Add rules for per-API level task profiles and cgroup description files

Define access rights for the new per-API-level task profile and cgroup
description files under /system/etc/task_profiles/ (reached as /etc/task_profiles/).

Bug: 172066799
Test: boot with per-API task profiles
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I04c9929fdffe33a9fc82d431a53f47630f9dcfc3
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index f89f2e2..78b7929 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -8,6 +8,7 @@
     ab_update_gki_prop
     adbd_config_prop
     apex_info_file
+    cgroup_desc_api_file
     cgroup_v2
     ctl_snapuserd_prop
     debugfs_kprobes
@@ -46,6 +47,7 @@
     sysfs_devices_cs_etm
     system_server_dumper_service
     system_suspend_control_internal_service
+    task_profiles_api_file
     update_engine_stable_service
     userspace_reboot_metadata_file
     vcn_management_service
diff --git a/private/domain.te b/private/domain.te
index 6cf102f..84fa107 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -57,6 +57,7 @@
 allow domain cgroup_rc_file:dir search;
 allow domain cgroup_rc_file:file r_file_perms;
 allow domain task_profiles_file:file r_file_perms;
+allow domain task_profiles_api_file:file r_file_perms;
 allow domain vendor_task_profiles_file:file r_file_perms;
 
 # Allow all domains to read sys.use_memfd to determine
diff --git a/private/file_contexts b/private/file_contexts
index 7f8aef3..d39b349 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -322,6 +322,7 @@
 /system/bin/hw/android\.hidl\.allocator@1\.0-service          u:object_r:hal_allocator_default_exec:s0
 /system/bin/hw/android\.system\.suspend@1\.0-service          u:object_r:system_suspend_exec:s0
 /system/etc/cgroups\.json               u:object_r:cgroup_desc_file:s0
+/system/etc/task_profiles/cgroups_[0-9]+\.json               u:object_r:cgroup_desc_api_file:s0
 /system/etc/event-log-tags              u:object_r:system_event_log_tags_file:s0
 /system/etc/group                       u:object_r:system_group_file:s0
 /system/etc/ld\.config.*                u:object_r:system_linker_config_file:s0
@@ -339,6 +340,7 @@
 /system/etc/selinux/plat_sepolicy\.cil       u:object_r:sepolicy_file:s0
 /system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
 /system/etc/task_profiles\.json  u:object_r:task_profiles_file:s0
+/system/etc/task_profiles/task_profiles_[0-9]+\.json  u:object_r:task_profiles_api_file:s0
 /system/usr/share/zoneinfo(/.*)? u:object_r:system_zoneinfo_file:s0
 /system/bin/vr_hwc               u:object_r:vr_hwc_exec:s0
 /system/bin/adbd                 u:object_r:adbd_exec:s0
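Review bot: The two new patterns label only files that follow the `cgroups_[0-9]+\.json` / `task_profiles_[0-9]+\.json` naming scheme; the `/system/etc/task_profiles` directory itself and any other file dropped into it keep the default /system label, which is presumably still inside the `system_file_type` set that the Treble neverallow in public/domain.te denies to non-core domains. That means a profile file with a non-numeric suffix would not be mislabeled as the new type but would silently become unreadable to vendor domains, so the naming contract is load-bearing. A short comment above the entries would make that explicit, e.g. `# Per-API-level profiles: the numeric suffix is the API level; files not matching this pattern fall back to system_file.`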
diff --git a/public/domain.te b/public/domain.te
index d4f5a85..d4274e1 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1039,6 +1039,7 @@
     -system_seccomp_policy_file
     -system_security_cacerts_file
     -system_zoneinfo_file
+    -task_profiles_api_file
     -task_profiles_file
     userdebug_or_eng(`-tcpdump_exec')
   }:file *;
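Review bot: The new `-task_profiles_api_file` entry carves the type out of this neverallow for every file permission (`:file *`), although the only access actually granted to it in this change is `allow domain task_profiles_api_file:file r_file_perms` in private/domain.te. That mirrors the existing `-task_profiles_file` exemption, so no additional access is opened, but the reason non-core domains need this file at all is not stated anywhere in the diff. Consider a one-line comment next to the two task-profile entries, e.g. `# task profile files are read by all domains (see private/domain.te), including vendor domains.` The neverallow statement this hunk modifies begins before the hunk.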
diff --git a/public/file.te b/public/file.te
index 782ea40..021779c 100644
--- a/public/file.te
+++ b/public/file.te
@@ -183,10 +183,14 @@
 type system_zoneinfo_file, system_file_type, file_type;
 # Cgroups description file under /system/etc/cgroups.json
 type cgroup_desc_file, system_file_type, file_type;
+# Cgroups description file under /system/etc/task_profiles/cgroups_*.json
+type cgroup_desc_api_file, system_file_type, file_type;
 # Vendor cgroups description file under /vendor/etc/cgroups.json
 type vendor_cgroup_desc_file, vendor_file_type, file_type;
 # Task profiles file under /system/etc/task_profiles.json
 type task_profiles_file, system_file_type, file_type;
+# Task profiles file under /system/etc/task_profiles/task_profiles_*.json
+type task_profiles_api_file, system_file_type, file_type;
 # Vendor task profiles file under /vendor/etc/task_profiles.json
 type vendor_task_profiles_file, vendor_file_type, file_type;
 # Type for /system/apex/com.android.art
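Review bot: The comments on the two new types repeat the glob from file_contexts but do not say what the numeric suffix means, which the commit title ("per-API level") does. Suggest `# Per-API-level cgroups description files under /system/etc/task_profiles/cgroups_<api_level>.json` and `# Per-API-level task profiles under /system/etc/task_profiles/task_profiles_<api_level>.json`. It may also be worth noting in the task_profiles_api_file comment that, unlike cgroup_desc_api_file, it is readable by every domain (private/domain.te) and therefore exempted from the Treble neverallow in public/domain.te, since that asymmetry is otherwise only visible across three files.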
diff --git a/public/init.te b/public/init.te
index d966e68..0bbeb29 100644
--- a/public/init.te
+++ b/public/init.te
@@ -123,6 +123,7 @@
 allow init cgroup:file rw_file_perms;
 allow init cgroup_rc_file:file rw_file_perms;
 allow init cgroup_desc_file:file r_file_perms;
+allow init cgroup_desc_api_file:file r_file_perms;
 allow init vendor_cgroup_desc_file:file r_file_perms;
 
 # /config
diff --git a/public/shell.te b/public/shell.te
index 677d567..1e73e49 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -123,6 +123,7 @@
 
 r_dir_file(shell, cgroup)
 allow shell cgroup_desc_file:file r_file_perms;
+allow shell cgroup_desc_api_file:file r_file_perms;
 allow shell vendor_cgroup_desc_file:file r_file_perms;
 allow shell domain:dir { search open read getattr };
 allow shell domain:{ file lnk_file } { open read getattr };