Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / dfe063c37dec77f158da06eb21ade5c490949486^! / .
commitdfe063c37dec77f158da06eb21ade5c490949486[log] [tgz]
authorMarissa Wall <marissaw@google.com>Fri Jan 19 13:48:31 2018 -0800
committerMarissa Wall <marissaw@google.com>Wed Jan 24 08:39:09 2018 -0800
tree25bbe3504dca5e63bd653c3bffe1a4207860394b
parentcf391269acd6ff71fe254d2f62d9c82571dd24bf [diff]
sepolicy: restrict access to uid_cpupower files

Do not let apps read /proc/uid_cpupower/time_in_state,
/proc/uid_cpupower/concurrent_active_time,
/proc/uid_cpupower/concurrent_policy_time.

b/71718257

Test: Check that they can't be read from the shell
    without root permissions and system_server was able
    to read them

Change-Id: I812694adfbb4630f7b56aa7096dc2e6dfb148b15

diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 184d18d..9dd2ee7 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil

@@ -479,6 +479,7 @@
     proc_uid_time_in_state
     proc_uid_concurrent_active_time
     proc_uid_concurrent_policy_time
+    proc_uid_cpupower
     proc_uptime
     proc_version
     proc_vmallocinfo

diff --git a/private/genfs_contexts b/private/genfs_contexts
index 2acaf9f..8f0d489 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts

@@ -78,6 +78,7 @@
 genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0
 genfscon proc /uid_concurrent_active_time u:object_r:proc_uid_concurrent_active_time:s0
 genfscon proc /uid_concurrent_policy_time u:object_r:proc_uid_concurrent_policy_time:s0
+genfscon proc /uid_cpupower/ u:object_r:proc_uid_cpupower:s0
 genfscon proc /uptime u:object_r:proc_uptime:s0
 genfscon proc /version u:object_r:proc_version:s0
 genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0

diff --git a/private/system_server.te b/private/system_server.te
index 6ebcab5..642c8bd 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -718,6 +718,7 @@
 }:file r_file_perms;
 
 allow system_server proc_uid_time_in_state:dir r_dir_perms;
+allow system_server proc_uid_cpupower:file r_file_perms;
 
 r_dir_file(system_server, rootfs)
 

diff --git a/public/app.te b/public/app.te
index 582995a..3c29946 100644
--- a/public/app.te
+++ b/public/app.te

@@ -547,3 +547,6 @@
 
 # Apps cannot access proc_uid_concurrent_policy_time
 neverallow appdomain proc_uid_concurrent_policy_time:file *;
+
+# Apps cannot access proc_uid_cpupower
+neverallow appdomain proc_uid_cpupower:file *;

diff --git a/public/file.te b/public/file.te
index fc55412..02a4360 100644
--- a/public/file.te
+++ b/public/file.te

@@ -56,6 +56,7 @@
 type proc_uid_time_in_state, fs_type;
 type proc_uid_concurrent_active_time, fs_type;
 type proc_uid_concurrent_policy_time, fs_type;
+type proc_uid_cpupower, fs_type;
 type proc_uptime, fs_type;
 type proc_version, fs_type;
 type proc_vmallocinfo, fs_type;