commit aa4ce95c6f601c5fa901a12d9f366440bf56c7e2
author Marco Ballesio <balejs@google.com> Thu Feb 11 15:18:11 2021 -0800
committer Marco Ballesio <balejs@google.com> Thu Feb 11 23:40:38 2021 +0000
tree 207658ec84cfd29a88b35b9f82215797beee7f65
parent e8d2732651edfaf9f32df039216cbf54f247e9ec

sepolicy: rules for uid/pid cgroups v2 hierarchy

Bug: 168907513
Test: verified the correct working of the v2 uid/pid hierarchy in normal
and recovery modes

This reverts commit aa8bb3a29b92a342c42c802edac269da5984d1df.

Change-Id: Ib344d500ea49b86e862e223ab58a16601eebef47

private/app_neverallows.te

diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index cf0fa67..aff3a0a 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -228,6 +228,7 @@
 
 # Untrusted apps are not allowed to use cgroups.
 neverallow all_untrusted_apps cgroup:file *;
+neverallow all_untrusted_apps cgroup_v2:file *;
 
 # /mnt/sdcard symlink was supposed to have been removed in Gingerbread. Apps
 # must not use it.

private/domain.te

diff --git a/private/domain.te b/private/domain.te
index 57e93e4..94bd059 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -54,6 +54,10 @@
 allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
 allow { domain -appdomain -rs } cgroup:file w_file_perms;
 
+allow domain cgroup_v2:dir search;
+allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms;
+allow { domain -appdomain -rs } cgroup_v2:file w_file_perms;
+
 allow domain cgroup_rc_file:dir search;
 allow domain cgroup_rc_file:file r_file_perms;
 allow domain task_profiles_file:file r_file_perms;

private/logpersist.te

diff --git a/private/logpersist.te b/private/logpersist.te
index ac324df..ab2c9c6 100644
--- a/private/logpersist.te
+++ b/private/logpersist.te
@@ -4,6 +4,7 @@
 userdebug_or_eng(`
 
   r_dir_file(logpersist, cgroup)
+  r_dir_file(logpersist, cgroup_v2)
 
   allow logpersist misc_logd_file:file create_file_perms;
   allow logpersist misc_logd_file:dir rw_dir_perms;

private/priv_app.te

diff --git a/private/priv_app.te b/private/priv_app.te
index 6e85b42..e5889d1 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -240,6 +240,7 @@
 
 # Do not allow priv_app access to cgroups.
 neverallow priv_app cgroup:file *;
+neverallow priv_app cgroup_v2:file *;
 
 # Do not allow loading executable code from non-privileged
 # application home directories. Code loading across a security boundary

private/surfaceflinger.te

diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 37601b9..8549bd5 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -100,6 +100,7 @@
 allow surfaceflinger self:global_capability_class_set sys_nice;
 allow surfaceflinger proc_meminfo:file r_file_perms;
 r_dir_file(surfaceflinger, cgroup)
+r_dir_file(surfaceflinger, cgroup_v2)
 r_dir_file(surfaceflinger, system_file)
 allow surfaceflinger tmpfs:dir r_dir_perms;
 allow surfaceflinger system_server:fd use;

private/system_app.te

diff --git a/private/system_app.te b/private/system_app.te
index 0aa46e3..36208bf 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -158,6 +158,7 @@
 
 # Settings app writes to /dev/stune/foreground/tasks.
 allow system_app cgroup:file w_file_perms;
+allow system_app cgroup_v2:file w_file_perms;
 
 control_logd(system_app)
 read_runtime_log_tags(system_app)

private/system_server.te

diff --git a/private/system_server.te b/private/system_server.te
index e1919e2..1db7082 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -889,6 +889,7 @@
 
 # Clean up old cgroups
 allow system_server cgroup:dir { remove_name rmdir };
+allow system_server cgroup_v2:dir { remove_name rmdir };
 
