domain_deprecated: remove cgroup access
Logs indicate that all processes that require read access to cgroup
have already been granted it.
Bug: 28760354
Test: build policy
Merged-In: I5826c45f54af32e3d4296df904c8523bb5df5e62
Change-Id: I5826c45f54af32e3d4296df904c8523bb5df5e62
diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index e6760c9..7cfbdff 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -122,7 +122,6 @@
# Read access to pseudo filesystems.
r_dir_file(domain_deprecated, proc)
r_dir_file(domain_deprecated, sysfs)
-r_dir_file(domain_deprecated, cgroup)
userdebug_or_eng(`
auditallow {
@@ -185,32 +184,4 @@
-ueventd
-vold
} sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
-auditallow {
- domain_deprecated
- -appdomain
- -fingerprintd
- -healthd
- -inputflinger
- -installd
- -keystore
- -netd
- -rild
- -surfaceflinger
- -system_server
- -zygote
-} cgroup:dir r_dir_perms;
-auditallow {
- domain_deprecated
- -appdomain
- -fingerprintd
- -healthd
- -inputflinger
- -installd
- -keystore
- -netd
- -rild
- -surfaceflinger
- -system_server
- -zygote
-} cgroup:{ file lnk_file } r_file_perms;
')