Merge "sepolicy for vendor cgroups.json and task_profiles.json files" am: e3f15e2abc am: b582791324
am: 14a03c82a4
Change-Id: Ibd4f155feae6b925952b90e0078a5229aa74c7bb
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 36fd3ac..60cd276 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -125,8 +125,10 @@
timezonedetector_service
uri_grants_service
use_memfd_prop
+ vendor_cgroup_desc_file
vendor_idc_file
vendor_keychars_file
vendor_keylayout_file
+ vendor_task_profiles_file
vrflinger_vsync_service
watchdogd_tmpfs))
diff --git a/private/domain.te b/private/domain.te
index a48a186..bc05875 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -32,6 +32,7 @@
allow domain cgroup_rc_file:dir search;
allow domain cgroup_rc_file:file r_file_perms;
allow domain task_profiles_file:file r_file_perms;
+allow domain vendor_task_profiles_file:file r_file_perms;
# Allow all domains to read sys.use_memfd to determine
# if memfd support can be used if device supports it
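Review bot: The new `allow domain vendor_task_profiles_file:file r_file_perms;` carries no comment explaining why every domain needs to read a vendor-supplied file, and the same gap applies to `allow init vendor_cgroup_desc_file:file r_file_perms;` in the public/init.te hunk. A line above the rule such as `# Vendor task profiles are loaded alongside the system ones by any process that applies a profile` would record the intent; the actual reader is not visible here, so that wording should be confirmed. Since the file is then parsed in every domain, its integrity depends on the vendor partition being read-only and verified, and keeping the grant at `r_file_perms` is the right scope. It would also help to state in the init.te comment that vendor_cgroup_desc_file is deliberately readable by init alone.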
diff --git a/private/file_contexts b/private/file_contexts
index 155e7a7..c598cff 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -335,6 +335,8 @@
/(vendor|system/vendor)/bin/toybox_vendor u:object_r:vendor_toolbox_exec:s0
/(vendor|system/vendor)/bin/toolbox u:object_r:vendor_toolbox_exec:s0
/(vendor|system/vendor)/etc(/.*)? u:object_r:vendor_configs_file:s0
+/(vendor|system/vendor)/etc/cgroups\.json u:object_r:vendor_cgroup_desc_file:s0
+/(vendor|system/vendor)/etc/task_profiles\.json u:object_r:vendor_task_profiles_file:s0
/(vendor|system/vendor)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
diff --git a/public/domain.te b/public/domain.te
index 21b9851..0d47401 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1037,6 +1037,7 @@
-vendor_keylayout_file
-vendor_overlay_file
-vendor_public_lib_file
+ -vendor_task_profiles_file
-vndk_sp_file
}:file *;
')
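Review bot: The added `-vendor_task_profiles_file` exempts the type from a rule whose permission set is `:file *`, so the exemption covers every file permission while the matching allow in private/domain.te grants only `r_file_perms`. The start of the rule (its keyword and source set) lies outside this hunk, so this reading assumes it is the neverallow that keeps core domains off vendor files. A short comment beside the entry, e.g. `# read by all domains, see private/domain.te`, would explain why the exception exists. vendor_cgroup_desc_file is not exempted here although init is given read access to it in public/init.te; that only builds cleanly if init is already excluded in the part of the rule not shown, which is worth confirming.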
diff --git a/public/file.te b/public/file.te
index b679149..629dc27 100644
--- a/public/file.te
+++ b/public/file.te
@@ -161,8 +161,12 @@
type system_zoneinfo_file, system_file_type, file_type;
# Cgroups description file under /system/etc/cgroups.json
type cgroup_desc_file, system_file_type, file_type;
+# Vendor cgroups description file under /vendor/etc/cgroups.json
+type vendor_cgroup_desc_file, vendor_file_type, file_type;
# Task profiles file under /system/etc/task_profiles.json
type task_profiles_file, system_file_type, file_type;
+# Vendor task profiles file under /vendor/etc/task_profiles.json
+type vendor_task_profiles_file, vendor_file_type, file_type;
# Default type for directories search for
# HAL implementations
diff --git a/public/init.te b/public/init.te
index 131b479..e0a7fcc 100644
--- a/public/init.te
+++ b/public/init.te
@@ -109,6 +109,7 @@
allow init cgroup:file rw_file_perms;
allow init cgroup_rc_file:file rw_file_perms;
allow init cgroup_desc_file:file r_file_perms;
+allow init vendor_cgroup_desc_file:file r_file_perms;
# /config
allow init configfs:dir mounton;