Restrict access to uid_concurrent_*_time

Do not let apps read uid_concurrent_active_time and uid_concurrent_policy_time. b/68399339 Test: Check that they can't be read from the shell without root permissions and system_server was able to read them Change-Id: I6f09ef608607cb9f4084ba403a1e7254b8c49a06

Restrict access to uid_concurrent_*_time
80ee23f7 · Marissa Wall · Jeffrey Vander Stoep · e9ae7735 · 80ee23f7 · 80ee23f7
Commit 80ee23f7 authored 7 years ago by Marissa Wall Committed by Jeffrey Vander Stoep 7 years ago
--- a/private/app.te
+++ b/private/app.te
@@ -541,3 +541,12 @@ neverallow {
  -bluetooth
  -system_app
 } bluetooth_prop:file create_file_perms;
+
+# Apps cannot access proc_uid_time_in_state
+neverallow appdomain proc_uid_time_in_state:file *;
+
+# Apps cannot access proc_uid_concurrent_active_time
+neverallow appdomain proc_uid_concurrent_active_time:file *;
+
+# Apps cannot access proc_uid_concurrent_policy_time
+neverallow appdomain proc_uid_concurrent_policy_time:file *;
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -127,9 +127,6 @@ neverallow all_untrusted_apps {
 # Avoid all access to kernel configuration
 neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };

-# Only system_server can access proc_uid_time_in_state
-neverallow { domain -init -system_server } proc_uid_time_in_state:file *;
-
 # Do not allow untrusted apps access to preloads data files
 neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;


--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -473,6 +473,8 @@
    proc_sched
    proc_swaps
    proc_uid_time_in_state
+    proc_uid_concurrent_active_time
+    proc_uid_concurrent_policy_time
    proc_uptime
    proc_version
    proc_vmallocinfo))

--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -74,6 +74,8 @@ genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeui
 genfscon proc /uid_io/stats u:object_r:proc_uid_io_stats:s0
 genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0
 genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0
+genfscon proc /uid_concurrent_active_time u:object_r:proc_uid_concurrent_active_time:s0
+genfscon proc /uid_concurrent_policy_time u:object_r:proc_uid_concurrent_policy_time:s0
 genfscon proc /uptime u:object_r:proc_uptime:s0
 genfscon proc /version u:object_r:proc_version:s0
 genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0

--- a/private/system_server.te
+++ b/private/system_server.te
@@ -694,6 +694,8 @@ allow system_server {
  proc_stat
  proc_uid_cputime_showstat
  proc_uid_time_in_state
+  proc_uid_concurrent_active_time
+  proc_uid_concurrent_policy_time
  proc_version
  proc_vmallocinfo
 }:file r_file_perms;

--- a/public/file.te
+++ b/public/file.te
@@ -52,6 +52,8 @@ type proc_uid_cputime_removeuid, fs_type;
 type proc_uid_io_stats, fs_type;
 type proc_uid_procstat_set, fs_type;
 type proc_uid_time_in_state, fs_type;
+type proc_uid_concurrent_active_time, fs_type;
+type proc_uid_concurrent_policy_time, fs_type;
 type proc_uptime, fs_type;
 type proc_version, fs_type;
 type proc_vmallocinfo, fs_type;

--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -164,6 +164,8 @@ allow vendor_init {
  -sdcard_type
  -rootfs
  -proc_uid_time_in_state
+  -proc_uid_concurrent_active_time
+  -proc_uid_concurrent_policy_time
 }:file { open read setattr };

 allow vendor_init {
@@ -172,6 +174,8 @@ allow vendor_init {
  -sdcard_type
  -rootfs
  -proc_uid_time_in_state
+  -proc_uid_concurrent_active_time
+  -proc_uid_concurrent_policy_time
 }:dir  { open read setattr search };

 # chown/chmod on devices, e.g. /dev/ttyHS0