 # /oem access
 r_dir_file(system_server, oemfs)
@@ -967,9 +968,8 @@
 allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
 
 r_dir_file(system_server, cgroup)
+r_dir_file(system_server, cgroup_v2)
 allow system_server ion_device:chr_file r_file_perms;
-allow system_server cgroup_v2:dir rw_dir_perms;
-allow system_server cgroup_v2:file rw_file_perms;
 
 # Access to /dev/dma_heap/system
 allow system_server dmabuf_system_heap_device:chr_file r_file_perms;

private/zygote.te

diff --git a/private/zygote.te b/private/zygote.te
index 23fed52..1a3bcc6 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -108,6 +108,8 @@
 # Control cgroups.
 allow zygote cgroup:dir create_dir_perms;
 allow zygote cgroup:{ file lnk_file } r_file_perms;
+allow zygote cgroup_v2:dir create_dir_perms;
+allow zygote cgroup_v2:{ file lnk_file } { r_file_perms setattr };
 allow zygote self:global_capability_class_set sys_admin;
 
 # Allow zygote to stat the files that it opens. The zygote must
@@ -190,7 +192,10 @@
 get_prop(zygote, device_config_window_manager_native_boot_prop)
 
 # ingore spurious denials
-dontaudit zygote self:global_capability_class_set sys_resource;
+# fsetid can be checked as a consequence of chmod when using cgroup v2 uid/pid hierarchy. This is
+# done to determine if the file should inherit setgid. In this case, setgid on the file is
+# undesirable, so suppress the denial.
+dontaudit zygote self:global_capability_class_set { sys_resource fsetid };
 
 # Ignore spurious denials calling access() on fuse
 # TODO(b/151316657): avoid the denials

public/charger.te

diff --git a/public/charger.te b/public/charger.te
index f57853a..37359e3 100644
--- a/public/charger.te
+++ b/public/charger.te
@@ -7,6 +7,7 @@
 # Read access to pseudo filesystems.
 r_dir_file(charger, rootfs)
 r_dir_file(charger, cgroup)
+r_dir_file(charger, cgroup_v2)
 
 # Allow to read /sys/class/power_supply directory
 allow charger sysfs_type:dir r_dir_perms;

public/credstore.te

diff --git a/public/credstore.te b/public/credstore.te
index db16a8d..a2376d2 100644
--- a/public/credstore.te
+++ b/public/credstore.te
@@ -14,3 +14,4 @@
 allow credstore dropbox_service:service_manager find;
 
 r_dir_file(credstore, cgroup)
+r_dir_file(credstore, cgroup_v2)

public/dhcp.te

diff --git a/public/dhcp.te b/public/dhcp.te
index 67fd038..1d875ab 100644
--- a/public/dhcp.te
+++ b/public/dhcp.te
@@ -4,6 +4,7 @@
 net_domain(dhcp)
 
 allow dhcp cgroup:dir { create write add_name };
+allow dhcp cgroup_v2:dir { create write add_name };
 allow dhcp self:global_capability_class_set { setgid setuid net_admin net_raw net_bind_service };
 allow dhcp self:packet_socket create_socket_perms_no_ioctl;
 allow dhcp self:netlink_route_socket nlmsg_write;

public/domain.te

diff --git a/public/domain.te b/public/domain.te
index aaac8f0..6b29595 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1322,10 +1322,12 @@
 
 # cgroupfs directories can be created, but not files within them.
 neverallow domain cgroup:file create;
+neverallow domain cgroup_v2:file create;
 
 dontaudit domain proc_type:dir write;
 dontaudit domain sysfs_type:dir write;
 dontaudit domain cgroup:file create;
+dontaudit domain cgroup_v2:file create;
 
 # These are only needed in permissive mode - in enforcing mode the
 # directory write check fails and so these are never attempted.

