Allow access to /metadata/libprocessgroup for 25Q2 Beta experiment

Init may write a file to /metadata containing a server override for
memcg v2 MaxActivationDepth for devices in an experiment population.
Use this value instead of the value from cgroups.json if the file
exists.

This will be reverted after the memcg v2 experiment is complete, and
before the final 25Q2 TOT snap. The final MaxActivationDepth value will
be committed to cgroups.json on AOSP. go/android-memcgv2-exp

Bug: 384577842
Test: setprop persist.device_config.mglru_native.lru_gen_config all
Test: grep memory /sys/fs/cgroup/*/cgroup.subtree_control
Test: reboot, then grep memory /sys/fs/cgroup/*/cgroup.subtree_control (again)
Test: Also tested with corp credentials and server flags in teamfood/droidfood.
Change-Id: Iaf3f4cc63526827a5ade67058d3c602f44e4d8a5
diff --git a/private/memcgv2_activation_depth.te b/private/memcgv2_activation_depth.te
new file mode 100644
index 0000000..80378d3
--- /dev/null
+++ b/private/memcgv2_activation_depth.te
@@ -0,0 +1,26 @@
+# The memcgv2_activation_depth.sh script run by init.
+
+type memcgv2_activation_depth, domain, coredomain;
+type memcgv2_activation_depth_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(memcgv2_activation_depth)
+
+# required permissions to run the script from init
+allow memcgv2_activation_depth shell_exec:file rx_file_perms;
+allow memcgv2_activation_depth system_file:file x_file_perms;
+allow memcgv2_activation_depth toolbox_exec:file rx_file_perms;
+
+# for system default max activation depth
+allow memcgv2_activation_depth cgroup_desc_file:file r_file_perms;
+
+# /metadata/libprocessgroup/*
+allow memcgv2_activation_depth libprocessgroup_metadata_file:dir rw_dir_perms;
+allow memcgv2_activation_depth libprocessgroup_metadata_file:file create_file_perms;
+
+# /sys/fs/cgroup/cgroup.controllers
+# /sys/fs/cgroup/**/cgroup.subtree_control
+allow memcgv2_activation_depth cgroup_v2:dir r_dir_perms;
+allow memcgv2_activation_depth cgroup_v2:file rw_file_perms;
+
+# For reboot, when reducing the depth override
+set_prop(memcgv2_activation_depth, powerctl_prop)
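Review bot: The closing `set_prop(memcgv2_activation_depth, powerctl_prop)` lets a shell-script domain reboot the device based on a file under /metadata, and the same domain also gets `create_file_perms` on `libprocessgroup_metadata_file` even though the description says init writes the override. If the script only reads the override, `r_file_perms` on the file and `r_dir_perms` on the directory would be enough; if it has to rewrite or delete the file, a comment next to the rule should say why. Which other domains may write `libprocessgroup_metadata_file` is not visible in this hunk, so consider a guard such as `neverallow { domain -init -memcgv2_activation_depth } libprocessgroup_metadata_file:file no_w_file_perms;` to keep the input to the reboot path confined. Because the description says this policy will be reverted, a header comment such as `# TODO(b/384577842): temporary, remove when the memcg v2 experiment ends` would keep that visible in the file itself.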