I don't see any security implications. To be actually useful,
/dev/cpu/<n>/cpuid should be world readable. The cpuid instruction
can be called from userspace anyway, so there is nothing to hide.
The device does not support any write operation, so 0444 should
suffice.
Signed-off-by: Andre Przywara <andre.przywara@amd.com>
KERNEL=="tun", NAME="net/%k", MODE="0666"
# CPU
-KERNEL=="cpu[0-9]*", NAME="cpu/%n/cpuid"
+KERNEL=="cpu[0-9]*", NAME="cpu/%n/cpuid", MODE="0444"
KERNEL=="msr[0-9]*", NAME="cpu/%n/msr"
KERNEL=="microcode", NAME="cpu/microcode", MODE="0600"
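Review bot: the msr[0-9]* rule directly below the changed cpu[0-9]* line still carries no explicit MODE, so after this patch the two nodes under cpu/%n/ differ only by whatever default mode applies to msr. The rationale in the commit message (the instruction is callable from userspace, the device has no write operation) is given for cpuid only, so it would help to state the intended msr permissions explicitly in the same hunk, the way the microcode rule does with MODE="0600", so that nobody later widens it by analogy with the cpuid line. A one-line comment above the cpuid rule recording why 0444 is safe would also keep that reasoning next to the rule instead of only in the changelog.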