From f92cfb9e4f5fe5a967bca4f710a4723e67e8123c Mon Sep 17 00:00:00 2001
From: Tri Vo <trong@google.com>
Date: Fri, 8 Dec 2017 15:37:01 -0800
Subject: [PATCH] priv_app: remove access to 'proc' and 'sysfs' types.

Bug: 65643247
Test: walleye boots with no denials from priv_app.

Change-Id: I9a7faf1253bdd79d780c2398c740109e2d84bc63
---
 private/domain.te   |  2 --
 private/priv_app.te | 15 ++++++++++++---
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/private/domain.te b/private/domain.te
index f66185d75..8a410975b 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -25,7 +25,6 @@ full_treble_only(`
   neverallow {
     coredomain
     -dumpstate
-    -priv_app
     -vold
     -vendor_init
   } proc:file no_rw_file_perms;
@@ -35,7 +34,6 @@ full_treble_only(`
     coredomain
     -dumpstate
     -init
-    -priv_app
     -ueventd
     -vold
     -vendor_init
diff --git a/private/priv_app.te b/private/priv_app.te
index e3eec831d..dcf757271 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -77,9 +77,17 @@ userdebug_or_eng(`
 allow priv_app vold:fd use;
 allow priv_app fuse_device:chr_file { read write };
 
-# /sys and /proc access
-r_dir_file(priv_app, sysfs_type)
-r_dir_file(priv_app, proc)
+# /proc access
+allow priv_app {
+  proc_vmstat
+}:file r_file_perms;
+
+allow priv_app sysfs_type:dir search;
+# Read access to /sys/class/net/wlan*/address
+r_dir_file(priv_app, sysfs_net)
+# Read access to /sys/block/zram*/mm_stat
+r_dir_file(priv_app, sysfs_zram)
+
 r_dir_file(priv_app, rootfs)
 
 # Allow GMS core to open kernel config for OTA matching through libvintf
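Review bot: The comments on the two new sysfs rules are narrower than the grants: `r_dir_file(priv_app, sysfs_net)` allows reading every file labeled sysfs_net, not only `/sys/class/net/wlan*/address`, and likewise `sysfs_zram` covers more than `mm_stat`. Since this commit exists to narrow /sys and /proc exposure, the comments should state the type-wide scope so a later reader does not assume only those paths are reachable, e.g. `# Read files labeled sysfs_net (used for /sys/class/net/wlan*/address)` and `# Read files labeled sysfs_zram (used for /sys/block/zram*/mm_stat)`. The `allow priv_app sysfs_type:dir search;` line also deserves a comment because it grants traversal across every sysfs directory, which is presumably needed for path resolution but is far broader than the two file types; `# Traversal only; readable files are limited to the sysfs_* types below` would make that intent explicit. Whether reaching /proc/vmstat additionally relies on a proc directory search grant from elsewhere (e.g. domain.te) cannot be determined from this hunk.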
@@ -129,6 +137,7 @@ unix_socket_connect(priv_app, traced_producer, traced)
 # suppress denials for non-API accesses.
 dontaudit priv_app exec_type:file getattr;
 dontaudit priv_app device:dir read;
+dontaudit priv_app proc:file read;
 dontaudit priv_app proc_interrupts:file read;
 dontaudit priv_app proc_modules:file read;
 dontaudit priv_app proc_version:file read;
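Review bot: The new `dontaudit priv_app proc:file read;` hides denials for every file still carrying the generic proc label, which removes exactly the audit signal that shows which remaining /proc reads priv_apps attempt — the signal this commit itself used to carve out proc_vmstat. Because the domain.te hunk in this patch removes priv_app from the neverallow exception, an allow on proc:file can no longer be added, so dontaudit is the only tool left; a comment saying so would keep a future maintainer from reaching for a broader rule, e.g. `# Generic 'proc' reads are neverallow'd for priv_app (domain.te); new needs must get a dedicated proc_* type`. The dontaudit list this line joins starts at the comment on L61 and may continue past the end of the hunk.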
-- 
GitLab