commit 51c04ac27b329db75ea1e20bd238147c12c96cf4
author Jonglin Lee <jonglin@google.com> Fri Dec 04 03:12:59 2020 +0000
committer Jonglin Lee <jonglin@google.com> Fri Dec 04 03:12:59 2020 +0000
tree e0f5f00085cfc665a242dfe93b88891b5cda384e
parent f46d7a26c19d87e0d39de9504bc6e6ad6fb1aedb

Revert "sepolicy: rules for uid/pid cgroups v2 hierarchy"

Revert submission 1511692-cgroup v2 uid/pid hierarchy

Reason for revert: Causing intermittent cgroup kernel panics
Reverted Changes:
I80c2a069b:sepolicy: rules for uid/pid cgroups v2 hierarchy
I73f3e767d:libprocessgroup: uid/pid hierarchy for cgroup v2

Bug: 174776875
Change-Id: I63a03bb43d87c9aa564b1436a45fd5ec023aac87
Test: Locally reverted and booted 100 times without kernel panic

private/app_neverallows.te

diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 096a41b..e9e2f42 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -223,7 +223,6 @@
 
 # Untrusted apps are not allowed to use cgroups.
 neverallow all_untrusted_apps cgroup:file *;
-neverallow all_untrusted_apps cgroup_v2:file *;
 
 # /mnt/sdcard symlink was supposed to have been removed in Gingerbread. Apps
 # must not use it.

private/domain.te

diff --git a/private/domain.te b/private/domain.te
index d996007..84fa107 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -54,10 +54,6 @@
 allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
 allow { domain -appdomain -rs } cgroup:file w_file_perms;
 
-allow domain cgroup_v2:dir search;
-allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms;
-allow { domain -appdomain -rs } cgroup_v2:file w_file_perms;
-
 allow domain cgroup_rc_file:dir search;
 allow domain cgroup_rc_file:file r_file_perms;
 allow domain task_profiles_file:file r_file_perms;

private/logpersist.te

diff --git a/private/logpersist.te b/private/logpersist.te
index ab2c9c6..ac324df 100644
--- a/private/logpersist.te
+++ b/private/logpersist.te
@@ -4,7 +4,6 @@
 userdebug_or_eng(`
 
   r_dir_file(logpersist, cgroup)
-  r_dir_file(logpersist, cgroup_v2)
 
   allow logpersist misc_logd_file:file create_file_perms;
   allow logpersist misc_logd_file:dir rw_dir_perms;

private/priv_app.te

diff --git a/private/priv_app.te b/private/priv_app.te
index adf66f1..07ed6c7 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -213,7 +213,6 @@
 
 # Do not allow priv_app access to cgroups.
 neverallow priv_app cgroup:file *;
-neverallow priv_app cgroup_v2:file *;
 
 # Do not allow loading executable code from non-privileged
 # application home directories. Code loading across a security boundary

private/surfaceflinger.te

diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 8549bd5..37601b9 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -100,7 +100,6 @@
 allow surfaceflinger self:global_capability_class_set sys_nice;
 allow surfaceflinger proc_meminfo:file r_file_perms;
 r_dir_file(surfaceflinger, cgroup)
-r_dir_file(surfaceflinger, cgroup_v2)
 r_dir_file(surfaceflinger, system_file)
 allow surfaceflinger tmpfs:dir r_dir_perms;
 allow surfaceflinger system_server:fd use;

private/system_app.te

diff --git a/private/system_app.te b/private/system_app.te
index a8434a8..53c31c2 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -152,7 +152,6 @@
 
 # Settings app writes to /dev/stune/foreground/tasks.
 allow system_app cgroup:file w_file_perms;
-allow system_app cgroup_v2:file w_file_perms;
 
 control_logd(system_app)
 read_runtime_log_tags(system_app)

private/system_server.te

diff --git a/private/system_server.te b/private/system_server.te
index 9406384..78abdff 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -839,7 +839,6 @@
 
 # Clean up old cgroups
 allow system_server cgroup:dir { remove_name rmdir };
-allow system_server cgroup_v2:dir { remove_name rmdir };
 
 # /oem access
 r_dir_file(system_server, oemfs)
@@ -918,8 +917,9 @@
 allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
 
 r_dir_file(system_server, cgroup)
-r_dir_file(system_server, cgroup_v2)
 allow system_server ion_device:chr_file r_file_perms;
+allow system_server cgroup_v2:dir rw_dir_perms;
+allow system_server cgroup_v2:file rw_file_perms;
 
 # Access to /dev/dma_heap/system
 allow system_server dmabuf_system_heap_device:chr_file r_file_perms;

private/zygote.te

diff --git a/private/zygote.te b/private/zygote.te
index 722b33d..d3d08bf 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -101,8 +101,6 @@
 # Control cgroups.
 allow zygote cgroup:dir create_dir_perms;
 allow zygote cgroup:{ file lnk_file } r_file_perms;
-allow zygote cgroup_v2:dir create_dir_perms;
-allow zygote cgroup_v2:{ file lnk_file } { r_file_perms setattr };
 allow zygote self:global_capability_class_set sys_admin;
 
 # Allow zygote to stat the files that it opens. The zygote must
@@ -185,10 +183,7 @@
 get_prop(zygote, device_config_window_manager_native_boot_prop)
 
 # ingore spurious denials
-# fsetid can be checked as a consequence of chmod when using cgroup v2 uid/pid hierarchy. This is
-# done to determine if the file should inherit setgid. In this case, setgid on the file is
-# undesirable, so suppress the denial.
-dontaudit zygote self:global_capability_class_set { sys_resource fsetid };
+dontaudit zygote self:global_capability_class_set sys_resource;
 
 # Ignore spurious denials calling access() on fuse
 # TODO(b/151316657): avoid the denials