, i.e. all apps (appdomain) and the set of native processes listed in com.android.server.Watchdog.NATIVE_STACKS_OF_INTEREST.

Change-Id: Idae6fc87e19e1700cdc4bdbde521d35caa046d74
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 system_server.te | 20 ++++++++------------
 1 file changed, 8 insertions(+), 12 deletions(-)

diff --git a/system_server.te b/system_server.te
index 9b7b85ad3..b59f5a359 100644
--- a/system_server.te
+++ b/system_server.te
@@ -74,9 +74,11 @@ allow system_server appdomain:process { sigkill signal };
 allow system_server appdomain:process { getsched setsched };
 allow system_server mediaserver:process { getsched setsched };
 
-# Read /proc data for apps.
-allow system_server appdomain:dir r_dir_perms;
-allow system_server appdomain:{ file lnk_file } rw_file_perms;
+# Read /proc/pid data for apps.
+r_dir_file(system_server, appdomain)
+
+# Write to /proc/pid/oom_adj_score for apps.
+allow system_server appdomain:file write;
 
 # Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
 allow system_server qtaguid_proc:file rw_file_perms;
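Review bot: The comment above `allow system_server appdomain:file write;` understates what is granted: `write` applies to every file carrying an app's domain label, and because /proc/<pid> entries take the owning task's label that is all of /proc/<pid>/* for every app process, not only the oom file; the kernel interface is also spelled `oom_score_adj` (the older one was `oom_adj`), so `oom_adj_score` looks like a typo. There is no narrower type to target in this policy, so the rule itself is probably the best available, but the comment should state the real scope, e.g. `# Write to /proc/pid/oom_score_adj for apps (note: grants write on every appdomain-labeled file under /proc/pid).`. Dropping `rw_file_perms` on `appdomain:{ file lnk_file }` in favour of r_dir_file plus a bare `write` also removes append/ioctl/lock and lnk_file write for app /proc entries; that matches the commit's intent but is a behavioural reduction worth a sentence in the commit message.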
@@ -119,11 +121,10 @@ binder_call(system_server, appdomain)
 binder_call(system_server, dumpstate)
 binder_service(system_server)
 
-# Read /proc/pid files for Binder clients.
-r_dir_file(system_server, appdomain)
+# Read /proc/pid files for dumping stack traces of native processes.
 r_dir_file(system_server, mediaserver)
-allow system_server appdomain:process getattr;
-allow system_server mediaserver:process getattr;
+r_dir_file(system_server, sdcardd)
+r_dir_file(system_server, surfaceflinger)
 
 # Use sockets received over binder from various services.
 allow system_server mediaserver:tcp_socket rw_socket_perms;
@@ -210,11 +211,6 @@ allow system_server cache_file:file { relabelfrom create_file_perms };
 # Run system programs, e.g. dexopt.
 allow system_server system_file:file x_file_perms;
 
-# Allow reading of /proc/pid data for other domains.
-# XXX dontaudit candidate
-allow system_server domain:dir r_dir_perms;
-allow system_server domain:file r_file_perms;
-
 # LocationManager(e.g, GPS) needs to read and write
 # to uart driver and ctrl proc entry
 allow system_server gps_device:chr_file rw_file_perms;
-- 
GitLab
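Review bot: Removing `allow system_server appdomain:process getattr;` and the mediaserver equivalent is not a pure deduplication: as I read the SELinux hooks, `process getattr` gates reading another task's /proc/pid/attr/* entries (e.g. attr/current), which `r_dir_file` does not cover, and no rule left in this diff grants it. If some system_server path reads an app's security context through /proc/pid/attr/current, this hunk will start producing denials; if dropping that access is intended, the commit message should say so rather than describing the change as deduplication. The new per-domain list also mirrors `com.android.server.Watchdog.NATIVE_STACKS_OF_INTEREST` by hand, and with the blanket `domain` read rule removed in the last hunk a process added to that Java list without a matching `r_dir_file` line will be denied; a comment such as `# Keep in sync with com.android.server.Watchdog.NATIVE_STACKS_OF_INTEREST.` above `r_dir_file(system_server, mediaserver)` would make that coupling visible in the policy itself.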