public/drmserver.te

diff --git a/public/drmserver.te b/public/drmserver.te
index a24ad41..eede0fc 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te
@@ -61,4 +61,5 @@
 selinux_check_access(drmserver)
 
 r_dir_file(drmserver, cgroup)
+r_dir_file(drmserver, cgroup_v2)
 r_dir_file(drmserver, system_file)

public/dumpstate.te

diff --git a/public/dumpstate.te b/public/dumpstate.te
index 2c5086f..45540b3 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -134,6 +134,7 @@
 
 # Read /dev/cpuctl and /dev/cpuset
 r_dir_file(dumpstate, cgroup)
+r_dir_file(dumpstate, cgroup_v2)
 
 # Allow dumpstate to make binder calls to any binder service
 binder_call(dumpstate, binderservicedomain)

public/gatekeeperd.te

diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index 7295c24..d48c5f8 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -39,3 +39,4 @@
 allow gatekeeperd hardware_properties_service:service_manager find;
 
 r_dir_file(gatekeeperd, cgroup)
+r_dir_file(gatekeeperd, cgroup_v2)

public/hal_cas.te

diff --git a/public/hal_cas.te b/public/hal_cas.te
index 7de6a13..e699a6b 100644
--- a/public/hal_cas.te
+++ b/public/hal_cas.te
@@ -16,6 +16,10 @@
 allow hal_cas cgroup:dir { search write };
 allow hal_cas cgroup:file w_file_perms;
 
+r_dir_file(hal_cas, cgroup_v2)
+allow hal_cas cgroup_v2:dir { search write };
+allow hal_cas cgroup_v2:file w_file_perms;
+
 # Allow access to ion memory allocation device
 allow hal_cas ion_device:chr_file rw_file_perms;
 allow hal_cas hal_graphics_allocator:fd use;

public/hal_drm.te

diff --git a/public/hal_drm.te b/public/hal_drm.te
index 5987491..bb1bd91 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -20,6 +20,10 @@
 allow hal_drm cgroup:dir { search write };
 allow hal_drm cgroup:file w_file_perms;
 
+r_dir_file(hal_drm, cgroup_v2)
+allow hal_drm cgroup_v2:dir { search write };
+allow hal_drm cgroup_v2:file w_file_perms;
+
 # Allow access to ion memory allocation device
 allow hal_drm ion_device:chr_file rw_file_perms;
 allow hal_drm hal_graphics_allocator:fd use;

public/hal_fingerprint.te

diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
index 99b6065..444cfda 100644
--- a/public/hal_fingerprint.te
+++ b/public/hal_fingerprint.te
@@ -14,6 +14,7 @@
 allow hal_fingerprint fingerprint_vendor_data_file:dir rw_dir_perms;
 
 r_dir_file(hal_fingerprint, cgroup)
+r_dir_file(hal_fingerprint, cgroup_v2)
 r_dir_file(hal_fingerprint, sysfs)
 
 

public/hal_telephony.te

diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index 4cb0c5a..f0cf075 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -11,6 +11,8 @@
 allow hal_telephony_server self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };
 allow hal_telephony_server cgroup:dir create_dir_perms;
 allow hal_telephony_server cgroup:{ file lnk_file } r_file_perms;
+allow hal_telephony_server cgroup_v2:dir create_dir_perms;
+allow hal_telephony_server cgroup_v2:{ file lnk_file } r_file_perms;
 allow hal_telephony_server radio_device:chr_file rw_file_perms;
 allow hal_telephony_server radio_device:blk_file r_file_perms;
 allow hal_telephony_server efs_file:dir create_dir_perms;

public/hal_wifi_supplicant.te

diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 5fbe9f2..e19ad1c 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -13,6 +13,7 @@
 allow hal_wifi_supplicant kernel:system module_request;
 allow hal_wifi_supplicant self:global_capability_class_set { setuid net_admin setgid net_raw };
 allow hal_wifi_supplicant cgroup:dir create_dir_perms;
+allow hal_wifi_supplicant cgroup_v2:dir create_dir_perms;
 allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
 allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
 allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;

