Revert "Allow system to access all cgroups.json files"

Revert submission 3212512

Reason for revert: Droidmonitor created this revert because of b/372273614. It will be verified through ABTD before submission.

Reverted changes: /q/submissionid:3212512

Change-Id: I7ab68d9ab5cd08587add420d4774a2e7f650acc2
diff --git a/private/artd.te b/private/artd.te
index 8ece9bd..15d7969 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -182,9 +182,6 @@
 allow artd { apex_art_data_file odrefresh_data_file }:dir relabelto;
 allow artd { apex_art_data_file odrefresh_data_file pre_reboot_dexopt_artd_file }:dir mounton;
 
-# Read cgroup descriptors so task profiles can be set
-read_all_cgroup_descriptor_files(artd)
-
 # Neverallow rules.
 
 # Never allow running other binaries without a domain transition.
diff --git a/private/cameraserver.te b/private/cameraserver.te
index b739d25..16c1f3d 100644
--- a/private/cameraserver.te
+++ b/private/cameraserver.te
@@ -70,9 +70,6 @@
   allow cameraserver su:unix_stream_socket { read write };
 ')
 
-# Read cgroup descriptors so task profiles can be set
-read_all_cgroup_descriptor_files(cameraserver)
-
 ###
 ### neverallow rules
 ###
diff --git a/private/domain.te b/private/domain.te
index dd58ad2..03bcb85 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -2064,7 +2064,6 @@
     -vendor_apex_file
     -vendor_apex_metadata_file
     -vendor_boot_ota_file
-    -vendor_cgroup_desc_file
     -vendor_configs_file
     -vendor_microdroid_file
     -vendor_service_contexts_file
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 9d276c7..13b7b9f 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -309,7 +309,6 @@
 # Read /dev/cpuctl and /dev/cpuset
 r_dir_file(dumpstate, cgroup)
 r_dir_file(dumpstate, cgroup_v2)
-read_all_cgroup_descriptor_files(dumpstate)
 
 # Allow dumpstate to make binder calls to any binder service
 binder_call(dumpstate, binderservicedomain)
diff --git a/private/lmkd.te b/private/lmkd.te
index c92c7db..97dc398 100644
--- a/private/lmkd.te
+++ b/private/lmkd.te
@@ -53,9 +53,6 @@
 allow lmkd cgroup:file r_file_perms;
 allow lmkd cgroup_v2:file r_file_perms;
 
-# Read cgroup descriptors so task profiles can be set
-read_all_cgroup_descriptor_files(lmkd)
-
 # Set self to SCHED_FIFO
 allow lmkd self:global_capability_class_set sys_nice;
 
diff --git a/private/logd.te b/private/logd.te
index ae5811d..b6e8b27 100644
--- a/private/logd.te
+++ b/private/logd.te
@@ -53,7 +53,6 @@
 # Read access to pseudo filesystems.
 r_dir_file(logd, cgroup)
 r_dir_file(logd, cgroup_v2)
-read_all_cgroup_descriptor_files(logd)
 r_dir_file(logd, proc_kmsg)
 r_dir_file(logd, proc_meminfo)
 
diff --git a/private/logpersist.te b/private/logpersist.te
index 5faaebd..34022d6 100644
--- a/private/logpersist.te
+++ b/private/logpersist.te
@@ -5,7 +5,6 @@
 
   r_dir_file(logpersist, cgroup)
   r_dir_file(logpersist, cgroup_v2)
-  read_all_cgroup_descriptor_files(logpersist)
 
   allow logpersist misc_logd_file:file create_file_perms;
   allow logpersist misc_logd_file:dir rw_dir_perms;
diff --git a/private/netd.te b/private/netd.te
index 67d90f8e..8b6ea4c 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -94,7 +94,6 @@
 allow netd sysfs_usb:file write;
 
 r_dir_file(netd, cgroup_v2)
-read_all_cgroup_descriptor_files(netd)
 
 # TODO: netd previously thought it needed these permissions to do WiFi related
 #       work.  However, after all the WiFi stuff is gone, we still need them.
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index a8d1283..f6f1d9b 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -114,7 +114,6 @@
 allow surfaceflinger proc_meminfo:file r_file_perms;
 r_dir_file(surfaceflinger, cgroup)
 r_dir_file(surfaceflinger, cgroup_v2)
-read_all_cgroup_descriptor_files(surfaceflinger)
 r_dir_file(surfaceflinger, system_file)
 allow surfaceflinger tmpfs:dir r_dir_perms;
 allow surfaceflinger system_server:fd use;
diff --git a/private/zygote.te b/private/zygote.te
index 5714a53..4815ecc 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -131,7 +131,6 @@
 allow zygote cgroup_v2:dir create_dir_perms;
 allow zygote cgroup_v2:{ file lnk_file } { r_file_perms setattr };
 allow zygote self:global_capability_class_set sys_admin;
-read_all_cgroup_descriptor_files(zygote)
 
 # Allow zygote to stat the files that it opens. The zygote must
 # be able to inspect them so that it can reopen them on fork
diff --git a/public/te_macros b/public/te_macros
index 31c13f7..e446f56 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -1094,13 +1094,3 @@
 # grant CAP_IPC_LOCK to silence avc denials, which is undesireable.
 dontaudit $1 self:global_capability_class_set ipc_lock;
 ')
-
-####################################
-# read_all_cgroup_descriptor_files(domain)
-# Allow domain to open and read all variants of system and vendor cgroup
-# descriptor files.
-define(`read_all_cgroup_descriptor_files', `
-  allow $1 cgroup_desc_file:file r_file_perms;
-  allow $1 cgroup_desc_api_file:file r_file_perms;
-  allow $1 vendor_cgroup_desc_file:file r_file_perms;
-')