sepolicy support for cgroup v2

cgroup v2 is going to be used for freezer v2 support. The cgroup v2 hierarchy
will be mounted by init under /sys/fs/cgroup, hence proper access rights
are necessary for sysfs. After mounting, the cgroup v2 kernfs will use
the label cgroup_v2 and system_manager will handle the freezer.

Bug: 154548692
Test: verified that files under sysfs and cgroup v2 kernfs are accessed
as required to allow proper functioning for the freezer.

Change-Id: Idfb3f6e77b60dad032d1e306d2f9b58cd5775960
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 44d7535..8804303 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -1,4 +1,5 @@
 ;; types removed from current policy
+(type cgroup_bpf)
 (type exported_audio_prop)
 (type exported_dalvik_prop)
 (type exported_ffs_prop)
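Review bot: Declaring `cgroup_bpf` as a removed type here, while 30.0.ignore.cil lists `cgroup_v2` as a brand-new type, means any rule a 30.0 vendor policy wrote against `cgroup_bpf` stops matching files on a cgroup2 mount once genfs_contexts relabels them. If this is really a rename, the usual compat pattern is to map the old versioned attribute onto the new type, along the lines of `(typeattributeset cgroup_bpf_30_0 (cgroup_v2))`, and leave `cgroup_v2` out of the ignore list. The existing mapping for `cgroup_bpf` is outside this hunk, so please confirm which behaviour is intended. Either way, a short comment beside `(type cgroup_bpf)` noting that the cgroup2 label moved to `cgroup_v2` would save the next reader a search.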
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index bcb571d..ada1bcf 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -16,5 +16,5 @@
     profcollectd_data_file
     profcollectd_exec
     profcollectd_service
-    update_engine_stable_service))
-
+    update_engine_stable_service
+    cgroup_v2))
diff --git a/private/genfs_contexts b/private/genfs_contexts
index e67c5d3..433abbc 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -103,7 +103,7 @@
 # selinuxfs booleans can be individually labeled.
 genfscon selinuxfs / u:object_r:selinuxfs:s0
 genfscon cgroup / u:object_r:cgroup:s0
-genfscon cgroup2 / u:object_r:cgroup_bpf:s0
+genfscon cgroup2 / u:object_r:cgroup_v2:s0
 # sysfs labels can be set by userspace.
 genfscon sysfs / u:object_r:sysfs:s0
 genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
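Review bot: The changed `genfscon cgroup2 /` line relabels every cgroup2 mount on the device, not only the new freezer hierarchy under /sys/fs/cgroup, because the rule keys on filesystem type and the root path. Domains that were granted access through `cgroup_bpf` need equivalent `cgroup_v2` rules, and none are visible in this part of the change. It also means one label now covers both the freezer files and whatever the earlier cgroup2 mount exposed, so a write grant made for the freezer extends to both. I would add a comment above the line such as `# All cgroup2 mounts share this label, including the freezer v2 hierarchy under /sys/fs/cgroup.`, and confirm the former `cgroup_bpf` users were migrated.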
diff --git a/private/system_server.te b/private/system_server.te
index 23b710a..26b728f 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -930,6 +930,8 @@
 
 r_dir_file(system_server, cgroup)
 allow system_server ion_device:chr_file r_file_perms;
+allow system_server cgroup_v2:dir r_dir_perms;
+allow system_server cgroup_v2:file rw_file_perms;
 
 r_dir_file(system_server, proc_asound)
 r_dir_file(system_server, proc_net_type)
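Review bot: `allow system_server cgroup_v2:file rw_file_perms;` grants write on every file carrying the `cgroup_v2` label, which after the genfs_contexts change is every file on any cgroup2 mount rather than just the freezer control files. The two new lines also have no comment, unlike most grants in this file, so the reason for write access is not recorded; something like `# Freezer v2: system_server writes freezer control files in the cgroup v2 hierarchy (b/154548692).` would do. If the freezer hierarchy cannot be given its own label, consider pairing this with a `neverallow` that bounds which domains may write `cgroup_v2:file`, so the shared label does not accumulate writers over time. The commit message also mentions sysfs access rights, but no sysfs rule appears in the hunks shown here.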