Allow system to access all cgroups.json files
libprocessgroup now reads cgroup descriptor files instead of cgroup.rc
which was removed. This is performed from only a few contexts, so allow
them here.
Bug: 349105928
Test: presubmit
Change-Id: I397f7fcaa02b89311e07cb27ca4bac1ec3718b4c
diff --git a/private/artd.te b/private/artd.te
index 15d7969..8ece9bd 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -182,6 +182,9 @@
allow artd { apex_art_data_file odrefresh_data_file }:dir relabelto;
allow artd { apex_art_data_file odrefresh_data_file pre_reboot_dexopt_artd_file }:dir mounton;
+# Read cgroup descriptors so task profiles can be set
+read_all_cgroup_descriptor_files(artd)
+
# Neverallow rules.
# Never allow running other binaries without a domain transition.
diff --git a/private/cameraserver.te b/private/cameraserver.te
index 16c1f3d..b739d25 100644
--- a/private/cameraserver.te
+++ b/private/cameraserver.te
@@ -70,6 +70,9 @@
allow cameraserver su:unix_stream_socket { read write };
')
+# Read cgroup descriptors so task profiles can be set
+read_all_cgroup_descriptor_files(cameraserver)
+
###
### neverallow rules
###
diff --git a/private/domain.te b/private/domain.te
index 03bcb85..dd58ad2 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -2064,6 +2064,7 @@
-vendor_apex_file
-vendor_apex_metadata_file
-vendor_boot_ota_file
+ -vendor_cgroup_desc_file
-vendor_configs_file
-vendor_microdroid_file
-vendor_service_contexts_file
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 13b7b9f..9d276c7 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -309,6 +309,7 @@
# Read /dev/cpuctl and /dev/cpuset
r_dir_file(dumpstate, cgroup)
r_dir_file(dumpstate, cgroup_v2)
+read_all_cgroup_descriptor_files(dumpstate)
# Allow dumpstate to make binder calls to any binder service
binder_call(dumpstate, binderservicedomain)
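Review bot: The added `read_all_cgroup_descriptor_files(dumpstate)` line carries no comment, while the identical grant in artd.te, cameraserver.te and lmkd.te is introduced with `# Read cgroup descriptors so task profiles can be set`; the logd, logpersist, netd, surfaceflinger and zygote hunks are in the same bare state. Putting that one comment line above each call keeps the reason for a new read grant discoverable when these domains are next audited. Here the new line is also wedged between the `r_dir_file` pair and the binder_call comment with no separating blank line, unlike the other hunks, which set the grant off from the following stanza.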
diff --git a/private/lmkd.te b/private/lmkd.te
index 97dc398..c92c7db 100644
--- a/private/lmkd.te
+++ b/private/lmkd.te
@@ -53,6 +53,9 @@
allow lmkd cgroup:file r_file_perms;
allow lmkd cgroup_v2:file r_file_perms;
+# Read cgroup descriptors so task profiles can be set
+read_all_cgroup_descriptor_files(lmkd)
+
# Set self to SCHED_FIFO
allow lmkd self:global_capability_class_set sys_nice;
diff --git a/private/logd.te b/private/logd.te
index b6e8b27..ae5811d 100644
--- a/private/logd.te
+++ b/private/logd.te
@@ -53,6 +53,7 @@
# Read access to pseudo filesystems.
r_dir_file(logd, cgroup)
r_dir_file(logd, cgroup_v2)
+read_all_cgroup_descriptor_files(logd)
r_dir_file(logd, proc_kmsg)
r_dir_file(logd, proc_meminfo)
diff --git a/private/logpersist.te b/private/logpersist.te
index 34022d6..5faaebd 100644
--- a/private/logpersist.te
+++ b/private/logpersist.te
@@ -5,6 +5,7 @@
r_dir_file(logpersist, cgroup)
r_dir_file(logpersist, cgroup_v2)
+ read_all_cgroup_descriptor_files(logpersist)
allow logpersist misc_logd_file:file create_file_perms;
allow logpersist misc_logd_file:dir rw_dir_perms;
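Review bot: The new line `+ read_all_cgroup_descriptor_files(logpersist)` is indented by one space, whereas every neighbouring rule in logpersist.te starts at column 0 and the same call in the other hunks is flush left; it should read `read_all_cgroup_descriptor_files(logpersist)` with no leading space. m4 expands it either way, so this is style only, but it stands out in a file that otherwise has no indentation.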
diff --git a/private/netd.te b/private/netd.te
index 8b6ea4c..67d90f8e 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -94,6 +94,7 @@
allow netd sysfs_usb:file write;
r_dir_file(netd, cgroup_v2)
+read_all_cgroup_descriptor_files(netd)
# TODO: netd previously thought it needed these permissions to do WiFi related
# work. However, after all the WiFi stuff is gone, we still need them.
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index f6f1d9b..a8d1283 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -114,6 +114,7 @@
allow surfaceflinger proc_meminfo:file r_file_perms;
r_dir_file(surfaceflinger, cgroup)
r_dir_file(surfaceflinger, cgroup_v2)
+read_all_cgroup_descriptor_files(surfaceflinger)
r_dir_file(surfaceflinger, system_file)
allow surfaceflinger tmpfs:dir r_dir_perms;
allow surfaceflinger system_server:fd use;
diff --git a/private/zygote.te b/private/zygote.te
index 4815ecc..5714a53 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -131,6 +131,7 @@
allow zygote cgroup_v2:dir create_dir_perms;
allow zygote cgroup_v2:{ file lnk_file } { r_file_perms setattr };
allow zygote self:global_capability_class_set sys_admin;
+read_all_cgroup_descriptor_files(zygote)
# Allow zygote to stat the files that it opens. The zygote must
# be able to inspect them so that it can reopen them on fork
diff --git a/public/te_macros b/public/te_macros
index e446f56..31c13f7 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -1094,3 +1094,13 @@
# grant CAP_IPC_LOCK to silence avc denials, which is undesireable.
dontaudit $1 self:global_capability_class_set ipc_lock;
')
+
+####################################
+# read_all_cgroup_descriptor_files(domain)
+# Allow domain to open and read all variants of system and vendor cgroup
+# descriptor files.
+define(`read_all_cgroup_descriptor_files', `
+ allow $1 cgroup_desc_file:file r_file_perms;
+ allow $1 cgroup_desc_api_file:file r_file_perms;
+ allow $1 vendor_cgroup_desc_file:file r_file_perms;
+')
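Review bot: The header comment of read_all_cgroup_descriptor_files should record that granting `vendor_cgroup_desc_file` to a system-side caller only passes policy because this same change adds `-vendor_cgroup_desc_file` to the exemption list in domain.te; a later tidy-up of that list would silently break every caller of this macro. A suggested line under the existing description: `# Note: system callers rely on the vendor_cgroup_desc_file exemption in domain.te.` The macro grants only `file r_file_perms`; whether callers also need `dir search` on the directories holding the descriptors depends on how those paths are labelled in file_contexts, which this change does not show, so that is worth confirming rather than assuming the existing system_file/vendor_file search rules cover it.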