Commit dfe063c3 authored by Marissa Wall's avatar Marissa Wall

sepolicy: restrict access to uid_cpupower files

Do not let apps read /proc/uid_cpupower/time_in_state,
/proc/uid_cpupower/concurrent_active_time,
/proc/uid_cpupower/concurrent_policy_time.

b/71718257

Test: Check that they can't be read from the shell
    without root permissions and system_server was able
    to read them

Change-Id: I812694adfbb4630f7b56aa7096dc2e6dfb148b15
parent cf391269
...@@ -479,6 +479,7 @@ ...@@ -479,6 +479,7 @@
proc_uid_time_in_state proc_uid_time_in_state
proc_uid_concurrent_active_time proc_uid_concurrent_active_time
proc_uid_concurrent_policy_time proc_uid_concurrent_policy_time
proc_uid_cpupower
proc_uptime proc_uptime
proc_version proc_version
proc_vmallocinfo proc_vmallocinfo
......
...@@ -78,6 +78,7 @@ genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0 ...@@ -78,6 +78,7 @@ genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0
genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0 genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0
genfscon proc /uid_concurrent_active_time u:object_r:proc_uid_concurrent_active_time:s0 genfscon proc /uid_concurrent_active_time u:object_r:proc_uid_concurrent_active_time:s0
genfscon proc /uid_concurrent_policy_time u:object_r:proc_uid_concurrent_policy_time:s0 genfscon proc /uid_concurrent_policy_time u:object_r:proc_uid_concurrent_policy_time:s0
genfscon proc /uid_cpupower/ u:object_r:proc_uid_cpupower:s0
genfscon proc /uptime u:object_r:proc_uptime:s0 genfscon proc /uptime u:object_r:proc_uptime:s0
genfscon proc /version u:object_r:proc_version:s0 genfscon proc /version u:object_r:proc_version:s0
genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0 genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
......
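Review bot: The new `genfscon proc /uid_cpupower/` entry ends in a slash, unlike every neighbouring entry, and nothing in the file records why. genfs labelling matches on a path prefix, so the /proc/uid_cpupower directory itself presumably keeps the default proc label and only the entries beneath it receive `proc_uid_cpupower`; that would fit the rest of the commit granting and denying the `file` class only. A comment above the line, for example `# Trailing slash is deliberate: label the entries under /proc/uid_cpupower, not the directory node`, would stop a later cleanup from dropping the slash and silently changing which objects carry the restricted type. It is also worth confirming on a device with `ls -Z` that the three files named in the commit message actually show the new label.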
...@@ -718,6 +718,7 @@ allow system_server { ...@@ -718,6 +718,7 @@ allow system_server {
}:file r_file_perms; }:file r_file_perms;
allow system_server proc_uid_time_in_state:dir r_dir_perms; allow system_server proc_uid_time_in_state:dir r_dir_perms;
allow system_server proc_uid_cpupower:file r_file_perms;
r_dir_file(system_server, rootfs) r_dir_file(system_server, rootfs)
......
...@@ -547,3 +547,6 @@ neverallow appdomain proc_uid_concurrent_active_time:file *; ...@@ -547,3 +547,6 @@ neverallow appdomain proc_uid_concurrent_active_time:file *;
# Apps cannot access proc_uid_concurrent_policy_time # Apps cannot access proc_uid_concurrent_policy_time
neverallow appdomain proc_uid_concurrent_policy_time:file *; neverallow appdomain proc_uid_concurrent_policy_time:file *;
# Apps cannot access proc_uid_cpupower
neverallow appdomain proc_uid_cpupower:file *;
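Review bot: The added `neverallow appdomain proc_uid_cpupower:file *;` asserts only on the `file` class, so a later allow rule that gives an app domain access to a directory or symlink carrying this type would still compile. Because the genfscon entry in this commit is a prefix ending in `/`, anything the kernel later adds under /proc/uid_cpupower, including a subdirectory, would presumably inherit the type. Widening the assertion to `neverallow appdomain proc_uid_cpupower:{ file dir lnk_file } *;` would keep the guarantee if the interface grows. The sibling rules above follow the same file-only pattern, so this may be a deliberate convention; if so, a short comment saying the type is expected to label regular files only would document that assumption.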
...@@ -56,6 +56,7 @@ type proc_uid_procstat_set, fs_type; ...@@ -56,6 +56,7 @@ type proc_uid_procstat_set, fs_type;
type proc_uid_time_in_state, fs_type; type proc_uid_time_in_state, fs_type;
type proc_uid_concurrent_active_time, fs_type; type proc_uid_concurrent_active_time, fs_type;
type proc_uid_concurrent_policy_time, fs_type; type proc_uid_concurrent_policy_time, fs_type;
type proc_uid_cpupower, fs_type;
type proc_uptime, fs_type; type proc_uptime, fs_type;
type proc_version, fs_type; type proc_version, fs_type;
type proc_vmallocinfo, fs_type; type proc_vmallocinfo, fs_type;
......