From 3526a6696fdc2b7d3b7a8fe452ce8b287160c42b Mon Sep 17 00:00:00 2001
From: Adam Lesinski <adamlesinski@google.com>
Date: Tue, 12 May 2015 17:14:35 -0700
Subject: [PATCH] Allow system_server to read/write /proc/uid_cputime/ module

Bug:20182139
Change-Id: I1829a83c7d8e2698715e424a688a2753d65de868
---
 file.te          | 2 ++
 genfs_contexts   | 3 +++
 system_server.te | 6 ++++++
 3 files changed, 11 insertions(+)

diff --git a/file.te b/file.te
index 815c89216..3bbf9a5b4 100644
--- a/file.te
+++ b/file.te
@@ -13,6 +13,8 @@ type proc_bluetooth_writable, fs_type;
 type proc_cpuinfo, fs_type;
 type proc_net, fs_type;
 type proc_sysrq, fs_type;
+type proc_uid_cputime_showstat, fs_type;
+type proc_uid_cputime_removeuid, fs_type;
 type selinuxfs, fs_type, mlstrustedobject;
 type cgroup, fs_type, mlstrustedobject;
 type sysfs, fs_type, sysfs_type, mlstrustedobject;
diff --git a/genfs_contexts b/genfs_contexts
index 4b16ffc1f..f7967860a 100644
--- a/genfs_contexts
+++ b/genfs_contexts
@@ -20,6 +20,9 @@ genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
 genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
 genfscon proc /sys/net u:object_r:proc_net:s0
 genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
+genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
+genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
+
 # selinuxfs booleans can be individually labeled.
 genfscon selinuxfs / u:object_r:selinuxfs:s0
 genfscon cgroup / u:object_r:cgroup:s0
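Review bot: Only the two named nodes are relabeled by the added `genfscon proc /uid_cputime/...` lines, so the /uid_cputime directory itself and any other entry under it keep whatever label the generic proc entry assigns, which is not visible in this hunk. If the module later gains further nodes, they would be reachable by every domain that can access generic proc until someone adds a label for them. A comment above the two entries would record that assumption, for example `# /proc/uid_cputime: per-UID CPU time accounting. Each node is labeled individually so read and reset can be granted separately; label any new node here.` The blank line added after the entries is harmless but could be dropped to match the surrounding layout.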
diff --git a/system_server.te b/system_server.te
index 5e0982e2a..fb163970c 100644
--- a/system_server.te
+++ b/system_server.te
@@ -89,6 +89,12 @@ r_dir_file(system_server, domain)
 allow system_server qtaguid_proc:file rw_file_perms;
 allow system_server qtaguid_device:chr_file rw_file_perms;
 
+# Read /proc/uid_cputime/show_uid_stat.
+allow system_server proc_uid_cputime_showstat:file r_file_perms;
+
+# Write /proc/uid_cputime/remove_uid_range.
+allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
+
 # Write to /proc/sysrq-trigger.
 allow system_server proc_sysrq:file rw_file_perms;
 
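Review bot: Nothing in this hunk stops a later rule from giving another domain write access to `proc_uid_cputime_removeuid`; the added allow grants system_server the access, but exclusivity rests only on no other rule existing. Going by the node name, a write there discards accounting for a UID range, so it is worth pinning with a neverallow next to the allow, e.g. `neverallow { domain -system_server } proc_uid_cputime_removeuid:file { write append };`. Whether init or another domain already holds a blanket grant over `fs_type` files is not visible here, so any such domain would need an explicit exemption for the policy to compile. A matching neverallow on `read` for `proc_uid_cputime_showstat` would keep per-UID CPU time away from untrusted app domains, since that data can reveal what other apps are doing.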
-- 
GitLab