From 828433c89255d5bf25e897d70232b38fbab92e03 Mon Sep 17 00:00:00 2001
From: Jeff Sharkey <jsharkey@android.com>
Date: Tue, 17 Jan 2017 18:33:50 -0700
Subject: [PATCH] Define policy for /proc/uid_procstat/set.

New procfs file written by the system_server to communicate fg/bg
state of UIDs to switch the statistics counter sets used.

avc: denied { write } for name="set" dev="proc" ino=4026531862 scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1

Test: builds, boots, counter sets updated
Bug: 34360629
Change-Id: I2efbfbba9e73f50ce50a80a3dffd3b14fa55c048
---
 private/genfs_contexts  | 1 +
 public/file.te          | 1 +
 public/system_server.te | 3 +++
 3 files changed, 5 insertions(+)

diff --git a/private/genfs_contexts b/private/genfs_contexts
index f7016851d..638610112 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -32,6 +32,7 @@ genfscon proc /timer_stats u:object_r:proc_timer:s0
 genfscon proc /tty/drivers u:object_r:proc_tty_drivers:s0
 genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
 genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
+genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0
 genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
 
 # selinuxfs booleans can be individually labeled.
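Review bot: The added `genfscon proc /uid_procstat/set` entry labels only that one path, so any other file under /proc/uid_procstat keeps the generic `proc` label (whether the kernel driver exposes one is not visible here). Because genfscon paths match by prefix, a later sibling whose name begins with `set` would also pick up this system_server-writable type without any policy change. A short comment above the entry would record the intent, for example `# Written only by system_server; label any sibling files separately.`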
diff --git a/public/file.te b/public/file.te
index 8b3b62c83..99c2a9e57 100644
--- a/public/file.te
+++ b/public/file.te
@@ -23,6 +23,7 @@ type proc_timer, fs_type;
 type proc_tty_drivers, fs_type;
 type proc_uid_cputime_showstat, fs_type;
 type proc_uid_cputime_removeuid, fs_type;
+type proc_uid_procstat_set, fs_type;
 type proc_zoneinfo, fs_type;
 type selinuxfs, fs_type, mlstrustedobject;
 type cgroup, fs_type, mlstrustedobject;
diff --git a/public/system_server.te b/public/system_server.te
index ee552630b..f36fa9f1b 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -112,6 +112,9 @@ allow system_server proc_uid_cputime_showstat:file r_file_perms;
 # Write /proc/uid_cputime/remove_uid_range.
 allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
 
+# Write /proc/uid_procstat/set.
+allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
+
 # Write to /proc/sysrq-trigger.
 allow system_server proc_sysrq:file rw_file_perms;
 
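Review bot: Nothing pins write access on the new type to system_server: the added `allow system_server proc_uid_procstat_set:file { w_file_perms getattr };` is the only grant visible here, but a later rule or a broad attribute-based allow could widen it unnoticed. If system_server is meant to be the sole writer, as the commit message suggests, a companion `neverallow { domain -system_server } proc_uid_procstat_set:file no_w_file_perms;` would turn that into a build-time guarantee. It may need a carve-out for init if init has to touch the file, which cannot be told from this hunk. The comment could also give the reason for the write, e.g. `# Write /proc/uid_procstat/set to report fg/bg state of UIDs.`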
-- 
GitLab