From e7f4934d064b0c16b5968982b646c3c28d3c7b80 Mon Sep 17 00:00:00 2001
From: Tri Vo <trong@google.com>
Date: Tue, 14 Nov 2017 16:32:36 -0800
Subject: [PATCH] system_server: access to /proc/sys/fs/pipe-max-size

Label /proc/sys/fs/pipe-max-size with new type proc_pipe_conf and give
system_server access to it.

Addresses this denial:
avc: denied { read } for name="pipe-max-size" dev="proc" ino=93817
scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file
permissive=0

Bug: 69175449
Bug: 69324398
Test: sailfish boots
Test: adb bugreport
Test: craft an unresponsive app, trigger ANR, make sure traces are dumped
into /data/anr
Above denial from system_server not observed, no denials to proc_pipe_conf
observed.
Change-Id: I7c71f05820a4945ba982e29f76e9d9f4458b2b59
---
 private/compat/26.0/26.0.cil |  1 +
 private/genfs_contexts       |  1 +
 private/system_server.te     | 26 ++++++++++++--------------
 public/dumpstate.te          | 15 +++++++++------
 public/file.te               |  1 +
 5 files changed, 24 insertions(+), 20 deletions(-)

diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index a1e6b5fde..e58fa4ed8 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -467,6 +467,7 @@
     proc_page_cluster
     proc_pagetypeinfo
     proc_panic
+    proc_pipe_conf
     proc_random
     proc_sched
     proc_swaps
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 9c08934d5..4f3a96ca6 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -24,6 +24,7 @@ genfscon proc /stat u:object_r:proc_stat:s0
 genfscon proc /swaps u:object_r:proc_swaps:s0
 genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
 genfscon proc /sys/abi/swp u:object_r:proc_abi:s0
+genfscon proc /sys/fs/pipe-max-size u:object_r:proc_pipe_conf:s0
 genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
 genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
 genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
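Review bot: Moving `/proc/sys/fs/pipe-max-size` off the generic `proc` label removes access for any platform domain that reached it through a `proc:file` rule, and this patch grants the new `proc_pipe_conf` type only to system_server and dumpstate. The listed tests (boot, bugreport, ANR trace dump) may not exercise every other reader, so check the tree for other users of this path before landing. Vendor policy appears to be covered by the 26.0 compat mapping entry added in this patch, but platform domains are not.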
diff --git a/private/system_server.te b/private/system_server.te
index 93c6a57ee..d2a0c5e28 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -124,24 +124,15 @@ r_dir_file(system_server, domain)
 allow system_server qtaguid_proc:file rw_file_perms;
 allow system_server qtaguid_device:chr_file rw_file_perms;
 
-# Read /proc/uid_cputime/show_uid_stat.
-allow system_server proc_uid_cputime_showstat:file r_file_perms;
-
 # Write /proc/uid_cputime/remove_uid_range.
 allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
 
 # Write /proc/uid_procstat/set.
 allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
 
-# Read /proc/uid_time_in_state.
-allow system_server proc_uid_time_in_state:file r_file_perms;
-
 # Write to /proc/sysrq-trigger.
 allow system_server proc_sysrq:file rw_file_perms;
 
-# Read /proc/stat for CPU usage statistics
-allow system_server proc_stat:file r_file_perms;
-
 # Read /sys/kernel/debug/wakeup_sources.
 allow system_server debugfs:file r_file_perms;
 
@@ -690,12 +681,19 @@ r_dir_file(system_server, cgroup)
 allow system_server ion_device:chr_file r_file_perms;
 
 r_dir_file(system_server, proc_asound)
-r_dir_file(system_server, proc_loadavg)
-r_dir_file(system_server, proc_meminfo)
 r_dir_file(system_server, proc_net)
-r_dir_file(system_server, proc_pagetypeinfo)
-r_dir_file(system_server, proc_version)
-r_dir_file(system_server, proc_vmallocinfo)
+allow system_server {
+  proc_loadavg
+  proc_meminfo
+  proc_pagetypeinfo
+  proc_pipe_conf
+  proc_stat
+  proc_uid_cputime_showstat
+  proc_uid_time_in_state
+  proc_version
+  proc_vmallocinfo
+}:file r_file_perms;
+
 r_dir_file(system_server, rootfs)
 
 ### Rules needed when Light HAL runs inside system_server process.
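Review bot: Replacing `r_dir_file(system_server, proc_loadavg)` and its four siblings with a `:file`-only allow also drops the dir and lnk_file permissions that the macro grants, which the commit message does not mention. This looks like a sensible least-privilege tightening if these labels only ever cover single files, but it should be stated and confirmed. The merged block also loses the per-rule comments deleted in the earlier system_server.te hunk, for example `# Read /proc/stat for CPU usage statistics`. A header such as `# Read-only access to individual /proc files.` above `allow system_server {` would keep the intent visible.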
diff --git a/public/dumpstate.te b/public/dumpstate.te
index f8ef840c8..772b63d76 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -151,12 +151,15 @@ control_logd(dumpstate)
 read_runtime_log_tags(dumpstate)
 
 # Read files in /proc
-allow dumpstate proc_cmdline:file r_file_perms;
-allow dumpstate proc_meminfo:file r_file_perms;
-allow dumpstate proc_net:file r_file_perms;
-allow dumpstate proc_pagetypeinfo:file r_file_perms;
-allow dumpstate proc_version:file r_file_perms;
-allow dumpstate proc_vmallocinfo:file r_file_perms;
+allow dumpstate {
+  proc_cmdline
+  proc_meminfo
+  proc_net
+  proc_pipe_conf
+  proc_pagetypeinfo
+  proc_version
+  proc_vmallocinfo
+}:file r_file_perms;
 r_dir_file(dumpstate, proc)
 
 # Read network state info files.
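Review bot: In the new `allow dumpstate { ... }:file r_file_perms;` set, `proc_pipe_conf` is listed before `proc_pagetypeinfo`, which breaks the alphabetical order used by the rest of the set and by the matching block in private/system_server.te. Swap the two entries so the set reads `proc_pagetypeinfo` then `proc_pipe_conf`. Keeping these sets sorted makes it easier to audit which /proc types a domain can read.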
diff --git a/public/file.te b/public/file.te
index 5353a3dec..29bf9be3e 100644
--- a/public/file.te
+++ b/public/file.te
@@ -38,6 +38,7 @@ type proc_page_cluster, fs_type;
 type proc_pagetypeinfo, fs_type;
 type proc_panic, fs_type;
 type proc_perf, fs_type;
+type proc_pipe_conf, fs_type;
 type proc_random, fs_type;
 type proc_sched, fs_type;
 type proc_stat, fs_type;
-- 
GitLab