sepolicy for vendor cgroups.json and task_profiles.json files

Vendors should be able to specify additional cgroups and task profiles
without changing system files. Add access rules for /vendor/etc/cgroups.json
and /vendor/etc/task_profiles.json files which will augment cgroups and
task profiles specified in /etc/cgroups.json and /etc/task_profiles.json
system files. As with the system files, /vendor/etc/cgroups.json is readable
only by the init process; task_profiles.json is readable by any process that
uses cgroups.

Bug: 124960615
Change-Id: I12fcff0159b4e7935ce15cc19ae36230da0524fc
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 1879468..f7f3a54 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -123,8 +123,10 @@
     timezonedetector_service
     uri_grants_service
     use_memfd_prop
+    vendor_cgroup_desc_file
     vendor_idc_file
     vendor_keychars_file
     vendor_keylayout_file
+    vendor_task_profiles_file
     vrflinger_vsync_service
     watchdogd_tmpfs))
diff --git a/private/domain.te b/private/domain.te
index a48a186..bc05875 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -32,6 +32,7 @@
 allow domain cgroup_rc_file:dir search;
 allow domain cgroup_rc_file:file r_file_perms;
 allow domain task_profiles_file:file r_file_perms;
+allow domain vendor_task_profiles_file:file r_file_perms;
 
 # Allow all domains to read sys.use_memfd to determine
 # if memfd support can be used if device supports it
diff --git a/private/file_contexts b/private/file_contexts
index 988ee25..83be009 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -336,6 +336,8 @@
 /(vendor|system/vendor)/bin/toybox_vendor      u:object_r:vendor_toolbox_exec:s0
 /(vendor|system/vendor)/bin/toolbox            u:object_r:vendor_toolbox_exec:s0
 /(vendor|system/vendor)/etc(/.*)?              u:object_r:vendor_configs_file:s0
+/(vendor|system/vendor)/etc/cgroups\.json      u:object_r:vendor_cgroup_desc_file:s0
+/(vendor|system/vendor)/etc/task_profiles\.json    u:object_r:vendor_task_profiles_file:s0
 
 /(vendor|system/vendor)/lib(64)?/egl(/.*)?     u:object_r:same_process_hal_file:s0
 
diff --git a/public/domain.te b/public/domain.te
index 21b9851..0d47401 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1037,6 +1037,7 @@
     -vendor_keylayout_file
     -vendor_overlay_file
     -vendor_public_lib_file
+    -vendor_task_profiles_file
     -vndk_sp_file
   }:file *;
 ')
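Review bot: The `-vendor_task_profiles_file` exclusion sits in a set that ends in `:file *`, so it exempts the type for every file permission, while private/domain.te grants only `r_file_perms`. The rule header is outside this hunk; presumably it is the neverallow that keeps core domains away from vendor files, so please confirm that writes to this type are still denied by another rule. A short comment on the entry, such as `# read by all processes that use cgroups`, would record why the exception exists. `vendor_cgroup_desc_file` is not excluded here, so init's read presumably depends on init being excluded on the source side of the same rule, which this hunk does not show.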
diff --git a/public/file.te b/public/file.te
index 42491dc..bdcaae7 100644
--- a/public/file.te
+++ b/public/file.te
@@ -158,8 +158,12 @@
 type system_zoneinfo_file, system_file_type, file_type;
 # Cgroups description file under /system/etc/cgroups.json
 type cgroup_desc_file, system_file_type, file_type;
+# Vendor cgroups description file under /vendor/etc/cgroups.json
+type vendor_cgroup_desc_file, vendor_file_type, file_type;
 # Task profiles file under /system/etc/task_profiles.json
 type task_profiles_file, system_file_type, file_type;
+# Vendor task profiles file under /vendor/etc/task_profiles.json
+type vendor_task_profiles_file, vendor_file_type, file_type;
 
 # Default type for directories search for
 # HAL implementations
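Review bot: `vendor_cgroup_desc_file` is declared with the `vendor_file_type` attribute, so any rule elsewhere that grants access on that attribute would also apply to this type. The commit message says /vendor/etc/cgroups.json is readable only by init, and the only explicit grant is the one in public/init.te. Attribute-wide rules are not visible in this diff, so please check whether non-core domains already get read access through `vendor_file_type`. If init-only is really the intent, state it in policy, for example `neverallow { domain -init } vendor_cgroup_desc_file:file { open read };`; otherwise soften the description.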
diff --git a/public/init.te b/public/init.te
index 7f5b3fc..88e8dba 100644
--- a/public/init.te
+++ b/public/init.te
@@ -109,6 +109,7 @@
 allow init cgroup:file rw_file_perms;
 allow init cgroup_rc_file:file rw_file_perms;
 allow init cgroup_desc_file:file r_file_perms;
+allow init vendor_cgroup_desc_file:file r_file_perms;
 
 # /config
 allow init configfs:dir mounton;