Allow access to cgroups.json files

libprocessgroup now reads cgroup descriptor files instead of cgroup.rc
which was removed. Both system and vendor domains have users of
libprocessgroup APIs which require access to these files.

Bug: 349105928
Bug: 372273614
Change-Id: I25898ecac543e12bb349fc25070a70333d649872
diff --git a/private/crosvm.te b/private/crosvm.te
index ccfffa0..5613e6f 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -184,6 +184,7 @@
     -vendor_vm_data_file
     # These types are not required for crosvm, but the access is granted to globally in domain.te
     # thus should be exempted here.
+    -vendor_cgroup_desc_file
     -vendor_configs_file
     -vendor_microdroid_file
     -vndk_sp_file
diff --git a/private/domain.te b/private/domain.te
index 03bcb85..c9a8b63 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -424,10 +424,13 @@
 allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms;
 allow { domain -appdomain -rs } cgroup_v2:file w_file_perms;
 
+allow domain cgroup_desc_file:file r_file_perms;
+allow domain cgroup_desc_api_file:file r_file_perms;
 allow domain cgroup_rc_file:dir search;
 allow domain cgroup_rc_file:file r_file_perms;
 allow domain task_profiles_file:file r_file_perms;
 allow domain task_profiles_api_file:file r_file_perms;
+allow domain vendor_cgroup_desc_file:file r_file_perms;
 allow domain vendor_task_profiles_file:file r_file_perms;
 
 # Allow all domains to read sys.use_memfd to determine
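Review bot: The two `cgroup_rc_file` rules kept as context directly below the added lines look stale, since the commit message says cgroup.rc was removed. If no file still carries that label, `allow domain cgroup_rc_file:dir search;` and `allow domain cgroup_rc_file:file r_file_perms;` should be dropped in the same change, so that every domain does not keep a read grant on an unused type. The new rules apply to all of `domain`, including app domains, which matches the neighbouring task_profiles rules. A one-line comment above them, such as `# libprocessgroup reads the cgroup descriptor files (cgroups.json) in every domain.`, would record why the grant is domain-wide.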
@@ -1230,6 +1233,8 @@
     -vendor_init
   } {
     system_file_type
+    -cgroup_desc_file
+    -cgroup_desc_api_file
     -crash_dump_exec
     -file_contexts_file
     -netutils_wrapper_exec
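Review bot: The new `-cgroup_desc_file` and `-cgroup_desc_api_file` exclusions carry no comment saying why they are exempt, and the same holds for `-vendor_cgroup_desc_file` in the hunk at line 2064. The rules these type sets belong to start and end outside the hunks, so presumably they are the system/vendor separation restrictions. Each exclusion is only as narrow as the labelling behind it, and the file_contexts entries and type declarations are not part of this diff. It is worth confirming that the three types label only the cgroups.json descriptor files and nothing writable or executable. A short comment next to each exclusion, such as `# cgroup descriptors are read by libprocessgroup in all domains`, would keep the reason visible to whoever audits these lists later.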
@@ -2064,6 +2069,7 @@
     -vendor_apex_file
     -vendor_apex_metadata_file
     -vendor_boot_ota_file
+    -vendor_cgroup_desc_file
     -vendor_configs_file
     -vendor_microdroid_file
     -vendor_service_contexts_file