Merge "fine-grained policy for access to /proc/zoneinfo"

dumpstate.te

@@ -144,3 +144,4 @@ allow dumpstate debugfs_trace_marker:file getattr;
 allow dumpstate atrace_exec:file rx_file_perms;
 
 allow dumpstate proc_interrupts:file r_file_perms;
+allow dumpstate proc_zoneinfo:file r_file_perms;

file.te

@@ -22,6 +22,7 @@ type proc_sysrq, fs_type;
 type proc_timer, fs_type;
 type proc_uid_cputime_showstat, fs_type;
 type proc_uid_cputime_removeuid, fs_type;
+type proc_zoneinfo, fs_type;
 type selinuxfs, fs_type, mlstrustedobject;
 type cgroup, fs_type, mlstrustedobject;
 type sysfs, fs_type, sysfs_type, mlstrustedobject;

genfs_contexts

@@ -31,6 +31,7 @@ genfscon proc /timer_list u:object_r:proc_timer:s0
 genfscon proc /timer_stats u:object_r:proc_timer:s0
 genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
 genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
+genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
 
 # selinuxfs booleans can be individually labeled.
 genfscon selinuxfs / u:object_r:selinuxfs:s0

lmkd.te

@@ -32,6 +32,8 @@ allow lmkd cgroup:dir { remove_name rmdir };
 # Set self to SCHED_FIFO
 allow lmkd self:capability sys_nice;
 
+allow lmkd proc_zoneinfo:file r_file_perms;
+
 ### neverallow rules
 
 # never honor LD_PRELOAD

shell.te

@@ -93,6 +93,7 @@ allow shell proc_interrupts:file r_file_perms;
 allow shell proc_meminfo:file r_file_perms;
 allow shell proc_stat:file r_file_perms;
 allow shell proc_timer:file r_file_perms;
+allow shell proc_zoneinfo:file r_file_perms;
 r_dir_file(shell, cgroup)
 allow shell domain:dir { search open read getattr };
 allow shell domain:{ file lnk_file } { open read getattr };