Restrict access to uid_concurrent_*_time
Do not let apps read uid_concurrent_active_time and
uid_concurrent_policy_time.
b/68399339
Test: Check that they can't be read from the shell
without root permissions and that system_server is able
to read them
Change-Id: I6f09ef608607cb9f4084ba403a1e7254b8c49a06
diff --git a/private/app.te b/private/app.te
index b79f447..d86d95f 100644
--- a/private/app.te
+++ b/private/app.te
@@ -541,3 +541,12 @@
-bluetooth
-system_app
} bluetooth_prop:file create_file_perms;
+
+# Apps cannot access proc_uid_time_in_state
+neverallow appdomain proc_uid_time_in_state:file *;
+
+# Apps cannot access proc_uid_concurrent_active_time
+neverallow appdomain proc_uid_concurrent_active_time:file *;
+
+# Apps cannot access proc_uid_concurrent_policy_time
+neverallow appdomain proc_uid_concurrent_policy_time:file *;
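Review bot: The three added `neverallow appdomain ...` rules are narrower than the rule this commit deletes from private/app_neverallows.te, `neverallow { domain -init -system_server } proc_uid_time_in_state:file *;`. After the change a later allow rule could grant any non-app domain access to these three types without a build failure. If no other domain is meant to read them, keeping the broad form for all three would preserve the original guarantee, e.g. `neverallow { domain -init -system_server } proc_uid_concurrent_active_time:file *;`. If some domain does need access, a comment naming it would explain why the rule was narrowed. The Test line covers only the shell and system_server, so it would not catch access from other domains.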
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 53638f7..c4cbfd8 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -127,9 +127,6 @@
# Avoid all access to kernel configuration
neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
-# Only system_server can access proc_uid_time_in_state
-neverallow { domain -init -system_server } proc_uid_time_in_state:file *;
-
# Do not allow untrusted apps access to preloads data files
neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index f7338c6..51eab23 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -473,6 +473,8 @@
proc_sched
proc_swaps
proc_uid_time_in_state
+ proc_uid_concurrent_active_time
+ proc_uid_concurrent_policy_time
proc_uptime
proc_version
proc_vmallocinfo))
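Review bot: The statement that owns this list starts outside the hunk, so it is not visible which versioned attribute `proc_uid_concurrent_active_time` and `proc_uid_concurrent_policy_time` are being added to; presumably it is the 26.0 mapping for the generic `proc` type. If so, any vendor policy built against 26.0 that was allowed to read that attribute keeps read access to the two new files, and the appdomain-only neverallow rules in private/app.te do not constrain it. It is worth confirming that this retained access is intended and saying so in the commit description.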
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 8e24f75..e0cafa4 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -74,6 +74,8 @@
genfscon proc /uid_io/stats u:object_r:proc_uid_io_stats:s0
genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0
genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0
+genfscon proc /uid_concurrent_active_time u:object_r:proc_uid_concurrent_active_time:s0
+genfscon proc /uid_concurrent_policy_time u:object_r:proc_uid_concurrent_policy_time:s0
genfscon proc /uptime u:object_r:proc_uptime:s0
genfscon proc /version u:object_r:proc_version:s0
genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
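Review bot: No hunk visible on this page declares `proc_uid_concurrent_active_time` or `proc_uid_concurrent_policy_time`, although these two `genfscon` lines, the neverallow rules in private/app.te and the system_server.te list all reference them. Presumably the declarations are in a file section not shown here; if they are missing, the policy will not compile. They would be along the lines of `type proc_uid_concurrent_active_time, fs_type;`, next to the existing declaration of `proc_uid_time_in_state`.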
diff --git a/private/system_server.te b/private/system_server.te
index 2102391..7b0aad1 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -694,6 +694,8 @@
proc_stat
proc_uid_cputime_showstat
proc_uid_time_in_state
+ proc_uid_concurrent_active_time
+ proc_uid_concurrent_policy_time
proc_version
proc_vmallocinfo
}:file r_file_perms;
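Review bot: The two added entries break the alphabetical order the visible part of this list otherwise follows, since `proc_uid_concurrent_*` sorts before `proc_uid_cputime_showstat`. The same applies to the additions in private/genfs_contexts and private/compat/26.0/26.0.cil. Keeping the order makes duplicate or missing entries easier to spot when these lists are audited. The list opens outside the hunk, so the ordering of its earlier entries is not visible here.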