From 640e595a68713d6d09eab4c436780498c46cdbcb Mon Sep 17 00:00:00 2001
From: Luis Hector Chavez <lhchavez@google.com>
Date: Thu, 2 Nov 2017 15:52:40 -0700
Subject: [PATCH] Allow callers of uevent_kernel_*() access to
 /proc/sys/kernel/overflowuid

Bug: 62378620
Test: Android in Chrome OS can call uevent_kernel_recv() and not fail
      with EIO.
Test: bullhead networking still works

Change-Id: I4dd5d2148ee1704c4fa23d7fd82d1ade19b58cbd
---
 private/compat/26.0/26.0.cil | 1 +
 private/genfs_contexts       | 1 +
 public/file.te               | 1 +
 public/hal_usb.te            | 1 +
 public/healthd.te            | 1 +
 public/init.te               | 3 +++
 public/netd.te               | 3 +++
 public/ueventd.te            | 3 +++
 public/vold.te               | 1 +
 9 files changed, 15 insertions(+)

diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 4ebb66ee6..1ebab61f4 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -455,6 +455,7 @@
     proc_kmsg
     proc_loadavg
     proc_mounts
+    proc_overflowuid
     proc_page_cluster
     proc_pagetypeinfo
     proc_random
diff --git a/private/genfs_contexts b/private/genfs_contexts
index a6de59a6d..ee17d498c 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -31,6 +31,7 @@ genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0
 genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0
 genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
 genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
+genfscon proc /sys/kernel/overflowuid u:object_r:proc_overflowuid:s0
 genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
 genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
 genfscon proc /sys/kernel/random u:object_r:proc_random:s0
diff --git a/public/file.te b/public/file.te
index 9057c1976..37ebde4d6 100644
--- a/public/file.te
+++ b/public/file.te
@@ -26,6 +26,7 @@ type proc_misc, fs_type;
 type proc_modules, fs_type;
 type proc_mounts, fs_type;
 type proc_net, fs_type;
+type proc_overflowuid, fs_type;
 type proc_page_cluster, fs_type;
 type proc_pagetypeinfo, fs_type;
 type proc_perf, fs_type;
diff --git a/public/hal_usb.te b/public/hal_usb.te
index 9cfd5165d..e2e3449b8 100644
--- a/public/hal_usb.te
+++ b/public/hal_usb.te
@@ -15,4 +15,5 @@ allow hal_usb sysfs:file read;
 allow hal_usb sysfs:file open;
 allow hal_usb sysfs:file write;
 allow hal_usb sysfs:file getattr;
+allow hal_usb proc_overflowuid:file r_file_perms;
 
diff --git a/public/healthd.te b/public/healthd.te
index c0a7bec7b..e7c92c441 100644
--- a/public/healthd.te
+++ b/public/healthd.te
@@ -55,6 +55,7 @@ allow healthd tty_device:chr_file rw_file_perms;
 allow healthd ashmem_device:chr_file execute;
 allow healthd self:process execmem;
 allow healthd proc_sysrq:file rw_file_perms;
+allow healthd proc_overflowuid:file r_file_perms;
 
 add_service(healthd, batteryproperties_service)
 
diff --git a/public/init.te b/public/init.te
index 2d55aba16..bc10a82bd 100644
--- a/public/init.te
+++ b/public/init.te
@@ -280,6 +280,9 @@ allow init proc_cmdline:file r_file_perms;
 # Write to /proc/sys/vm/page-cluster
 allow init proc_page_cluster:file w_file_perms;
 
+# Read /proc/sys/kernel/overflowuid
+allow init proc_overflowuid:file r_file_perms;
+
 # Reboot.
 allow init self:capability sys_boot;
 
diff --git a/public/netd.te b/public/netd.te
index a1917b373..17f60b559 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -37,6 +37,9 @@ r_dir_file(netd, proc_net)
 # For /proc/sys/net/ipv[46]/route/flush.
 allow netd proc_net:file rw_file_perms;
 
+# Access for /proc/sys/kernel/overflowuid.
+allow netd proc_overflowuid:file r_file_perms;
+
 # Enables PppController and interface enumeration (among others)
 allow netd sysfs:dir r_dir_perms;
 r_dir_file(netd, sysfs_net)
diff --git a/public/ueventd.te b/public/ueventd.te
index 212087e52..7e1f3fd5f 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -36,6 +36,9 @@ allow ueventd file_contexts_file:file r_file_perms;
 # Use setfscreatecon() to label /dev directories and files.
 allow ueventd self:process setfscreate;
 
+# Access for /proc/sys/kernel/overflowuid.
+allow ueventd proc_overflowuid:file r_file_perms;
+
 #####
 ##### neverallow rules
 #####
diff --git a/public/vold.te b/public/vold.te
index 2c2f14705..148f4b541 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -24,6 +24,7 @@ allow vold {
   proc_filesystems
   proc_meminfo
   proc_mounts
+  proc_overflowuid
 }:file r_file_perms;
 
 #Get file contexts