From 80ee23f74a6107c9a5e7cf4144a72d4befe950d1 Mon Sep 17 00:00:00 2001
From: Marissa Wall <marissaw@google.com>
Date: Fri, 10 Nov 2017 14:10:19 -0800
Subject: [PATCH] Restrict access to uid_concurrent_*_time

Do not let apps read uid_concurrent_active_time and
uid_concurrent_policy_time.

b/68399339

Test: Check that they can't be read from the shell
    without root permissions and system_server was able
    to read them

Change-Id: I6f09ef608607cb9f4084ba403a1e7254b8c49a06
---
 private/app.te               | 9 +++++++++
 private/app_neverallows.te   | 3 ---
 private/compat/26.0/26.0.cil | 2 ++
 private/genfs_contexts       | 2 ++
 private/system_server.te     | 2 ++
 public/file.te               | 2 ++
 public/vendor_init.te        | 4 ++++
 7 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/private/app.te b/private/app.te
index b79f447f1..d86d95f33 100644
--- a/private/app.te
+++ b/private/app.te
@@ -541,3 +541,12 @@ neverallow {
   -bluetooth
   -system_app
 } bluetooth_prop:file create_file_perms;
+
+# Apps cannot access proc_uid_time_in_state
+neverallow appdomain proc_uid_time_in_state:file *;
+
+# Apps cannot access proc_uid_concurrent_active_time
+neverallow appdomain proc_uid_concurrent_active_time:file *;
+
+# Apps cannot access proc_uid_concurrent_policy_time
+neverallow appdomain proc_uid_concurrent_policy_time:file *;
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 53638f7df..c4cbfd859 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -127,9 +127,6 @@ neverallow all_untrusted_apps {
 # Avoid all access to kernel configuration
 neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
 
-# Only system_server can access proc_uid_time_in_state
-neverallow { domain -init -system_server } proc_uid_time_in_state:file *;
-
 # Do not allow untrusted apps access to preloads data files
 neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
 
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index f7338c6eb..51eab2305 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -473,6 +473,8 @@
     proc_sched
     proc_swaps
     proc_uid_time_in_state
+    proc_uid_concurrent_active_time
+    proc_uid_concurrent_policy_time
     proc_uptime
     proc_version
     proc_vmallocinfo))
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 8e24f75f8..e0cafa48b 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -74,6 +74,8 @@ genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeui
 genfscon proc /uid_io/stats u:object_r:proc_uid_io_stats:s0
 genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0
 genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0
+genfscon proc /uid_concurrent_active_time u:object_r:proc_uid_concurrent_active_time:s0
+genfscon proc /uid_concurrent_policy_time u:object_r:proc_uid_concurrent_policy_time:s0
 genfscon proc /uptime u:object_r:proc_uptime:s0
 genfscon proc /version u:object_r:proc_version:s0
 genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
diff --git a/private/system_server.te b/private/system_server.te
index 2102391ce..7b0aad150 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -694,6 +694,8 @@ allow system_server {
   proc_stat
   proc_uid_cputime_showstat
   proc_uid_time_in_state
+  proc_uid_concurrent_active_time
+  proc_uid_concurrent_policy_time
   proc_version
   proc_vmallocinfo
 }:file r_file_perms;
diff --git a/public/file.te b/public/file.te
index d8677e8ab..339f57d96 100644
--- a/public/file.te
+++ b/public/file.te
@@ -52,6 +52,8 @@ type proc_uid_cputime_removeuid, fs_type;
 type proc_uid_io_stats, fs_type;
 type proc_uid_procstat_set, fs_type;
 type proc_uid_time_in_state, fs_type;
+type proc_uid_concurrent_active_time, fs_type;
+type proc_uid_concurrent_policy_time, fs_type;
 type proc_uptime, fs_type;
 type proc_version, fs_type;
 type proc_vmallocinfo, fs_type;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 5b9d09f44..ace58abe7 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -164,6 +164,8 @@ allow vendor_init {
   -sdcard_type
   -rootfs
   -proc_uid_time_in_state
+  -proc_uid_concurrent_active_time
+  -proc_uid_concurrent_policy_time
 }:file { open read setattr };
 
 allow vendor_init {
@@ -172,6 +174,8 @@ allow vendor_init {
   -sdcard_type
   -rootfs
   -proc_uid_time_in_state
+  -proc_uid_concurrent_active_time
+  -proc_uid_concurrent_policy_time
 }:dir  { open read setattr search };
 
 # chown/chmod on devices, e.g. /dev/ttyHS0
-- 
GitLab