Collapse cgroup_desc_api_file into cgroup_desc_file If ro.product.first_api_level is set, we first attempt to read cgroup_desc_api_file before also reading cgroup_desc_file. There is currently no point distinguishing between the API file and the regular file in sepolicy. Bug: 349105928 Change-Id: I8c2b554f594a01bdae1cf9994dc1eaadb91ad774

commit: 55c17f2f3e0c2fe488abe45d2cd47e2f6de2c511 [log] [tgz]
author: T.J. Mercier <tjmercier@google.com> Thu Oct 17 22:21:21 2024 +0000
committer: T.J. Mercier <tjmercier@google.com> Fri Oct 18 03:39:39 2024 +0000
tree: b0e86d6d4c1aedc17c89c1f12477f23d7c34bcd0
parent: 852d19b5d2369a57a91c08d962f119871e647408 [diff]
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 7bda60c..4c9c7c5 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test

@@ -434,8 +434,8 @@
 /system/bin/hw/android.system.suspend-service                     system_suspend_exec
 /system/etc/aconfig                                               system_aconfig_storage_file
 /system/etc/cgroups.json                                          cgroup_desc_file
-/system/etc/task_profiles/cgroups_0.json                          cgroup_desc_api_file
-/system/etc/task_profiles/cgroups_999.json                        cgroup_desc_api_file
+/system/etc/task_profiles/cgroups_0.json                          cgroup_desc_file
+/system/etc/task_profiles/cgroups_999.json                        cgroup_desc_file
 /system/etc/event-log-tags                                        system_event_log_tags_file
 /system/etc/font_fallback.xml                                     system_font_fallback_file
 /system/etc/group                                                 system_group_file

diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 6414f76..0955797 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts

@@ -113,7 +113,7 @@
 /system/bin/traced               u:object_r:traced_exec:s0
 /system/bin/traced_probes        u:object_r:traced_probes_exec:s0
 /system/etc/cgroups\.json               u:object_r:cgroup_desc_file:s0
-/system/etc/task_profiles/cgroups_[0-9]+\.json               u:object_r:cgroup_desc_api_file:s0
+/system/etc/task_profiles/cgroups_[0-9]+\.json               u:object_r:cgroup_desc_file:s0
 /system/etc/event-log-tags              u:object_r:system_event_log_tags_file:s0
 /system/etc/group                       u:object_r:system_group_file:s0
 /system/etc/ld\.config.*                u:object_r:system_linker_config_file:s0

diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index 67af209..9a0345f 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te

@@ -114,7 +114,6 @@
 allow init cgroup:dir create_dir_perms;
 allow init cgroup:file rw_file_perms;
 allow init cgroup_desc_file:file r_file_perms;
-allow init cgroup_desc_api_file:file r_file_perms;
 allow init cgroup_v2:dir { mounton create_dir_perms};
 allow init cgroup_v2:file rw_file_perms;
 

diff --git a/microdroid/system/private/shell.te b/microdroid/system/private/shell.te
index 0ea67a7..ba88770 100644
--- a/microdroid/system/private/shell.te
+++ b/microdroid/system/private/shell.te

@@ -43,7 +43,6 @@
 
 r_dir_file(shell, cgroup)
 allow shell cgroup_desc_file:file r_file_perms;
-allow shell cgroup_desc_api_file:file r_file_perms;
 r_dir_file(shell, cgroup_v2)
 allow shell domain:dir { search open read getattr };
 allow shell domain:{ file lnk_file } { open read getattr };

diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index 8d3f76a..a6b3122 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te

@@ -6,7 +6,9 @@
 type apex_mnt_dir, file_type;
 type authfs_data_file, file_type, data_file_type, core_data_file_type;
 type authfs_service_socket, file_type, coredomain_socket;
-type cgroup_desc_api_file, file_type, system_file_type;
+until_board_api(202504, `
+    type cgroup_desc_api_file, file_type, system_file_type;
+')
 type cgroup_desc_file, file_type, system_file_type;
 type extra_apk_file, file_type;
 type file_contexts_file, file_type, system_file_type;

diff --git a/private/domain.te b/private/domain.te
index c9a8b63..5b1364d 100644
--- a/private/domain.te
+++ b/private/domain.te

