undeprecate /proc/cpuinfo, more shell permissions
Access to /proc/cpuinfo was moved to domain_deprecated in commit 6e3506e1ba. Restore access to everyone. Allow the shell user to stat() /dev, and statvfs() /proc and other labeled filesystems such as /system and /data. Access to /proc/cpuinfo was explicitly granted to bootanim, but is no longer required after moving it back to domain.te. Delete the redundant entry. Commit 4e2d22451f
restored access to /sys/devices/system/cpu for all domains, but forgot to remove the redundant entry from bootanim.te. Cleanup the redundant entry. Addresses the following denials: avc: denied { getattr } for pid=23648 comm="bionic-unit-tes" name="/" dev="proc" ino=1 scontext=u:r:shell:s0 tcontext=u:object_r:proc:s0 tclass=filesystem permissive=0 avc: denied { read } for name="cpuinfo" dev="proc" ino=4026533615 scontext=u:r:shell:s0 tcontext=u:object_r:proc_cpuinfo:s0 tclass=file permissive=0 avc: denied { getattr } for pid=23713 comm="bionic-unit-tes" path="/dev" dev="tmpfs" ino=11405 scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=dir permissive=0 avc: denied { getattr } for name="/" dev="mmcblk0p30" ino=2 scontext=u:r:shell:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0 Bug: 26295417 Change-Id: Ia85ac91cbd43235c0f8fe0aebafffb8046cc77ec
parent
9c5b4a8a44
commit
f8f937a16f
4 changed files with 10 additions and 3 deletions
|
@ -28,9 +28,7 @@ allow bootanim ion_device:chr_file rw_file_perms;
|
|||
# Read access to pseudo filesystems.
|
||||
r_dir_file(bootanim, proc)
|
||||
r_dir_file(bootanim, sysfs)
|
||||
r_dir_file(bootanim, sysfs_devices_system_cpu)
|
||||
r_dir_file(bootanim, cgroup)
|
||||
allow bootanim proc_cpuinfo:file r_file_perms;
|
||||
|
||||
# System file accesses.
|
||||
allow bootanim system_file:dir r_dir_perms;
|
||||
|
|
|
@ -109,6 +109,9 @@ allow domain system_data_file:lnk_file read;
|
|||
# required by the dynamic linker
|
||||
allow domain proc:lnk_file read;
|
||||
|
||||
# /proc/cpuinfo
|
||||
allow domain proc_cpuinfo:file r_file_perms;
|
||||
|
||||
# toybox loads libselinux which stats /sys/fs/selinux/
|
||||
allow domain selinuxfs:file getattr;
|
||||
allow domain sysfs:dir search;
|
||||
|
|
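Review bot: The comment `# /proc/cpuinfo` above `allow domain proc_cpuinfo:file r_file_perms;` names the file but not the reason every domain, including the least-trusted ones, needs to read it. The only proc_cpuinfo denial quoted in the commit message is for `shell`, so someone auditing domain.te later cannot tell which callers motivated a grant to all of `domain`. On some kernels /proc/cpuinfo may carry device-identifying fields alongside CPU feature flags (not verifiable from this page), so the rationale is worth recording next to the rule, for example `# /proc/cpuinfo: readable by all domains; needed for <reason, to be filled in by the author>`. The rest of domain.te lies outside this hunk.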
|
@ -66,7 +66,6 @@ r_dir_file(domain_deprecated, sysfs)
|
|||
r_dir_file(domain_deprecated, inotify)
|
||||
r_dir_file(domain_deprecated, cgroup)
|
||||
r_dir_file(domain_deprecated, proc_net)
|
||||
allow domain_deprecated proc_cpuinfo:file r_file_perms;
|
||||
|
||||
# Get SELinux enforcing status.
|
||||
allow domain_deprecated selinuxfs:dir r_dir_perms;
|
||||
|
|
7
shell.te
7
shell.te
|
@ -96,6 +96,13 @@ r_dir_file(shell, cgroup)
|
|||
allow shell domain:dir { search open read getattr };
|
||||
allow shell domain:{ file lnk_file } { open read getattr };
|
||||
|
||||
# statvfs() of /proc and other labeled filesystems
|
||||
# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs)
|
||||
allow shell { proc labeledfs }:filesystem getattr;
|
||||
|
||||
# stat() of /dev
|
||||
allow shell device:dir getattr;
|
||||
|
||||
# allow shell to read /proc/pid/attr/current for ps -Z
|
||||
allow shell domain:process getattr;
|
||||
|
||||
|
|
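Review bot: The comments on `allow shell { proc labeledfs }:filesystem getattr;` and `allow shell device:dir getattr;` describe the syscalls but not who needs them. The denials in the commit message show `comm="bionic-unit-tes"` running as `u:r:shell:s0`, which suggests the rules exist for unit tests launched from the shell. Both rules apply to every process in the shell domain, so recording that origin helps a later audit decide whether they are still required, e.g. `# stat() of /dev (seen from bionic unit tests run as shell)`. Both grants are limited to `getattr`, which matches the quoted denials.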