snapuserd: sepolicy for setting task-profiles
Post OTA reboot, snapshot-merge threads will be run in the background cgroup so that they don't run on big cores. Hence, use SetTaskProfiles() API to move the thread to the relevant cgroup.
When setting SetTaskProfile API, /dev/cpuset/background/tasks path
is accessed which requires process to be in system group.
Use setgid to move the task to system group.
Bug: 311233916
Test: OTA on Pixel 6 - Verify that merge threads are not run on big
cores
Change-Id: Ie4921910985292b0b05f4ffc70b0d08ad9e4a662
Signed-off-by: Akilesh Kailash <akailash@google.com>
diff --git a/private/snapuserd.te b/private/snapuserd.te
index 8cd9e63..3752e01 100644
--- a/private/snapuserd.te
+++ b/private/snapuserd.te
@@ -33,6 +33,9 @@
allow snapuserd snapuserd_socket:unix_stream_socket { accept listen getattr read write };
allow snapuserd snapuserd_proxy_socket:sock_file write;
+# Required for setting GID to system while calling SetTaskProfile() API
+allow snapuserd self:global_capability_class_set { setgid };
+
# This arises due to first-stage init opening /dev/null without F_CLOEXEC
# (see SetStdioToDevNull in init). When we fork() and execveat() snapuserd
# again, the descriptor leaks into the new process.
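
Review bot: The added rule `allow snapuserd self:global_capability_class_set { setgid };` grants CAP_SETGID as a whole, which lets the domain switch to any GID, while the stated need is only group access to /dev/cpuset/background/tasks. Can snapuserd be given the system group at the point where it is launched, so the domain does not need the capability at runtime? If the capability has to stay, please expand the comment above the rule to name the /dev/cpuset/background/tasks path as the reason, and use one API name consistently: the comment says SetTaskProfile() while the commit message also says SetTaskProfiles().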