Revert "Allow system to access all cgroups.json files"
Revert submission 3212512
Reason for revert: Droidmonitor created revert due to b/372273614. Will be verifying through ABTD before submission.
Reverted changes: /q/submissionid:3212512
Change-Id: I7ab68d9ab5cd08587add420d4774a2e7f650acc2
diff --git a/private/artd.te b/private/artd.te
index 8ece9bd..15d7969 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -182,9 +182,6 @@
allow artd { apex_art_data_file odrefresh_data_file }:dir relabelto;
allow artd { apex_art_data_file odrefresh_data_file pre_reboot_dexopt_artd_file }:dir mounton;
-# Read cgroup descriptors so task profiles can be set
-read_all_cgroup_descriptor_files(artd)
-
# Neverallow rules.
# Never allow running other binaries without a domain transition.
diff --git a/private/cameraserver.te b/private/cameraserver.te
index b739d25..16c1f3d 100644
--- a/private/cameraserver.te
+++ b/private/cameraserver.te
@@ -70,9 +70,6 @@
allow cameraserver su:unix_stream_socket { read write };
')
-# Read cgroup descriptors so task profiles can be set
-read_all_cgroup_descriptor_files(cameraserver)
-
###
### neverallow rules
###
diff --git a/private/domain.te b/private/domain.te
index dd58ad2..03bcb85 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -2064,7 +2064,6 @@
-vendor_apex_file
-vendor_apex_metadata_file
-vendor_boot_ota_file
- -vendor_cgroup_desc_file
-vendor_configs_file
-vendor_microdroid_file
-vendor_service_contexts_file
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 9d276c7..13b7b9f 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -309,7 +309,6 @@
# Read /dev/cpuctl and /dev/cpuset
r_dir_file(dumpstate, cgroup)
r_dir_file(dumpstate, cgroup_v2)
-read_all_cgroup_descriptor_files(dumpstate)
# Allow dumpstate to make binder calls to any binder service
binder_call(dumpstate, binderservicedomain)
diff --git a/private/lmkd.te b/private/lmkd.te
index c92c7db..97dc398 100644
--- a/private/lmkd.te
+++ b/private/lmkd.te
@@ -53,9 +53,6 @@
allow lmkd cgroup:file r_file_perms;
allow lmkd cgroup_v2:file r_file_perms;
-# Read cgroup descriptors so task profiles can be set
-read_all_cgroup_descriptor_files(lmkd)
-
# Set self to SCHED_FIFO
allow lmkd self:global_capability_class_set sys_nice;
diff --git a/private/logd.te b/private/logd.te
index ae5811d..b6e8b27 100644
--- a/private/logd.te
+++ b/private/logd.te
@@ -53,7 +53,6 @@
# Read access to pseudo filesystems.
r_dir_file(logd, cgroup)
r_dir_file(logd, cgroup_v2)
-read_all_cgroup_descriptor_files(logd)
r_dir_file(logd, proc_kmsg)
r_dir_file(logd, proc_meminfo)
diff --git a/private/logpersist.te b/private/logpersist.te
index 5faaebd..34022d6 100644
--- a/private/logpersist.te
+++ b/private/logpersist.te
@@ -5,7 +5,6 @@
r_dir_file(logpersist, cgroup)
r_dir_file(logpersist, cgroup_v2)
- read_all_cgroup_descriptor_files(logpersist)
allow logpersist misc_logd_file:file create_file_perms;
allow logpersist misc_logd_file:dir rw_dir_perms;
diff --git a/private/netd.te b/private/netd.te
index 67d90f8e..8b6ea4c 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -94,7 +94,6 @@
allow netd sysfs_usb:file write;
r_dir_file(netd, cgroup_v2)
-read_all_cgroup_descriptor_files(netd)
# TODO: netd previously thought it needed these permissions to do WiFi related
# work. However, after all the WiFi stuff is gone, we still need them.
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index a8d1283..f6f1d9b 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -114,7 +114,6 @@
allow surfaceflinger proc_meminfo:file r_file_perms;
r_dir_file(surfaceflinger, cgroup)
r_dir_file(surfaceflinger, cgroup_v2)
-read_all_cgroup_descriptor_files(surfaceflinger)
r_dir_file(surfaceflinger, system_file)
allow surfaceflinger tmpfs:dir r_dir_perms;
allow surfaceflinger system_server:fd use;
diff --git a/private/zygote.te b/private/zygote.te
index 5714a53..4815ecc 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -131,7 +131,6 @@
allow zygote cgroup_v2:dir create_dir_perms;
allow zygote cgroup_v2:{ file lnk_file } { r_file_perms setattr };
allow zygote self:global_capability_class_set sys_admin;
-read_all_cgroup_descriptor_files(zygote)
# Allow zygote to stat the files that it opens. The zygote must
# be able to inspect them so that it can reopen them on fork
diff --git a/public/te_macros b/public/te_macros
index 31c13f7..e446f56 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -1094,13 +1094,3 @@
# grant CAP_IPC_LOCK to silence avc denials, which is undesireable.
dontaudit $1 self:global_capability_class_set ipc_lock;
')
-
-####################################
-# read_all_cgroup_descriptor_files(domain)
-# Allow domain to open and read all variants of system and vendor cgroup
-# descriptor files.
-define(`read_all_cgroup_descriptor_files', `
- allow $1 cgroup_desc_file:file r_file_perms;
- allow $1 cgroup_desc_api_file:file r_file_perms;
- allow $1 vendor_cgroup_desc_file:file r_file_perms;
-')