Restore sysfs_devices_system_cpu to domain.te
Lots of processes access CPU information. This seems to be triggered
by libraries loaded into every Android process. Allow the access.
Addresses the following denials:
adbd : type=1400 audit(0.0:3): avc: denied { search } for name="cpu" dev="sysfs" ino=32 scontext=u:r:adbd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir permissive=1
adbd : type=1400 audit(0.0:4): avc: denied { read } for name="online" dev="sysfs" ino=34 scontext=u:r:adbd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
adbd : type=1400 audit(0.0:5): avc: denied { open } for path="/sys/devices/system/cpu/online" dev="sysfs" ino=34 scontext=u:r:adbd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
adbd : type=1400 audit(0.0:6): avc: denied { getattr } for path="/sys/devices/system/cpu/online" dev="sysfs" ino=34 scontext=u:r:adbd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
Change-Id: Ie7bfae53bdf670028db724d2720447ead42bad35
diff --git a/domain.te b/domain.te
index aaf2d0a..c910c70 100644
--- a/domain.te
+++ b/domain.te
@@ -99,6 +99,9 @@
# libc references /data/misc/zoneinfo for timezone related information
r_dir_file(domain, zoneinfo_data_file)
+# Lots of processes access current CPU information
+r_dir_file(domain, sysfs_devices_system_cpu)
+
# files under /data.
allow domain system_data_file:dir { search getattr };
allow domain system_data_file:lnk_file read;
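Review bot: The comment on the added `r_dir_file(domain, sysfs_devices_system_cpu)` rule does not record why the grant is domain-wide, and the denials quoted in the commit message only show adbd searching the `cpu` directory and reading `online`. Because the rule is on `domain`, every file carrying this label becomes readable by all processes, including the least-privileged ones, so the label's coverage effectively becomes a policy decision. Which sysfs nodes carry `sysfs_devices_system_cpu` is defined outside this diff, so it is worth confirming that the label covers only data that is safe to expose to every domain. I would expand the comment to something like `# Libraries loaded into every process read /sys/devices/system/cpu (e.g. "online"); keep this type limited to data safe for all domains to read.` Any node under that path that later needs restricting should get its own type rather than inheriting this one.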
diff --git a/domain_deprecated.te b/domain_deprecated.te
index 5fbeb60..269fe5b 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -63,7 +63,6 @@
# Read access to pseudo filesystems.
r_dir_file(domain_deprecated, proc)
r_dir_file(domain_deprecated, sysfs)
-r_dir_file(domain_deprecated, sysfs_devices_system_cpu)
r_dir_file(domain_deprecated, inotify)
r_dir_file(domain_deprecated, cgroup)
r_dir_file(domain_deprecated, proc_net)