Allow access to /metadata/libprocessgroup for 25Q2 Beta experiment
Init may write a file to /metadata containing a server override for
memcg v2 MaxActivationDepth for devices in an experiment population.
Use this value instead of the value from cgroups.json if the file
exists.
This will be reverted after the memcg v2 experiment is complete, and
before the final 25Q2 TOT snap. The final MaxActivationDepth value will
be commited to cgroups.json on AOSP. go/android-memcgv2-exp
Bug: 384577842
Test: setprop persist.device_config.mglru_native.lru_gen_config all
Test: grep memory /sys/fs/cgroup/*/cgroup.subtree_control
Test: reboot, then grep memory /sys/fs/cgroup/*/cgroup.subtree_control (again)
Test: Also tested with corp credentials and server flags in teamfood/droidfood.
Change-Id: Iaf3f4cc63526827a5ade67058d3c602f44e4d8a5
diff --git a/private/domain.te b/private/domain.te
index 6aaf5de..31b544b 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -430,6 +430,8 @@
allow domain task_profiles_file:file r_file_perms;
allow domain vendor_cgroup_desc_file:file r_file_perms;
allow domain vendor_task_profiles_file:file r_file_perms;
+allow domain libprocessgroup_metadata_file:dir r_dir_perms;
+allow domain libprocessgroup_metadata_file:file r_file_perms;
# Allow all domains to read sys.use_memfd to determine
# if memfd support can be used if device supports it
diff --git a/private/file.te b/private/file.te
index b60ce34..3a66143 100644
--- a/private/file.te
+++ b/private/file.te
@@ -231,6 +231,9 @@
# /metadata/prefetch files
type prefetch_metadata_file, file_type;
+# /metadata/libprocessgroup files
+type libprocessgroup_metadata_file, file_type;
+
# Types added in 202504 in public/file.te
until_board_api(202504, `
type binderfs_logs_transactions, fs_type;
diff --git a/private/file_contexts b/private/file_contexts
index 7e7ae7c..7ef3226 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -364,6 +364,7 @@
/system/bin/virtual_camera u:object_r:virtual_camera_exec:s0
/system/bin/hw/android\.frameworks\.bufferhub@1\.0-service u:object_r:fwk_bufferhub_exec:s0
/system/bin/hw/android\.system\.suspend-service u:object_r:system_suspend_exec:s0
+/system/bin/memcgv2_activation_depth\.sh u:object_r:memcgv2_activation_depth_exec:s0
/system/etc/aconfig(/.*)? u:object_r:system_aconfig_storage_file:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_file:s0
@@ -901,6 +902,7 @@
/metadata/aconfig/flags(/.*)? u:object_r:aconfig_storage_flags_metadata_file:s0
/metadata/tradeinmode(/.*)? u:object_r:tradeinmode_metadata_file:s0
/metadata/prefetch(/.*)? u:object_r:prefetch_metadata_file:s0
+/metadata/libprocessgroup(/.*)? u:object_r:libprocessgroup_metadata_file:s0
############################
# mount point for ota metadata
diff --git a/private/memcgv2_activation_depth.te b/private/memcgv2_activation_depth.te
new file mode 100644
index 0000000..80378d3
--- /dev/null
+++ b/private/memcgv2_activation_depth.te
@@ -0,0 +1,26 @@
+# The memcgv2_activation_depth.sh script run by init.
+
+type memcgv2_activation_depth, domain, coredomain;
+type memcgv2_activation_depth_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(memcgv2_activation_depth)
+
+# required permissions to run the script from init
+allow memcgv2_activation_depth shell_exec:file rx_file_perms;
+allow memcgv2_activation_depth system_file:file x_file_perms;
+allow memcgv2_activation_depth toolbox_exec:file rx_file_perms;
+
+# for system default max activation depth
+allow memcgv2_activation_depth cgroup_desc_file:file r_file_perms;
+
+# /metadata/libprocessgroup/*
+allow memcgv2_activation_depth libprocessgroup_metadata_file:dir rw_dir_perms;
+allow memcgv2_activation_depth libprocessgroup_metadata_file:file create_file_perms;
+
+# /sys/fs/cgroup/cgroup.controllers
+# /sys/fs/cgroup/**/cgroup.subtree_control
+allow memcgv2_activation_depth cgroup_v2:dir r_dir_perms;
+allow memcgv2_activation_depth cgroup_v2:file rw_file_perms;
+
+# For reboot, when reducing the depth override
+set_prop(memcgv2_activation_depth, powerctl_prop)