From ab8b3dfec5b7156dab6e815e133ad3db02fb43fc Mon Sep 17 00:00:00 2001
From: Alistair Delva
Date: Tue, 9 Mar 2021 11:29:47 -0800
Subject: [PATCH] Add kernel permission for bootconfig proc file

Just before selinux is set up, the kernel context must be allowed to access the /proc/bootconfig file to read the state of the androidboot.selinux= property. Such permission was already granted for accessing the /proc/cmdline file for the same reason.

Bug: 173815685
Test: launch_cvd -extra_kernel_cmdline androidboot.selinux=permissive
Test: launch_cvd -guest_enforce_security=false [bootconfig method]
[..] init: Permissive SELinux boot, forcing sys.init.perf_lsm_hooks to 1.
[..]
Change-Id: I999c0c9d736bed18e5daea81bb0f8cc78350eba7
---
 public/kernel.te | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/public/kernel.te b/public/kernel.te
index 35018e91e..9aa40ccf1 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -5,7 +5,12 @@ allow kernel self:global_capability_class_set sys_nice;
 # Root fs.
 r_dir_file(kernel, rootfs)
-allow kernel proc_cmdline:file r_file_perms;
+
+# Used to read androidboot.selinux property
+allow kernel {
+ proc_bootconfig
+ proc_cmdline
+}:file r_file_perms;
 
 # Get SELinux enforcing status.
 allow kernel selinuxfs:dir r_dir_perms;