Add neverallow rule for uid_time_in_state

Bug: 62706738 Test: Check that uid_time_in_state can't be read from the shell without root permissions and that "dumpsys batterystats --checkin| grep ctf" shows frequency data (system_server was able to read uid_time_in_state) Signed-off-by: Andres Oportus <andresoportus@google.com> Change-Id: Id0780f2464f17d49f06a7bf3158eae7363efb468

Add neverallow rule for uid_time_in_state
Bug: 62706738 Test: Check that uid_time_in_state can't be read from the shell without root permissions and that "dumpsys batterystats --checkin| grep ctf" shows frequency data (system_server was able to read uid_time_in_state) Signed-off-by: Andres Oportus <andresoportus@google.com> Change-Id: Id0780f2464f17d49f06a7bf3158eae7363efb468
40163301 · Andres Oportus · 0b7b849e · 40163301
Commit 40163301 authored 7 years ago by Andres Oportus
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -113,6 +113,9 @@ neverallow all_untrusted_apps proc:file { no_rw_file_perms no_x_file_perms };
 # Avoid all access to kernel configuration
 neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
+# Only system_server can access proc_uid_time_in_state
+neverallow { domain -init -system_server } proc_uid_time_in_state:file *;
 # Do not allow untrusted apps access to preloads data files
 neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;