From 06d7dca4a1abb9c2d197c2398969704ddaf39dc5 Mon Sep 17 00:00:00 2001
From: Tri Vo
Date: Wed, 10 Jan 2018 12:51:51 -0800
Subject: [PATCH] Remove proc and sysfs access from system_app and platform_app.
Bug: 65643247
Test: manual
Test: browse internet
Test: take a picture
Change-Id: I9faff44b7a025c7422404d777113e40842ea26dd
---
 private/compat/26.0/26.0.cil | 3 ++-
 private/domain.te | 3 ---
 private/genfs_contexts | 1 +
 private/platform_app.te | 4 +++-
 private/system_app.te | 6 +-----
 public/file.te | 1 +
 6 files changed, 8 insertions(+), 10 deletions(-)
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 78e7b74f1..a587b4df5 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -476,7 +476,8 @@
 proc_uid_concurrent_policy_time
 proc_uptime
 proc_version
- proc_vmallocinfo))
+ proc_vmallocinfo
+ proc_vmstat))
 (typeattributeset proc_bluetooth_writable_26_0 (proc_bluetooth_writable))
 (typeattributeset proc_cpuinfo_26_0 (proc_cpuinfo))
 (typeattributeset proc_drop_caches_26_0 (proc_drop_caches))
diff --git a/private/domain.te b/private/domain.te
index 6fef27975..f66185d75 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -25,9 +25,7 @@ full_treble_only(`
 neverallow {
 coredomain
 -dumpstate
- -platform_app
 -priv_app
- -system_app
 -vold
 -vendor_init
 } proc:file no_rw_file_perms;
@@ -38,7 +36,6 @@ full_treble_only(`
 -dumpstate
 -init
 -priv_app
- -system_app
 -ueventd
 -vold
 -vendor_init
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 6be0ff32b..1fddb6eb5 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
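Review bot: The neverallow at private/domain.te line 25 now applies to platform_app and system_app, but nothing at the statement explains why the generic `proc` label is off-limits for core domains, so the next engineer whose change trips it has to reconstruct the intent from history; add above `neverallow {` a line such as `# coredomain must read /proc through a specific proc_<file> type (public/file.te), never the generic proc label`. The second hunk at line 38 tightens an exception list in the same way, and its neverallow head lies outside the hunk. In both visible lists `-priv_app` remains exempt; the commit message does not say whether that is intended to stay, so a short comment there would save a follow-up question.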
@@ -79,6 +79,7 @@ genfscon proc /uid_concurrent_policy_time u:object_r:proc_uid_concurrent_policy_
 genfscon proc /uptime u:object_r:proc_uptime:s0
 genfscon proc /version u:object_r:proc_version:s0
 genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
+genfscon proc /vmstat u:object_r:proc_vmstat:s0
 genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
 
 # selinuxfs booleans can be individually labeled.
diff --git a/private/platform_app.te b/private/platform_app.te
index 2596a8e16..67a9c3317 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -41,7 +41,9 @@ allow platform_app vfat:file create_file_perms;
 allow platform_app rootfs:dir getattr;
 
 # com.android.captiveportallogin reads /proc/vmstat
-allow platform_app proc:file r_file_perms;
+allow platform_app {
+ proc_vmstat
+}:file r_file_perms;
 
 allow platform_app audioserver_service:service_manager find;
 allow platform_app cameraserver_service:service_manager find;
diff --git a/private/system_app.te b/private/system_app.te
index c61bdd92a..cd697a170 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -102,12 +102,8 @@ allow system_app keystore:keystore_key {
 user_changed
 };
 
-# /sys access
-r_dir_file(system_app, sysfs_type)
-
-# settings app reads /proc/version and /proc/pagetypeinfo
+# settings app reads /proc/version
 allow system_app {
- proc
 proc_version
 }:file r_file_perms;
diff --git a/public/file.te b/public/file.te
index 56b6c2fe5..d6687460c 100644
--- a/public/file.te
+++ b/public/file.te
@@ -57,6 +57,7 @@ type proc_uid_concurrent_policy_time, fs_type;
 type proc_uptime, fs_type;
 type proc_version, fs_type;
 type proc_vmallocinfo, fs_type;
+type proc_vmstat, fs_type;
 type proc_zoneinfo, fs_type;
 type selinuxfs, fs_type, mlstrustedobject;
 type cgroup, fs_type, mlstrustedobject;
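Review bot: The rewritten rule in private/platform_app.te wraps a single type in a set, `allow platform_app { proc_vmstat }:file r_file_perms;`, which reads as though more members were intended; either collapse it to `allow platform_app proc_vmstat:file r_file_perms;` or keep the set form and say in the comment that further proc_* types are expected to land here. Dropping the generic `proc` read also withdraws access to every other /proc node that label covered, and the neverallow in private/domain.te now rejects re-adding the generic label, so any other /proc reader in platform_app would presumably surface as a runtime denial rather than a build error. The commit's Test: lines do not mention exercising captive-portal login, the one consumer the comment names for /proc/vmstat.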
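Review bot: The new comment in private/system_app.te drops the mention of /proc/pagetypeinfo and removes the `# /sys access` block without recording that those reads were withdrawn on purpose, so an engineer who later sees a denial for either is likely to re-add the blanket rule. Suggest `# settings app reads /proc/version; /proc/pagetypeinfo and blanket sysfs_type reads were removed on purpose (Bug: 65643247)`. Removing `r_dir_file(system_app, sysfs_type)` is a real narrowing since sysfs_type is an attribute rather than one type, so any sysfs node the settings app still needs should be re-granted by its specific type, not the attribute. The hunk's line counts imply one trailing context line that is not shown here.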