sepolicy: restrict access to uid_cpupower files
Do not let apps read /proc/uid_cpupower/time_in_state,
/proc/uid_cpupower/concurrent_active_time,
/proc/uid_cpupower/concurrent_policy_time.
b/71718257
Test: Check that they can't be read from the shell
without root permissions and that system_server is able
to read them
Change-Id: I812694adfbb4630f7b56aa7096dc2e6dfb148b15
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 184d18d..9dd2ee7 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -479,6 +479,7 @@
proc_uid_time_in_state
proc_uid_concurrent_active_time
proc_uid_concurrent_policy_time
+ proc_uid_cpupower
proc_uptime
proc_version
proc_vmallocinfo
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 2acaf9f..8f0d489 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -78,6 +78,7 @@
genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0
genfscon proc /uid_concurrent_active_time u:object_r:proc_uid_concurrent_active_time:s0
genfscon proc /uid_concurrent_policy_time u:object_r:proc_uid_concurrent_policy_time:s0
+genfscon proc /uid_cpupower/ u:object_r:proc_uid_cpupower:s0
genfscon proc /uptime u:object_r:proc_uptime:s0
genfscon proc /version u:object_r:proc_version:s0
genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
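Review bot: The added `genfscon proc /uid_cpupower/` entry ends in a slash, unlike the neighbouring entries, and nothing on the line explains why. genfs labelling matches by path prefix, so as far as I can tell this entry covers the files under the directory but not `/proc/uid_cpupower` itself, which would keep the label proc directories get by default. That fits the system_server.te hunk granting only `:file` permissions on the new type, but a later cleanup that drops the slash would silently relabel the directory as well. If the slash is deliberate, I would add a comment above the line such as `# Trailing slash: label only the files under /proc/uid_cpupower/, not the directory itself.`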
diff --git a/private/system_server.te b/private/system_server.te
index 6ebcab5..642c8bd 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -718,6 +718,7 @@
}:file r_file_perms;
allow system_server proc_uid_time_in_state:dir r_dir_perms;
+allow system_server proc_uid_cpupower:file r_file_perms;
r_dir_file(system_server, rootfs)
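Review bot: The new `allow system_server proc_uid_cpupower:file r_file_perms;` line grants the intended reader, but nothing visible in this change pins the restriction the commit title promises. Apps are kept out only because no rule currently grants them the new type, so a later attribute-wide allow could reopen these files without a build failure. The stated test also exercises the shell rather than app domains. Consider a compile-time guard alongside the rule, for example `neverallow appdomain proc_uid_cpupower:file { open read };`, after checking it against existing attribute-wide grants. The `}:file r_file_perms;` block that precedes the added line starts outside the hunk.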