init: restrict setattr perms to /proc.

Bug: 65643247 Test: device boots without denials from init to proc_* Change-Id: I44729e791366cdedec27603558b2e929fa414168

init: restrict setattr perms to /proc.
d0fe17ca · Tri Vo · 80966397 · d0fe17ca
Commit d0fe17ca authored Mar 29, 2018 by Tri Vo
--- a/public/init.te
+++ b/public/init.te
@@ -227,7 +227,7 @@ allow init debugfs_wifi_tracing:file w_file_perms;
 allow init {
  fs_type
  -contextmount_type
-  -proc
+  -proc_type
  -sdcard_type
  -sysfs_type
  -rootfs
@@ -311,6 +311,17 @@ allow init {
  proc_security
 }:file rw_file_perms;

+# init chmod/chown access to /proc files.
+allow init {
+  proc_cmdline
+  proc_kmsg
+  proc_net
+  proc_qtaguid_stat
+  proc_sysrq
+  proc_qtaguid_ctrl
+  proc_vmallocinfo
+}:file setattr;
+
 # init access to /sys files.
 allow init {
  sysfs_android_usb