sepolicy: grant system_server process group creation rights
system_server must be allowed to create process groups in behalf of
processes spawned by the app zygote
Bug: 62435375
Bug: 168907513
Test: verified that webview processes are migrated in their own process
group
Change-Id: Icd9cd53b759a79fe4dc46f7ffabc0cf248e6e4b8
diff --git a/private/system_server.te b/private/system_server.te
index 1db7082..a637d3e 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -887,9 +887,10 @@
allow system_server frp_block_device:blk_file rw_file_perms;
allowxperm system_server frp_block_device:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
-# Clean up old cgroups
+# Create new process groups and clean up old cgroups
allow system_server cgroup:dir { remove_name rmdir };
-allow system_server cgroup_v2:dir { remove_name rmdir };
+allow system_server cgroup_v2:dir create_dir_perms;
+allow system_server cgroup_v2:file { r_file_perms setattr };
# /oem access
r_dir_file(system_server, oemfs)