@@ -425,7 +425,6 @@
 allow { domain -appdomain -rs } cgroup_v2:file w_file_perms;
 
 allow domain cgroup_desc_file:file r_file_perms;
-allow domain cgroup_desc_api_file:file r_file_perms;
 allow domain cgroup_rc_file:dir search;
 allow domain cgroup_rc_file:file r_file_perms;
 allow domain task_profiles_file:file r_file_perms;
@@ -1234,7 +1233,6 @@
   } {
     system_file_type
     -cgroup_desc_file
-    -cgroup_desc_api_file
     -crash_dump_exec
     -file_contexts_file
     -netutils_wrapper_exec

diff --git a/private/file_contexts b/private/file_contexts
index 496e954..a70e143 100644
--- a/private/file_contexts
+++ b/private/file_contexts

@@ -365,7 +365,7 @@
 /system/bin/rkp_cert_processor          u:object_r:rkp_cert_processor_exec:s0
 /system/etc/aconfig(/.*)?               u:object_r:system_aconfig_storage_file:s0
 /system/etc/cgroups\.json               u:object_r:cgroup_desc_file:s0
-/system/etc/task_profiles/cgroups_[0-9]+\.json               u:object_r:cgroup_desc_api_file:s0
+/system/etc/task_profiles/cgroups_[0-9]+\.json               u:object_r:cgroup_desc_file:s0
 /system/etc/event-log-tags              u:object_r:system_event_log_tags_file:s0
 /system/etc/font_fallback.xml           u:object_r:system_font_fallback_file:s0
 /system/etc/group                       u:object_r:system_group_file:s0

diff --git a/private/init.te b/private/init.te
index dbb3f02..a3adab5 100644
--- a/private/init.te
+++ b/private/init.te

@@ -237,7 +237,6 @@
 allow init cgroup:file rw_file_perms;
 allow init cgroup_rc_file:file rw_file_perms;
 allow init cgroup_desc_file:file r_file_perms;
-allow init cgroup_desc_api_file:file r_file_perms;
 allow init vendor_cgroup_desc_file:file r_file_perms;
 allow init cgroup_v2:dir { mounton create_dir_perms};
 allow init cgroup_v2:file rw_file_perms;

diff --git a/private/shell.te b/private/shell.te
index a6e9975..0f1ad75 100644
--- a/private/shell.te
+++ b/private/shell.te

@@ -403,7 +403,6 @@
 
 r_dir_file(shell, cgroup)
 allow shell cgroup_desc_file:file r_file_perms;
-allow shell cgroup_desc_api_file:file r_file_perms;
 allow shell vendor_cgroup_desc_file:file r_file_perms;
 r_dir_file(shell, cgroup_v2)
 allow shell domain:dir { search open read getattr };

diff --git a/public/file.te b/public/file.te
index 4f187ec..457974e 100644
--- a/public/file.te
+++ b/public/file.te

@@ -224,10 +224,13 @@
 type tcpdump_exec, system_file_type, exec_type, file_type;
 # Default type for zoneinfo files in /system/usr/share/zoneinfo/*.
 type system_zoneinfo_file, system_file_type, file_type;
-# Cgroups description file under /system/etc/cgroups.json
+# Cgroups description file under /system/etc/cgroups.json or
+# API file under /system/etc/task_profiles/cgroups_*.json
 type cgroup_desc_file, system_file_type, file_type;
-# Cgroups description file under /system/etc/task_profiles/cgroups_*.json
-type cgroup_desc_api_file, system_file_type, file_type;
+until_board_api(202504, `
+    # Cgroups description file under /system/etc/task_profiles/cgroups_*.json
+    type cgroup_desc_api_file, system_file_type, file_type;
+')
 # Vendor cgroups description file under /vendor/etc/cgroups.json
 type vendor_cgroup_desc_file, vendor_file_type, file_type;
 # Task profiles file under /system/etc/task_profiles.json
commit	55c17f2f3e0c2fe488abe45d2cd47e2f6de2c511	[log] [tgz]
author	T.J. Mercier <tjmercier@google.com>	Thu Oct 17 22:21:21 2024 +0000
committer	T.J. Mercier <tjmercier@google.com>	Fri Oct 18 03:39:39 2024 +0000
tree	b0e86d6d4c1aedc17c89c1f12477f23d7c34bcd0
parent	852d19b5d2369a57a91c08d962f119871e647408 [diff]