Revert "sepolicy: rules for uid/pid cgroups v2 hierarchy"
Revert submission 1511692-cgroup v2 uid/pid hierarchy
Reason for revert: Causing intermittent cgroup kernel panics
Reverted Changes:
I80c2a069b:sepolicy: rules for uid/pid cgroups v2 hierarchy
I73f3e767d:libprocessgroup: uid/pid hierarchy for cgroup v2
Bug: 174776875
Change-Id: I63a03bb43d87c9aa564b1436a45fd5ec023aac87
Test: Locally reverted and booted 100 times without kernel panic
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 096a41b..e9e2f42 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -223,7 +223,6 @@
# Untrusted apps are not allowed to use cgroups.
neverallow all_untrusted_apps cgroup:file *;
-neverallow all_untrusted_apps cgroup_v2:file *;
# /mnt/sdcard symlink was supposed to have been removed in Gingerbread. Apps
# must not use it.
diff --git a/private/domain.te b/private/domain.te
index d996007..84fa107 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -54,10 +54,6 @@
allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
allow { domain -appdomain -rs } cgroup:file w_file_perms;
-allow domain cgroup_v2:dir search;
-allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms;
-allow { domain -appdomain -rs } cgroup_v2:file w_file_perms;
-
allow domain cgroup_rc_file:dir search;
allow domain cgroup_rc_file:file r_file_perms;
allow domain task_profiles_file:file r_file_perms;
diff --git a/private/logpersist.te b/private/logpersist.te
index ab2c9c6..ac324df 100644
--- a/private/logpersist.te
+++ b/private/logpersist.te
@@ -4,7 +4,6 @@
userdebug_or_eng(`
r_dir_file(logpersist, cgroup)
- r_dir_file(logpersist, cgroup_v2)
allow logpersist misc_logd_file:file create_file_perms;
allow logpersist misc_logd_file:dir rw_dir_perms;
diff --git a/private/priv_app.te b/private/priv_app.te
index adf66f1..07ed6c7 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -213,7 +213,6 @@
# Do not allow priv_app access to cgroups.
neverallow priv_app cgroup:file *;
-neverallow priv_app cgroup_v2:file *;
# Do not allow loading executable code from non-privileged
# application home directories. Code loading across a security boundary
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 8549bd5..37601b9 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -100,7 +100,6 @@
allow surfaceflinger self:global_capability_class_set sys_nice;
allow surfaceflinger proc_meminfo:file r_file_perms;
r_dir_file(surfaceflinger, cgroup)
-r_dir_file(surfaceflinger, cgroup_v2)
r_dir_file(surfaceflinger, system_file)
allow surfaceflinger tmpfs:dir r_dir_perms;
allow surfaceflinger system_server:fd use;
diff --git a/private/system_app.te b/private/system_app.te
index a8434a8..53c31c2 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -152,7 +152,6 @@
# Settings app writes to /dev/stune/foreground/tasks.
allow system_app cgroup:file w_file_perms;
-allow system_app cgroup_v2:file w_file_perms;
control_logd(system_app)
read_runtime_log_tags(system_app)
diff --git a/private/system_server.te b/private/system_server.te
index 9406384..78abdff 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -839,7 +839,6 @@
# Clean up old cgroups
allow system_server cgroup:dir { remove_name rmdir };
-allow system_server cgroup_v2:dir { remove_name rmdir };
# /oem access
r_dir_file(system_server, oemfs)
@@ -918,8 +917,9 @@
allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
r_dir_file(system_server, cgroup)
-r_dir_file(system_server, cgroup_v2)
allow system_server ion_device:chr_file r_file_perms;
+allow system_server cgroup_v2:dir rw_dir_perms;
+allow system_server cgroup_v2:file rw_file_perms;
# Access to /dev/dma_heap/system
allow system_server dmabuf_system_heap_device:chr_file r_file_perms;
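Review bot: The restored `allow system_server cgroup_v2:dir rw_dir_perms;` / `allow system_server cgroup_v2:file rw_file_perms;` pair grants write access to cgroup v2 files but carries no comment saying what system_server writes there, and it lands after the unrelated `ion_device` rule instead of next to `r_dir_file(system_server, cgroup)` two lines above. Since the first hunk in this file also drops `cgroup_v2:dir { remove_name rmdir }`, a reader cannot tell from the policy alone which v2 operations system_server is still expected to perform. If these two lines are the pre-submission state restored verbatim, that is presumably fine, but a one-line header such as `# Read/write cgroup v2 files (rules predating I80c2a069b)` placed above them, adjacent to the v1 `r_dir_file` line, would make the intent and the broader-than-read grant explicit.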
diff --git a/private/zygote.te b/private/zygote.te
index 722b33d..d3d08bf 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -101,8 +101,6 @@
# Control cgroups.
allow zygote cgroup:dir create_dir_perms;
allow zygote cgroup:{ file lnk_file } r_file_perms;
-allow zygote cgroup_v2:dir create_dir_perms;
-allow zygote cgroup_v2:{ file lnk_file } { r_file_perms setattr };
allow zygote self:global_capability_class_set sys_admin;
# Allow zygote to stat the files that it opens. The zygote must
@@ -185,10 +183,7 @@
get_prop(zygote, device_config_window_manager_native_boot_prop)
# ingore spurious denials
-# fsetid can be checked as a consequence of chmod when using cgroup v2 uid/pid hierarchy. This is
-# done to determine if the file should inherit setgid. In this case, setgid on the file is
-# undesirable, so suppress the denial.
-dontaudit zygote self:global_capability_class_set { sys_resource fsetid };
+dontaudit zygote self:global_capability_class_set sys_resource;
# Ignore spurious denials calling access() on fuse
# TODO(b/151316657): avoid the denials
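Review bot: The narrowed `dontaudit zygote self:global_capability_class_set sys_resource;` loses the explanation that accompanied the `{ sys_resource fsetid }` form, and the only remaining context is the `# ingore spurious denials` header, which has a typo and does not say which zygote operation trips the sys_resource capability check. Dropping `fsetid` from the dontaudit is the right direction, since a suppressed denial is easy to forget and hard to re-audit later. Suggest `# Ignore spurious denials` plus a second comment line naming the triggering operation if it is known, so the suppression can be re-verified when the cgroup v2 hierarchy work is re-landed.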
diff --git a/public/charger.te b/public/charger.te
index 37359e3..f57853a 100644
--- a/public/charger.te
+++ b/public/charger.te
@@ -7,7 +7,6 @@
# Read access to pseudo filesystems.
r_dir_file(charger, rootfs)
r_dir_file(charger, cgroup)
-r_dir_file(charger, cgroup_v2)
# Allow to read /sys/class/power_supply directory
allow charger sysfs_type:dir r_dir_perms;
diff --git a/public/credstore.te b/public/credstore.te
index a2376d2..db16a8d 100644
--- a/public/credstore.te
+++ b/public/credstore.te
@@ -14,4 +14,3 @@
allow credstore dropbox_service:service_manager find;
r_dir_file(credstore, cgroup)
-r_dir_file(credstore, cgroup_v2)
diff --git a/public/dhcp.te b/public/dhcp.te
index 1d875ab..67fd038 100644
--- a/public/dhcp.te
+++ b/public/dhcp.te
@@ -4,7 +4,6 @@
net_domain(dhcp)
allow dhcp cgroup:dir { create write add_name };
-allow dhcp cgroup_v2:dir { create write add_name };
allow dhcp self:global_capability_class_set { setgid setuid net_admin net_raw net_bind_service };
allow dhcp self:packet_socket create_socket_perms_no_ioctl;
allow dhcp self:netlink_route_socket nlmsg_write;
diff --git a/public/domain.te b/public/domain.te
index 6385271..d4274e1 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1331,12 +1331,10 @@
# cgroupfs directories can be created, but not files within them.
neverallow domain cgroup:file create;
-neverallow domain cgroup_v2:file create;
dontaudit domain proc_type:dir write;
dontaudit domain sysfs_type:dir write;
dontaudit domain cgroup:file create;
-dontaudit domain cgroup_v2:file create;
# These are only needed in permissive mode - in enforcing mode the
# directory write check fails and so these are never attempted.
diff --git a/public/drmserver.te b/public/drmserver.te
index 2cf994e..e2c6638 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te
@@ -59,5 +59,4 @@
selinux_check_access(drmserver)
r_dir_file(drmserver, cgroup)
-r_dir_file(drmserver, cgroup_v2)
r_dir_file(drmserver, system_file)
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 93bd1ef..fdd50d1 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -134,7 +134,6 @@
# Read /dev/cpuctl and /dev/cpuset
r_dir_file(dumpstate, cgroup)
-r_dir_file(dumpstate, cgroup_v2)
# Allow dumpstate to make binder calls to any binder service
binder_call(dumpstate, binderservicedomain)
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index cc1d3d9..6ab9727 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -37,4 +37,3 @@
allow gatekeeperd hardware_properties_service:service_manager find;
r_dir_file(gatekeeperd, cgroup)
-r_dir_file(gatekeeperd, cgroup_v2)
diff --git a/public/hal_cas.te b/public/hal_cas.te
index e699a6b..7de6a13 100644
--- a/public/hal_cas.te
+++ b/public/hal_cas.te
@@ -16,10 +16,6 @@
allow hal_cas cgroup:dir { search write };
allow hal_cas cgroup:file w_file_perms;
-r_dir_file(hal_cas, cgroup_v2)
-allow hal_cas cgroup_v2:dir { search write };
-allow hal_cas cgroup_v2:file w_file_perms;
-
# Allow access to ion memory allocation device
allow hal_cas ion_device:chr_file rw_file_perms;
allow hal_cas hal_graphics_allocator:fd use;
diff --git a/public/hal_drm.te b/public/hal_drm.te
index bb1bd91..5987491 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -20,10 +20,6 @@
allow hal_drm cgroup:dir { search write };
allow hal_drm cgroup:file w_file_perms;
-r_dir_file(hal_drm, cgroup_v2)
-allow hal_drm cgroup_v2:dir { search write };
-allow hal_drm cgroup_v2:file w_file_perms;
-
# Allow access to ion memory allocation device
allow hal_drm ion_device:chr_file rw_file_perms;
allow hal_drm hal_graphics_allocator:fd use;
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
index 444cfda..99b6065 100644
--- a/public/hal_fingerprint.te
+++ b/public/hal_fingerprint.te
@@ -14,7 +14,6 @@
allow hal_fingerprint fingerprint_vendor_data_file:dir rw_dir_perms;
r_dir_file(hal_fingerprint, cgroup)
-r_dir_file(hal_fingerprint, cgroup_v2)
r_dir_file(hal_fingerprint, sysfs)
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index f0cf075..4cb0c5a 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -11,8 +11,6 @@
allow hal_telephony_server self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };
allow hal_telephony_server cgroup:dir create_dir_perms;
allow hal_telephony_server cgroup:{ file lnk_file } r_file_perms;
-allow hal_telephony_server cgroup_v2:dir create_dir_perms;
-allow hal_telephony_server cgroup_v2:{ file lnk_file } r_file_perms;
allow hal_telephony_server radio_device:chr_file rw_file_perms;
allow hal_telephony_server radio_device:blk_file r_file_perms;
allow hal_telephony_server efs_file:dir create_dir_perms;
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 36bcc65..79a0667 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -13,7 +13,6 @@
allow hal_wifi_supplicant kernel:system module_request;
allow hal_wifi_supplicant self:global_capability_class_set { setuid net_admin setgid net_raw };
allow hal_wifi_supplicant cgroup:dir create_dir_perms;
-allow hal_wifi_supplicant cgroup_v2:dir create_dir_perms;
allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
diff --git a/public/healthd.te b/public/healthd.te
index 05acb84..8673846 100644
--- a/public/healthd.te
+++ b/public/healthd.te
@@ -11,7 +11,6 @@
allow healthd sysfs:dir r_dir_perms;
r_dir_file(healthd, rootfs)
r_dir_file(healthd, cgroup)
-r_dir_file(healthd, cgroup_v2)
allow healthd self:global_capability_class_set { sys_tty_config };
allow healthd self:global_capability_class_set sys_boot;
diff --git a/public/init.te b/public/init.te
index b342f24..0bbeb29 100644
--- a/public/init.te
+++ b/public/init.te
@@ -96,6 +96,7 @@
postinstall_mnt_dir
mirror_data_file
}:dir mounton;
+allow init cgroup_v2:dir { mounton create_dir_perms };
# Mount bpf fs on sys/fs/bpf
allow init fs_bpf:dir mounton;
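Review bot: The re-added `allow init cgroup_v2:dir { mounton create_dir_perms };` has no comment, unlike the neighbouring `# Mount bpf fs on sys/fs/bpf` rule, and it sits apart from the `cgroup_desc_file`/`vendor_cgroup_desc_file` rules that the second hunk of this file touches. That second hunk also drops `allow init cgroup_v2:file rw_file_perms;`, so after this change init can mount and create directories under the cgroup v2 mount but cannot write its control files; if init's cgroup setup on this branch writes any v2 file (for example enabling controllers through `cgroup.subtree_control`), that would now be denied at boot — presumably the paired libprocessgroup revert (I73f3e767d) removes that path, but it is worth confirming. A header line such as `# Mount cgroup v2 and create its controller directories` above the rule would document the intended scope.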
@@ -124,8 +125,6 @@
allow init cgroup_desc_file:file r_file_perms;
allow init cgroup_desc_api_file:file r_file_perms;
allow init vendor_cgroup_desc_file:file r_file_perms;
-allow init cgroup_v2:dir { mounton create_dir_perms};
-allow init cgroup_v2:file rw_file_perms;
# /config
allow init configfs:dir mounton;
diff --git a/public/inputflinger.te b/public/inputflinger.te
index b62c06d..c3f4da8 100644
--- a/public/inputflinger.te
+++ b/public/inputflinger.te
@@ -13,4 +13,3 @@
allow inputflinger input_device:chr_file rw_file_perms;
r_dir_file(inputflinger, cgroup)
-r_dir_file(inputflinger, cgroup_v2)
diff --git a/public/installd.te b/public/installd.te
index 0efd33c..53acaf0 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -26,7 +26,6 @@
allow installd oemfs:dir r_dir_perms;
allow installd oemfs:file r_file_perms;
allow installd cgroup:dir create_dir_perms;
-allow installd cgroup_v2:dir create_dir_perms;
allow installd mnt_expand_file:dir { search getattr };
# Check validity of SELinux context before use.
selinux_check_context(installd)
diff --git a/public/keystore.te b/public/keystore.te
index 3ecf90a..3fac95f 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -20,7 +20,6 @@
selinux_check_access(keystore)
r_dir_file(keystore, cgroup)
-r_dir_file(keystore, cgroup_v2)
###
### Neverallow rules
diff --git a/public/lmkd.te b/public/lmkd.te
index de6052d..c9f2e64 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -26,11 +26,9 @@
# Clean up old cgroups
allow lmkd cgroup:dir { remove_name rmdir };
-allow lmkd cgroup_v2:dir { remove_name rmdir };
# Allow to read memcg stats
allow lmkd cgroup:file r_file_perms;
-allow lmkd cgroup_v2:file r_file_perms;
# Set self to SCHED_FIFO
allow lmkd self:global_capability_class_set sys_nice;
diff --git a/public/logd.te b/public/logd.te
index 8187179..b0acb14 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -4,7 +4,6 @@
# Read access to pseudo filesystems.
r_dir_file(logd, cgroup)
-r_dir_file(logd, cgroup_v2)
r_dir_file(logd, proc_kmsg)
r_dir_file(logd, proc_meminfo)
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 06f7928..1f34030 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -20,7 +20,6 @@
hal_client_domain(mediaextractor, hal_allocator)
r_dir_file(mediaextractor, cgroup)
-r_dir_file(mediaextractor, cgroup_v2)
allow mediaextractor proc_meminfo:file r_file_perms;
crash_dump_fallback(mediaextractor)
diff --git a/public/mediametrics.te b/public/mediametrics.te
index 468c0d0..0e56b07 100644
--- a/public/mediametrics.te
+++ b/public/mediametrics.te
@@ -12,7 +12,6 @@
allow mediametrics system_server:fd use;
r_dir_file(mediametrics, cgroup)
-r_dir_file(mediametrics, cgroup_v2)
allow mediametrics proc_meminfo:file r_file_perms;
# allows interactions with dumpsys to GMScore
diff --git a/public/mediaserver.te b/public/mediaserver.te
index fdabceb..1978aa3 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -9,7 +9,6 @@
r_dir_file(mediaserver, sdcard_type)
r_dir_file(mediaserver, cgroup)
-r_dir_file(mediaserver, cgroup_v2)
# stat /proc/self
allow mediaserver proc:lnk_file getattr;
diff --git a/public/performanced.te b/public/performanced.te
index d694fda..7dcb5ea 100644
--- a/public/performanced.te
+++ b/public/performanced.te
@@ -28,4 +28,3 @@
# Access /dev/cpuset/cpuset.cpus
r_dir_file(performanced, cgroup)
-r_dir_file(performanced, cgroup_v2)
diff --git a/public/racoon.te b/public/racoon.te
index e4b299e..6888740 100644
--- a/public/racoon.te
+++ b/public/racoon.te
@@ -12,7 +12,6 @@
allow racoon tun_device:chr_file r_file_perms;
allowxperm racoon tun_device:chr_file ioctl TUNSETIFF;
allow racoon cgroup:dir { add_name create };
-allow racoon cgroup_v2:dir { add_name create };
allow racoon kernel:system module_request;
allow racoon self:key_socket create_socket_perms_no_ioctl;
diff --git a/public/sdcardd.te b/public/sdcardd.te
index bb1c919..1ae3770 100644
--- a/public/sdcardd.te
+++ b/public/sdcardd.te
@@ -2,7 +2,6 @@
type sdcardd_exec, system_file_type, exec_type, file_type;
allow sdcardd cgroup:dir create_dir_perms;
-allow sdcardd cgroup_v2:dir create_dir_perms;
allow sdcardd fuse_device:chr_file rw_file_perms;
allow sdcardd rootfs:dir mounton; # TODO: deprecated in M
allow sdcardd sdcardfs:filesystem remount;
diff --git a/public/shell.te b/public/shell.te
index 39ed2f6..1e73e49 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -125,7 +125,6 @@
allow shell cgroup_desc_file:file r_file_perms;
allow shell cgroup_desc_api_file:file r_file_perms;
allow shell vendor_cgroup_desc_file:file r_file_perms;
-r_dir_file(shell, cgroup_v2)
allow shell domain:dir { search open read getattr };
allow shell domain:{ file lnk_file } { open read getattr };
diff --git a/public/vendor_init.te b/public/vendor_init.te
index ca74697..0bdf632 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -16,8 +16,6 @@
# Create cgroups mount points in tmpfs and mount cgroups on them.
allow vendor_init cgroup:dir create_dir_perms;
allow vendor_init cgroup:file w_file_perms;
-allow vendor_init cgroup_v2:dir create_dir_perms;
-allow vendor_init cgroup_v2:file w_file_perms;
# /config
allow vendor_init configfs:dir mounton;