Merge "sepolicy: restrict access to uid_cpupower files"

private/compat/26.0/26.0.cil

@@ -479,6 +479,7 @@
     proc_uid_time_in_state
     proc_uid_concurrent_active_time
     proc_uid_concurrent_policy_time
+    proc_uid_cpupower
     proc_uptime
     proc_version
     proc_vmallocinfo

private/genfs_contexts

@@ -78,6 +78,7 @@ genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0
 genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0
 genfscon proc /uid_concurrent_active_time u:object_r:proc_uid_concurrent_active_time:s0
 genfscon proc /uid_concurrent_policy_time u:object_r:proc_uid_concurrent_policy_time:s0
+genfscon proc /uid_cpupower/ u:object_r:proc_uid_cpupower:s0
 genfscon proc /uptime u:object_r:proc_uptime:s0
 genfscon proc /version u:object_r:proc_version:s0
 genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0

private/system_server.te

@@ -718,6 +718,7 @@ allow system_server {
 }:file r_file_perms;
 
 allow system_server proc_uid_time_in_state:dir r_dir_perms;
+allow system_server proc_uid_cpupower:file r_file_perms;
 
 r_dir_file(system_server, rootfs)
 

public/app.te

@@ -547,3 +547,6 @@ neverallow appdomain proc_uid_concurrent_active_time:file *;
 
 # Apps cannot access proc_uid_concurrent_policy_time
 neverallow appdomain proc_uid_concurrent_policy_time:file *;
+
+# Apps cannot access proc_uid_cpupower
+neverallow appdomain proc_uid_cpupower:file *;

public/file.te

@@ -56,6 +56,7 @@ type proc_uid_procstat_set, fs_type;
 type proc_uid_time_in_state, fs_type;
 type proc_uid_concurrent_active_time, fs_type;
 type proc_uid_concurrent_policy_time, fs_type;
+type proc_uid_cpupower, fs_type;
 type proc_uptime, fs_type;
 type proc_version, fs_type;
 type proc_vmallocinfo, fs_type;