Merge "shell: neverallow access to 'proc' label." am: 6faa3a1a am: 51251212

am: feabf294 Change-Id: Id66b3cd36f5b7306de3684714b22a4ff51842e6f

Merge "shell: neverallow access to 'proc' label." am: 6faa3a1a am: 51251212
d7679834 · Tri Vo · android-build-merger · 1262e5fa · feabf294 · d7679834
Commit d7679834 authored 7 years ago by Tri Vo Committed by android-build-merger 7 years ago
--- a/private/domain.te
+++ b/private/domain.te
@@ -27,7 +27,6 @@ full_treble_only(`
    -dumpstate
    -platform_app
    -priv_app
-    -shell
    -system_app
    -vold
    -vendor_init

--- a/public/shell.te
+++ b/public/shell.te
@@ -107,16 +107,21 @@ hwbinder_use(shell)
 allow shell hwservicemanager:hwservice_manager list;
 # allow shell to look through /proc/ for lsmod, ps, top, netstat.
-r_dir_file(shell, proc)
 r_dir_file(shell, proc_net)
-allow shell proc_filesystems:file r_file_perms;
-allow shell proc_interrupts:file r_file_perms;
+allow shell {
-allow shell proc_meminfo:file r_file_perms;
+  proc_asound
-allow shell proc_modules:file r_file_perms;
+  proc_filesystems
-allow shell proc_stat:file r_file_perms;
+  proc_interrupts
-allow shell proc_timer:file r_file_perms;
+  proc_meminfo
-allow shell proc_version:file r_file_perms;
+  proc_modules
-allow shell proc_zoneinfo:file r_file_perms;
+  proc_stat
+  proc_timer
+  proc_uptime
+  proc_version
+  proc_zoneinfo
+}:file r_file_perms;
 r_dir_file(shell, cgroup)
 allow shell domain:dir { search open read getattr };
 allow shell domain:{ file lnk_file } { open read getattr };