From 4e2d22451f9645f7ab39b94b1ec0f0f5a5c5b2e9 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Thu, 10 Dec 2015 11:10:20 -0800
Subject: [PATCH] Restore sysfs_devices_system_cpu to domain.te

Lots of processes access CPU information. This seems to be triggered
by libraries loaded into every Android process. Allow the access.

Addresses the following denials:

adbd    : type=1400 audit(0.0:3): avc: denied { search } for name="cpu" dev="sysfs" ino=32 scontext=u:r:adbd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir permissive=1
adbd    : type=1400 audit(0.0:4): avc: denied { read } for name="online" dev="sysfs" ino=34 scontext=u:r:adbd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
adbd    : type=1400 audit(0.0:5): avc: denied { open } for path="/sys/devices/system/cpu/online" dev="sysfs" ino=34 scontext=u:r:adbd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
adbd    : type=1400 audit(0.0:6): avc: denied { getattr } for path="/sys/devices/system/cpu/online" dev="sysfs" ino=34 scontext=u:r:adbd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1

Change-Id: Ie7bfae53bdf670028db724d2720447ead42bad35
---
 domain.te            | 3 +++
 domain_deprecated.te | 1 -
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/domain.te b/domain.te
index aaf2d0a04..c910c7069 100644
--- a/domain.te
+++ b/domain.te
@@ -99,6 +99,9 @@ allow domain system_file:lnk_file read;
 # libc references /data/misc/zoneinfo for timezone related information
 r_dir_file(domain, zoneinfo_data_file)
 
+# Lots of processes access current CPU information
+r_dir_file(domain, sysfs_devices_system_cpu)
+
 # files under /data.
 allow domain system_data_file:dir { search getattr };
 allow domain system_data_file:lnk_file read;
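Review bot: The comment above `r_dir_file(domain, sysfs_devices_system_cpu)` says only that many processes read CPU information, but not why the grant is made to every domain rather than to the domains that were actually denied; the commit message attributes it to libraries loaded into every process, and that reasoning belongs in the policy file where the next reviewer of domain.te will see it. Suggest `# Lots of processes access current CPU information (e.g. /sys/devices/system/cpu/online) via libraries loaded into every process, so grant it domain-wide rather than per-domain.` Note also that r_dir_file grants read on every dir, file and lnk_file labelled sysfs_devices_system_cpu, not just the `online` node named in the denials, so the effective exposure to all domains is whatever file_contexts assigns that label; that labelling is outside this patch, so its scope is worth confirming before merging.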
diff --git a/domain_deprecated.te b/domain_deprecated.te
index 5fbeb60cb..269fe5bbd 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -63,7 +63,6 @@ allow domain_deprecated ion_device:chr_file rw_file_perms;
 # Read access to pseudo filesystems.
 r_dir_file(domain_deprecated, proc)
 r_dir_file(domain_deprecated, sysfs)
-r_dir_file(domain_deprecated, sysfs_devices_system_cpu)
 r_dir_file(domain_deprecated, inotify)
 r_dir_file(domain_deprecated, cgroup)
 r_dir_file(domain_deprecated, proc_net)
-- 
GitLab