public/healthd.te

diff --git a/public/healthd.te b/public/healthd.te
index 8673846..05acb84 100644
--- a/public/healthd.te
+++ b/public/healthd.te
@@ -11,6 +11,7 @@
 allow healthd sysfs:dir r_dir_perms;
 r_dir_file(healthd, rootfs)
 r_dir_file(healthd, cgroup)
+r_dir_file(healthd, cgroup_v2)
 
 allow healthd self:global_capability_class_set { sys_tty_config };
 allow healthd self:global_capability_class_set sys_boot;

public/init.te

diff --git a/public/init.te b/public/init.te
index 59e6b4e..e546ece 100644
--- a/public/init.te
+++ b/public/init.te
@@ -103,7 +103,6 @@
     postinstall_mnt_dir
     mirror_data_file
 }:dir mounton;
-allow init cgroup_v2:dir { mounton create_dir_perms };
 
 # Mount bpf fs on sys/fs/bpf
 allow init fs_bpf:dir mounton;
@@ -132,6 +131,8 @@
 allow init cgroup_desc_file:file r_file_perms;
 allow init cgroup_desc_api_file:file r_file_perms;
 allow init vendor_cgroup_desc_file:file r_file_perms;
+allow init cgroup_v2:dir { mounton create_dir_perms};
+allow init cgroup_v2:file rw_file_perms;
 
 # /config
 allow init configfs:dir mounton;

public/inputflinger.te

diff --git a/public/inputflinger.te b/public/inputflinger.te
index c3f4da8..b62c06d 100644
--- a/public/inputflinger.te
+++ b/public/inputflinger.te
@@ -13,3 +13,4 @@
 allow inputflinger input_device:chr_file rw_file_perms;
 
 r_dir_file(inputflinger, cgroup)
+r_dir_file(inputflinger, cgroup_v2)

public/installd.te

diff --git a/public/installd.te b/public/installd.te
index b9c7b3e..61c8bce 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -26,6 +26,7 @@
 allow installd oemfs:dir r_dir_perms;
 allow installd oemfs:file r_file_perms;
 allow installd cgroup:dir create_dir_perms;
+allow installd cgroup_v2:dir create_dir_perms;
 allow installd mnt_expand_file:dir { search getattr };
 # Check validity of SELinux context before use.
 selinux_check_context(installd)

public/keystore.te

diff --git a/public/keystore.te b/public/keystore.te
index b8c599c..1c8d3bd 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -24,6 +24,7 @@
 selinux_check_access(keystore)
 
 r_dir_file(keystore, cgroup)
+r_dir_file(keystore, cgroup_v2)
 
 ###
 ### Neverallow rules

public/lmkd.te

diff --git a/public/lmkd.te b/public/lmkd.te
index c9f2e64..de6052d 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -26,9 +26,11 @@
 
 # Clean up old cgroups
 allow lmkd cgroup:dir { remove_name rmdir };
+allow lmkd cgroup_v2:dir { remove_name rmdir };
 
 # Allow to read memcg stats
 allow lmkd cgroup:file r_file_perms;
+allow lmkd cgroup_v2:file r_file_perms;
 
 # Set self to SCHED_FIFO
 allow lmkd self:global_capability_class_set sys_nice;

public/logd.te

diff --git a/public/logd.te b/public/logd.te
index b0acb14..8187179 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -4,6 +4,7 @@
 
