From dfe063c37dec77f158da06eb21ade5c490949486 Mon Sep 17 00:00:00 2001
From: Marissa Wall <marissaw@google.com>
Date: Fri, 19 Jan 2018 13:48:31 -0800
Subject: [PATCH] sepolicy: restrict access to uid_cpupower files

Do not let apps read /proc/uid_cpupower/time_in_state,
/proc/uid_cpupower/concurrent_active_time,
/proc/uid_cpupower/concurrent_policy_time.

b/71718257

Test: Check that they can't be read from the shell
    without root permissions and system_server was able
    to read them

Change-Id: I812694adfbb4630f7b56aa7096dc2e6dfb148b15
---
 private/compat/26.0/26.0.cil | 1 +
 private/genfs_contexts       | 1 +
 private/system_server.te     | 1 +
 public/app.te                | 3 +++
 public/file.te               | 1 +
 5 files changed, 7 insertions(+)

diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 184d18d64..9dd2ee73f 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -479,6 +479,7 @@
     proc_uid_time_in_state
     proc_uid_concurrent_active_time
     proc_uid_concurrent_policy_time
+    proc_uid_cpupower
     proc_uptime
     proc_version
     proc_vmallocinfo
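Review bot: Listing `proc_uid_cpupower` in this 26.0 mapping set means that vendor policy built against 26.0 keeps whatever access it already had to the versioned `proc` attribute, so the restriction added by this commit binds platform domains only. The opening line of the set is outside the hunk; the neighbouring `proc_uptime` and `proc_version` entries suggest it is the `proc` mapping, but that should be confirmed. This is the usual compatibility trade-off, yet it is worth recording next to the entry, for example `; proc_uid_cpupower was labeled proc in 26.0; vendor rules on proc still reach it`, so that vendor domains with broad `proc` file access get audited separately.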
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 2acaf9f72..8f0d489ab 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -78,6 +78,7 @@ genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0
 genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0
 genfscon proc /uid_concurrent_active_time u:object_r:proc_uid_concurrent_active_time:s0
 genfscon proc /uid_concurrent_policy_time u:object_r:proc_uid_concurrent_policy_time:s0
+genfscon proc /uid_cpupower/ u:object_r:proc_uid_cpupower:s0
 genfscon proc /uptime u:object_r:proc_uptime:s0
 genfscon proc /version u:object_r:proc_version:s0
 genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
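Review bot: The trailing slash in `/uid_cpupower/` on the added genfscon line is load-bearing and has no comment. genfscon matches by path prefix, so the directory `/proc/uid_cpupower` itself should keep the generic proc label while only the entries beneath it become `proc_uid_cpupower`. The `system_server` rule added in private/system_server.te grants only `file` permissions on the new type, which works only under that assumption; dropping the slash later would leave system_server without directory access. A side effect is that any domain allowed to list generic proc directories can still enumerate the file names, though not read their contents. Suggested comment above the line: `# Trailing slash: label only the files under /proc/uid_cpupower/, not the directory itself.`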
diff --git a/private/system_server.te b/private/system_server.te
index 6ebcab5e1..642c8bd0e 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -718,6 +718,7 @@ allow system_server {
 }:file r_file_perms;
 
 allow system_server proc_uid_time_in_state:dir r_dir_perms;
+allow system_server proc_uid_cpupower:file r_file_perms;
 
 r_dir_file(system_server, rootfs)
 
diff --git a/public/app.te b/public/app.te
index 582995a56..3c29946c8 100644
--- a/public/app.te
+++ b/public/app.te
@@ -547,3 +547,6 @@ neverallow appdomain proc_uid_concurrent_active_time:file *;
 
 # Apps cannot access proc_uid_concurrent_policy_time
 neverallow appdomain proc_uid_concurrent_policy_time:file *;
+
+# Apps cannot access proc_uid_cpupower
+neverallow appdomain proc_uid_cpupower:file *;
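Review bot: The added `neverallow appdomain proc_uid_cpupower:file *;` asserts the restriction only for domains carrying the `appdomain` attribute, while the commit's test also depends on the shell being denied. If `shell` is not an appdomain in this tree, that denial holds only because no allow rule exists today, and nothing would flag a later grant at build time. Consider a wider assertion such as `neverallow { domain -system_server } proc_uid_cpupower:file *;`, adjusted for any other domain that legitimately reads these files, since the full reader set is not visible from this patch. The comment could also name what is protected, e.g. `# Apps cannot read the per-UID files under /proc/uid_cpupower/ (time_in_state, concurrent_active_time, concurrent_policy_time)`.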
diff --git a/public/file.te b/public/file.te
index fc554121e..02a43608e 100644
--- a/public/file.te
+++ b/public/file.te
@@ -56,6 +56,7 @@ type proc_uid_procstat_set, fs_type;
 type proc_uid_time_in_state, fs_type;
 type proc_uid_concurrent_active_time, fs_type;
 type proc_uid_concurrent_policy_time, fs_type;
+type proc_uid_cpupower, fs_type;
 type proc_uptime, fs_type;
 type proc_version, fs_type;
 type proc_vmallocinfo, fs_type;
-- 
GitLab