Restrict /proc/sys/vm/mmap_rnd_bits

Label /proc/sys/vm/mmap_rnd_bits so it is only readable and writable by init. This also tightens the neverallow restrictions for proc_security. Bug: 33563834 Test: run cts -m CtsPermissionTestCases -t \ android.permission.cts.FileSystemPermissionTest#testProcfsMmapRndBitsExistsAndSane Change-Id: Ie7af39ddbf23806d4ffa35e7b19d30fec7b6d410
2017-02-23 14:40:56 -08:00 · 2017-02-23 14:40:56 -08:00 · 64a0503831
commit 64a0503831
parent 38dc1e2230
2 changed files with 3 additions and 1 deletions
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@ -26,6 +26,8 @@ genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
 genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
 genfscon proc /sys/net u:object_r:proc_net:s0
 genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
+genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
+genfscon proc /sys/vm/mmap_rnd_compat_bits u:object_r:proc_security:s0
 genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
 genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0
 genfscon proc /timer_list u:object_r:proc_timer:s0
--- a/public/domain.te
+++ b/public/domain.te
@ -251,7 +251,7 @@ neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr };
 # Only init should be able to configure kernel usermodehelpers or
 # security-sensitive proc settings.
 neverallow { domain -init } usermodehelper:file { append write };
-neverallow { domain -init } proc_security:file { append write };
+neverallow { domain -init } proc_security:file { append open read write };

 # No domain should be allowed to ptrace init.
 neverallow * init:process ptrace;