From 4016330115d3af25c94161084fb3f77dce3ba80c Mon Sep 17 00:00:00 2001
From: Andres Oportus <andresoportus@google.com>
Date: Fri, 4 Aug 2017 09:38:38 -0700
Subject: [PATCH] Add neverallow rule for uid_time_in_state

Bug: 62706738
Test: Check that uid_time_in_state can't be read from
the shell without root permissions and that
"dumpsys batterystats --checkin| grep ctf" shows frequency
data (system_server was able to read uid_time_in_state)

Signed-off-by: Andres Oportus <andresoportus@google.com>
Change-Id: Id0780f2464f17d49f06a7bf3158eae7363efb468
---
 private/app_neverallows.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 46c7e2225..26fe3d0e2 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -113,6 +113,9 @@ neverallow all_untrusted_apps proc:file { no_rw_file_perms no_x_file_perms };
 # Avoid all access to kernel configuration
 neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
 
+# Only system_server can access proc_uid_time_in_state
+neverallow { domain -init -system_server } proc_uid_time_in_state:file *;
+
 # Do not allow untrusted apps access to preloads data files
 neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
 
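Review bot: The comment on the added rule says only system_server can access proc_uid_time_in_state, but the rule also exempts init (`-init`), so the comment understates what the policy still permits. I would make it match the rule and say why the exemption exists, for example `# Only init and system_server may access proc_uid_time_in_state; init is exempt because <reason>`, since the reason for the init exemption is not visible in this hunk. The rule is also domain-wide (`{ domain -init -system_server }`), while its neighbours in private/app_neverallows.te all target `all_untrusted_apps`. Someone auditing domain-wide restrictions may not look in this file, so consider moving the rule next to the other domain-wide neverallows or stating in the comment that it applies to every domain.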
-- 
GitLab