From f170dfb789c78dcbbbee3e9493499e8fb7b37c99 Mon Sep 17 00:00:00 2001
From: Tri Vo <trong@google.com>
Date: Sat, 17 Mar 2018 13:05:37 -0700
Subject: [PATCH] silence innocuous denials to /proc and /sys

Bug: 74182216
Test: build policy
Change-Id: Idf90c1a96943266d52508ce72b8554d8b5c594c9
(cherry picked from commit 09b1d962eff9e17d05998fa19158c2bb6fe99a01)
---
 public/domain.te | 11 +++++++++++
 public/file.te | 4 ++--
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/public/domain.te b/public/domain.te
index c46d6fa87..95639c6f9 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1319,3 +1319,14 @@ neverallow {
   -zygote
 } self:capability dac_override;
 neverallow domain self:capability dac_read_search;
+
+# If an already existing file is opened with O_CREATE, the kernel might generate
+# a false report of a create denial. Silence these denials and make sure that
+# inappropriate permissions are not granted.
+neverallow domain {
+  proc_type
+  sysfs_type
+}:dir { add_name create link remove_name rename reparent rmdir write };
+
+dontaudit domain proc_type:dir write;
+dontaudit domain sysfs_type:dir write;
diff --git a/public/file.te b/public/file.te
index c0ea4d867..156fce141 100644
--- a/public/file.te
+++ b/public/file.te
@@ -83,10 +83,10 @@ type sysfs_net, fs_type, sysfs_type;
 type sysfs_power, fs_type, sysfs_type;
 type sysfs_rtc, fs_type, sysfs_type;
 type sysfs_switch, fs_type, sysfs_type;
-type sysfs_usb, sysfs_type, file_type, mlstrustedobject;
+type sysfs_usb, fs_type, sysfs_type;
 type sysfs_wakeup_reasons, fs_type, sysfs_type;
 type sysfs_fs_ext4_features, sysfs_type, fs_type;
-type fs_bpf, fs_type, sysfs_type;
+type fs_bpf, fs_type;
 type configfs, fs_type;
 # /sys/devices/system/cpu
 type sysfs_devices_system_cpu, fs_type, sysfs_type;
--
GitLab
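Review bot: The new `dontaudit domain proc_type:dir write;` and `dontaudit domain sysfs_type:dir write;` silence genuine directory-write attempts from every domain, including untrusted ones, not only the O_CREAT false positives the comment describes, so real attempts to modify /proc or /sys directories will no longer appear in the audit log. The `neverallow` immediately above makes that loss of visibility acceptable, since no policy can ever grant those permissions, but the comment should state that trade-off explicitly, e.g. `# The neverallow above guarantees these permissions can never be granted, so the dontaudit below only hides log noise, never a real grant.` As I read the VFS open path the permission the kernel checks on the parent before discovering the file already exists is `dir write`, so the comment's `create denial` would be clearer as `dir write denial`, which also explains why only `write` (and not `add_name`/`create`, which still audit a real create attempt) is silenced. The `neverallow { -zygote } ... dac_override` block at the top of the hunk starts outside it.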
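Review bot: `fs_bpf` loses `sysfs_type` here, so every rule keyed on `sysfs_type`, including the `dontaudit domain sysfs_type:dir write;` this same patch adds to domain.te, stops applying to it; that is a behavioural change the subject line ("silence innocuous denials") does not announce. Likewise `sysfs_usb` drops `file_type` and `mlstrustedobject` while gaining `fs_type`, which moves it from the `file_type` rule set into the `fs_type` rule set and, if MLS constraints are enforced on these objects, may change which MLS levels can reach it; `Test: build policy` does not exercise either effect at runtime. If both changes are intended (the bpf filesystem being a separate filesystem rather than part of sysfs, and the usb type having been mis-declared), a short comment on each line would spare the next reader the archaeology, e.g. `type fs_bpf, fs_type; # separate filesystem, not sysfs: must not inherit sysfs_type rules`.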