From 4dc88795d0906148e3414688fa81481b4edaacff Mon Sep 17 00:00:00 2001
From: Andres Oportus <andresoportus@google.com>
Date: Wed, 7 Jun 2017 10:39:11 -0700
Subject: [PATCH] Allow only system_server to read uid_time_in_state

Bug: 62706738
Bug: 34133340
Test: Check that uid_time_in_state can't be read from
the shell without root permissions and that
"dumpsys batterystats --checkin| grep ctf" shows frequency
data (system_server was able to read uid_time_in_state)

Change-Id: Ic6a54da4ebcc9e10b0e3af8f14a45d7408e8686e
---
 private/genfs_contexts   | 1 +
 private/system_server.te | 3 +++
 public/file.te           | 1 +
 3 files changed, 5 insertions(+)

diff --git a/private/genfs_contexts b/private/genfs_contexts
index dfd8d9ccd..2d9766797 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -40,6 +40,7 @@ genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
 genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
 genfscon proc /uid_io/stats u:object_r:proc_uid_io_stats:s0
 genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0
+genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0
 genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
 
 # selinuxfs booleans can be individually labeled.
diff --git a/private/system_server.te b/private/system_server.te
index 2bfd4cda6..243ad2316 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -130,6 +130,9 @@ allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
 # Write /proc/uid_procstat/set.
 allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
 
+# Read /proc/uid_time_in_state.
+allow system_server proc_uid_time_in_state:file r_file_perms;
+
 # Write to /proc/sysrq-trigger.
 allow system_server proc_sysrq:file rw_file_perms;
 
diff --git a/public/file.te b/public/file.te
index bf8223a5e..943b55fea 100644
--- a/public/file.te
+++ b/public/file.te
@@ -28,6 +28,7 @@ type proc_uid_cputime_showstat, fs_type;
 type proc_uid_cputime_removeuid, fs_type;
 type proc_uid_io_stats, fs_type;
 type proc_uid_procstat_set, fs_type;
+type proc_uid_time_in_state, fs_type;
 type proc_zoneinfo, fs_type;
 type selinuxfs, fs_type, mlstrustedobject;
 type cgroup, fs_type, mlstrustedobject;
-- 
GitLab