From c4ef36300629f2a7f72fc7d7177af464a164ad09 Mon Sep 17 00:00:00 2001
From: Tri Vo <trong@google.com>
Date: Mon, 13 Nov 2017 09:50:03 -0800
Subject: [PATCH] shell: neverallow access to 'proc' label.

Added access to proc_uptime and proc_asound to address these denials:

avc: denied { read } for name="uptime" dev="proc" ino=4026532080
scontext=u:r:shell:s0 tcontext=u:object_r:proc_uptime:s0 tclass=file
permissive=1

avc: denied { getattr } for path="/proc/asound/version" dev="proc"
ino=4026532017 scontext=u:r:shell:s0 tcontext=u:object_r:proc_asound:s0
tclass=file permissive=1

Bug: 65643247
Test: device boots with no denial from 'shell' domain.
Test: lsmod, ps, top, netstat
Test: No denials triggered from CtsSecurityHostTestCases
Test: external/toybox/run-tests-on-android.sh does not pass, but triggers
no denials from 'shell' domain to 'proc' type.

Change-Id: Ia4c26fd616e33e5962c6707a855dc24e338ec153
---
 private/domain.te |  1 -
 public/shell.te   | 23 ++++++++++++++---------
 2 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/private/domain.te b/private/domain.te
index 66fb64024..ec3421399 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -27,7 +27,6 @@ full_treble_only(`
     -dumpstate
     -platform_app
     -priv_app
-    -shell
     -system_app
     -vold
     -vendor_init
diff --git a/public/shell.te b/public/shell.te
index 3ef14866c..cac84d42b 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -107,16 +107,21 @@ hwbinder_use(shell)
 allow shell hwservicemanager:hwservice_manager list;
 
 # allow shell to look through /proc/ for lsmod, ps, top, netstat.
-r_dir_file(shell, proc)
 r_dir_file(shell, proc_net)
-allow shell proc_filesystems:file r_file_perms;
-allow shell proc_interrupts:file r_file_perms;
-allow shell proc_meminfo:file r_file_perms;
-allow shell proc_modules:file r_file_perms;
-allow shell proc_stat:file r_file_perms;
-allow shell proc_timer:file r_file_perms;
-allow shell proc_version:file r_file_perms;
-allow shell proc_zoneinfo:file r_file_perms;
+
+allow shell {
+  proc_asound
+  proc_filesystems
+  proc_interrupts
+  proc_meminfo
+  proc_modules
+  proc_stat
+  proc_timer
+  proc_uptime
+  proc_version
+  proc_zoneinfo
+}:file r_file_perms;
+
 r_dir_file(shell, cgroup)
 allow shell domain:dir { search open read getattr };
 allow shell domain:{ file lnk_file } { open read getattr };
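Review bot: The new `allow shell { ... }:file r_file_perms;` list grants file permissions only, whereas the removed `r_dir_file(shell, proc)` also covered directories and symlinks. The quoted denial shows /proc/asound/version labelled `proc_asound`; if the /proc/asound directory carries the same type (not visible here), `shell` would still need `dir` search on it, so this is worth confirming on an enforcing build, since the logged denials are from `permissive=1`. The existing comment about lsmod, ps, top and netstat now describes only `r_dir_file(shell, proc_net)`, so I would add one above the list, such as `# Explicit allowlist of /proc types readable by shell; add new types here rather than granting the generic 'proc' label.` The `-shell` exemption dropped in private/domain.te sits under `full_treble_only(` according to its hunk header, so the compile-time guard presumably applies only to full-Treble builds; the rule itself lies outside the hunk.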
-- 
GitLab