author | Nick Kralevich <nnk@google.com> | 2015-12-22 16:41:27 -0800 |
---|---|---|
committer | Nick Kralevich <nnk@google.com> | 2015-12-22 16:48:47 -0800 |
commit | f8f937a16fdbb0b9a956f0d1b1c7cf9d7651bf73 (patch) | |
tree | fa54a324bdff7037f3d2e4cbcbde88b7b3c3ccb8 | |
parent | 9c5b4a8a443abfd72db79a74c1dbe990bfcb0210 (diff) | |
undeprecate /proc/cpuinfo, more shell permissions
Access to /proc/cpuinfo was moved to domain_deprecated in commit
6e3506e1ba83fb47297c8908016397c8f17840c4. Restore access to everyone.
Allow the shell user to stat() /dev, and statvfs() /proc and other
labeled filesystems such as /system and /data.
Access to /proc/cpuinfo was explicitly granted to bootanim, but is no
longer required after moving it back to domain.te. Delete the redundant
entry.
Commit 4e2d22451f9645f7ab39b94b1ec0f0f5a5c5b2e9 restored access to
/sys/devices/system/cpu for all domains, but forgot to remove the
redundant entry from bootanim.te. Cleanup the redundant entry.
Addresses the following denials:
avc: denied { getattr } for pid=23648 comm="bionic-unit-tes" name="/" dev="proc" ino=1 scontext=u:r:shell:s0 tcontext=u:object_r:proc:s0 tclass=filesystem permissive=0
avc: denied { read } for name="cpuinfo" dev="proc" ino=4026533615 scontext=u:r:shell:s0 tcontext=u:object_r:proc_cpuinfo:s0 tclass=file permissive=0
avc: denied { getattr } for pid=23713 comm="bionic-unit-tes" path="/dev" dev="tmpfs" ino=11405 scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=dir permissive=0
avc: denied { getattr } for name="/" dev="mmcblk0p30" ino=2 scontext=u:r:shell:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0
Bug: 26295417
Change-Id: Ia85ac91cbd43235c0f8fe0aebafffb8046cc77ec
-rw-r--r-- | bootanim.te | 2 | ||||
-rw-r--r-- | domain.te | 3 | ||||
-rw-r--r-- | domain_deprecated.te | 1 | ||||
-rw-r--r-- | shell.te | 7 |
4 files changed, 10 insertions, 3 deletions
diff --git a/bootanim.te b/bootanim.te
index 159fd9e..550c6dc 100644
--- a/bootanim.te
+++ b/bootanim.te
@@ -28,9 +28,7 @@ allow bootanim ion_device:chr_file rw_file_perms;
 # Read access to pseudo filesystems.
 r_dir_file(bootanim, proc)
 r_dir_file(bootanim, sysfs)
-r_dir_file(bootanim, sysfs_devices_system_cpu)
 r_dir_file(bootanim, cgroup)
-allow bootanim proc_cpuinfo:file r_file_perms;
 # System file accesses.
 allow bootanim system_file:dir r_dir_perms;
@@ -109,6 +109,9 @@ allow domain system_data_file:lnk_file read;
 # required by the dynamic linker
 allow domain proc:lnk_file read;
+# /proc/cpuinfo
+allow domain proc_cpuinfo:file r_file_perms;
+
 # toybox loads libselinux which stats /sys/fs/selinux/
 allow domain selinuxfs:file getattr;
 allow domain sysfs:dir search;
diff --git a/domain_deprecated.te b/domain_deprecated.te
index cd1a08c..7be9a3e 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -66,7 +66,6 @@ r_dir_file(domain_deprecated, sysfs)
 r_dir_file(domain_deprecated, inotify)
 r_dir_file(domain_deprecated, cgroup)
 r_dir_file(domain_deprecated, proc_net)
-allow domain_deprecated proc_cpuinfo:file r_file_perms;
 # Get SELinux enforcing status.
 allow domain_deprecated selinuxfs:dir r_dir_perms;
@@ -96,6 +96,13 @@ r_dir_file(shell, cgroup)
 allow shell domain:dir { search open read getattr };
 allow shell domain:{ file lnk_file } { open read getattr };
+# statvfs() of /proc and other labeled filesystems
+# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs)
+allow shell { proc labeledfs }:filesystem getattr;
+
+# stat() of /dev
+allow shell device:dir getattr;
+
 # allow shell to read /proc/pid/attr/current for ps -Z
 allow shell domain:process getattr; |
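Review bot: The `# /proc/cpuinfo` comment added above the new domain-wide rule in domain.te records neither why every domain, untrusted apps included, needs read access nor what the file exposes; the commit message only says the grant is being restored after the domain_deprecated move. On some ARM kernels /proc/cpuinfo carries a Serial line, so this is potentially hardware-identifying data handed to every process, and the existence of a dedicated proc_cpuinfo type could later be misread as evidence that access is restricted. I would expand the comment to `# /proc/cpuinfo is readable by every domain (bionic unit tests among others hit it, b/26295417); the separate proc_cpuinfo type is kept only so this can be narrowed later.` Whether the target kernels still emit a Serial line is not visible here and should be confirmed before deciding if the rule deserves a neverallow follow-up.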
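Review bot: The comment above `allow shell { proc labeledfs }:filesystem getattr;` in shell.te hard-codes the list of filesystem types behind labeledfs (yaffs2 through squashfs), which presumably mirrors the fs_use_xattr entries kept elsewhere in the policy and will silently go stale when that list changes. I would replace the two comment lines with a pointer to the source of truth: `# statvfs() of /proc and of any xattr-labeled filesystem (labeledfs, see fs_use)`. As far as I can tell the filesystem-class getattr permission only backs statfs()-style queries (size, type, fsid), so the grant itself looks proportionate to the bionic-unit-tests denials quoted in the message. The shell.te file header and the rest of the shell rules are outside this hunk.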