 # Read access to pseudo filesystems.
 r_dir_file(logd, cgroup)
+r_dir_file(logd, cgroup_v2)
 r_dir_file(logd, proc_kmsg)
 r_dir_file(logd, proc_meminfo)
 

public/mediaextractor.te

diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 1f34030..06f7928 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -20,6 +20,7 @@
 hal_client_domain(mediaextractor, hal_allocator)
 
 r_dir_file(mediaextractor, cgroup)
+r_dir_file(mediaextractor, cgroup_v2)
 allow mediaextractor proc_meminfo:file r_file_perms;
 
 crash_dump_fallback(mediaextractor)

public/mediametrics.te

diff --git a/public/mediametrics.te b/public/mediametrics.te
index 0e56b07..468c0d0 100644
--- a/public/mediametrics.te
+++ b/public/mediametrics.te
@@ -12,6 +12,7 @@
 allow mediametrics system_server:fd use;
 
 r_dir_file(mediametrics, cgroup)
+r_dir_file(mediametrics, cgroup_v2)
 allow mediametrics proc_meminfo:file r_file_perms;
 
 # allows interactions with dumpsys to GMScore

public/mediaserver.te

diff --git a/public/mediaserver.te b/public/mediaserver.te
index d32b9d9..388001d 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -9,6 +9,7 @@
 
 r_dir_file(mediaserver, sdcard_type)
 r_dir_file(mediaserver, cgroup)
+r_dir_file(mediaserver, cgroup_v2)
 
 # stat /proc/self
 allow mediaserver proc:lnk_file getattr;

public/performanced.te

diff --git a/public/performanced.te b/public/performanced.te
index 7dcb5ea..d694fda 100644
--- a/public/performanced.te
+++ b/public/performanced.te
@@ -28,3 +28,4 @@
 
 # Access /dev/cpuset/cpuset.cpus
 r_dir_file(performanced, cgroup)
+r_dir_file(performanced, cgroup_v2)

public/racoon.te

diff --git a/public/racoon.te b/public/racoon.te
index 6888740..e4b299e 100644
--- a/public/racoon.te
+++ b/public/racoon.te
@@ -12,6 +12,7 @@
 allow racoon tun_device:chr_file r_file_perms;
 allowxperm racoon tun_device:chr_file ioctl TUNSETIFF;
 allow racoon cgroup:dir { add_name create };
+allow racoon cgroup_v2:dir { add_name create };
 allow racoon kernel:system module_request;
 
 allow racoon self:key_socket create_socket_perms_no_ioctl;

public/sdcardd.te

diff --git a/public/sdcardd.te b/public/sdcardd.te
index 1ae3770..bb1c919 100644
--- a/public/sdcardd.te
+++ b/public/sdcardd.te
@@ -2,6 +2,7 @@
 type sdcardd_exec, system_file_type, exec_type, file_type;
 
 allow sdcardd cgroup:dir create_dir_perms;
+allow sdcardd cgroup_v2:dir create_dir_perms;
 allow sdcardd fuse_device:chr_file rw_file_perms;
 allow sdcardd rootfs:dir mounton;  # TODO: deprecated in M
 allow sdcardd sdcardfs:filesystem remount;

public/shell.te

diff --git a/public/shell.te b/public/shell.te
index c8aa9e9..29c07a4 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -126,6 +126,7 @@
 allow shell cgroup_desc_file:file r_file_perms;
 allow shell cgroup_desc_api_file:file r_file_perms;
 allow shell vendor_cgroup_desc_file:file r_file_perms;
+r_dir_file(shell, cgroup_v2)
 allow shell domain:dir { search open read getattr };
 allow shell domain:{ file lnk_file } { open read getattr };
 

public/vendor_init.te

diff --git a/public/vendor_init.te b/public/vendor_init.te
index 685317b..8d436b9 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -16,6 +16,8 @@
 # Create cgroups mount points in tmpfs and mount cgroups on them.
 allow vendor_init cgroup:dir create_dir_perms;
 allow vendor_init cgroup:file w_file_perms;
+allow vendor_init cgroup_v2:dir create_dir_perms;
+allow vendor_init cgroup_v2:file w_file_perms;
 
 # /config
 allow vendor_init configfs:dir mounton;