From 840d4f3bf3a3bf15a65b57210eca9d3a267ba99f Mon Sep 17 00:00:00 2001
From: Devin Moore
Date: Wed, 17 Feb 2021 09:30:52 -0800
Subject: [PATCH] Add sepolicy for /proc/bootconfig

Vendor boot hal, init, and vold processes all require permission.

Test: build and boot aosp_cf_x86_64_phone
Bug: 173815685
Change-Id: I15692dcd39dfc9c3a3b7d8c12d03eff0a7c96f72
---
 private/compat/30.0/30.0.cil | 4 +++-
 private/genfs_contexts | 1 +
 public/file.te | 1 +
 public/hal_bootctl.te | 1 +
 public/init.te | 2 ++
 public/vold.te | 1 +
 6 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 3830fc085..9dff2c6a6 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -1809,7 +1809,9 @@
 (typeattributeset print_service_30_0 (print_service))
 (typeattributeset priv_app_30_0 (priv_app))
 (typeattributeset privapp_data_file_30_0 (privapp_data_file))
-(typeattributeset proc_30_0 (proc))
+(typeattributeset proc_30_0
+ ( proc
+ proc_bootconfig))
 (typeattributeset proc_abi_30_0 (proc_abi))
 (typeattributeset proc_asound_30_0 (proc_asound))
 (typeattributeset proc_bluetooth_writable_30_0 (proc_bluetooth_writable))
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 92020e1c9..21a1ae9f8 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -3,6 +3,7 @@ genfscon rootfs / u:object_r:rootfs:s0
 # proc labeling can be further refined (longest matching prefix).
 genfscon proc / u:object_r:proc:s0
 genfscon proc /asound u:object_r:proc_asound:s0
+genfscon proc /bootconfig u:object_r:proc_bootconfig:s0
 genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0
 genfscon proc /cmdline u:object_r:proc_cmdline:s0
 genfscon proc /config.gz u:object_r:config_gz:s0
diff --git a/public/file.te b/public/file.te
index 8426ad6c4..4e17f12fc 100644
--- a/public/file.te
+++ b/public/file.te
@@ -21,6 +21,7 @@ type proc_qtaguid_stat, fs_type, mlstrustedobject, proc_type;
 type proc_bluetooth_writable, fs_type, proc_type;
 type proc_abi, fs_type, proc_type;
 type proc_asound, fs_type, proc_type;
+type proc_bootconfig, fs_type, proc_type;
 type proc_buddyinfo, fs_type, proc_type;
 type proc_cmdline, fs_type, proc_type;
 type proc_cpuinfo, fs_type, proc_type;
diff --git a/public/hal_bootctl.te b/public/hal_bootctl.te
index be9975f89..a1f3d7fe4 100644
--- a/public/hal_bootctl.te
+++ b/public/hal_bootctl.te
@@ -3,3 +3,4 @@ binder_call(hal_bootctl_client, hal_bootctl_server)
 binder_call(hal_bootctl_server, hal_bootctl_client)
 hal_attribute_hwservice(hal_bootctl, hal_bootctl_hwservice)
+allow hal_bootctl_server proc_bootconfig:file r_file_perms;
diff --git a/public/init.te b/public/init.te
index fdb169498..1287ca3e3 100644
--- a/public/init.te
+++ b/public/init.te
@@ -350,6 +350,7 @@ userdebug_or_eng(`
 allow init {
 proc # b/67049235 processes /proc//* files are mislabeled.
+ proc_bootconfig
 proc_cmdline
 proc_diskstats
 proc_kmsg # Open /proc/kmsg for logd service.
@@ -383,6 +384,7 @@ allow init {
 # init chmod/chown access to /proc files.
 allow init {
 proc_cmdline
+ proc_bootconfig
 proc_kmsg
 proc_net
 proc_pagetypeinfo
diff --git a/public/vold.te b/public/vold.te
index 030e57214..b6d144392 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -23,6 +23,7 @@ r_dir_file(vold, rootfs)
 r_dir_file(vold, metadata_file)
 allow vold {
 proc # b/67049235 processes /proc//* files are mislabeled.
+ proc_bootconfig
 proc_cmdline
 proc_drop_caches
 proc_filesystems
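Review bot: The new `allow hal_bootctl_server proc_bootconfig:file r_file_perms;` in public/hal_bootctl.te has no comment saying what the boot control HAL reads from /proc/bootconfig. The same applies to the `proc_bootconfig` entries added to the `allow init { … }` list at -350 in public/init.te and to the `allow vold { … }` list in public/vold.te, where neighbouring entries do record a reason (`# Open /proc/kmsg for logd service.`). The rule is written against the hal_bootctl_server attribute in public policy, so it presumably reaches every vendor implementation of the HAL, which makes the justification worth keeping next to the grant. I would add a line above the rule such as `# Read boot parameters from /proc/bootconfig (b/173815685).` and an equivalent trailing comment on the init and vold entries. Both allow lists begin and end outside their hunks, so the permission sets they grant are not visible here.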
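Review bot: In the second public/init.te hunk (-383), `proc_bootconfig` joins the list that its comment describes as `init chmod/chown access to /proc files`, yet the commit message only says init requires permission, and the -350 hunk already adds the type to init's other /proc list. If init never changes the owner or mode of /proc/bootconfig, this entry should be dropped so the domain holds only the access it uses; if it does, a trailing comment naming the init.rc action would make the grant auditable. The entry is also placed after `proc_cmdline`, whereas the -350 hunk and the other files keep the list alphabetical, so the order would be `proc_bootconfig` then `proc_cmdline`. The permission set of this allow statement lies outside the hunk.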