Revert^3 "sepolicy: rules for uid/pid cgroups v2 hierarchy"
a54bed6907439ff5b9c51268b6ce331088497859
Bug: 151660495
Test: verified proper boot in regular mode and proper working of adb in
recovery
Change-Id: Id70d27a6162af6ede94661005d80a2a780057089
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index aff3a0a..cf0fa67 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -228,7 +228,6 @@
# Untrusted apps are not allowed to use cgroups.
neverallow all_untrusted_apps cgroup:file *;
-neverallow all_untrusted_apps cgroup_v2:file *;
# /mnt/sdcard symlink was supposed to have been removed in Gingerbread. Apps
# must not use it.
diff --git a/private/domain.te b/private/domain.te
index 4b04e85..062a51e 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -54,10 +54,6 @@
allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
allow { domain -appdomain -rs } cgroup:file w_file_perms;
-allow domain cgroup_v2:dir search;
-allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms;
-allow { domain -appdomain -rs } cgroup_v2:file w_file_perms;
-
allow domain cgroup_rc_file:dir search;
allow domain cgroup_rc_file:file r_file_perms;
allow domain task_profiles_file:file r_file_perms;
diff --git a/private/logpersist.te b/private/logpersist.te
index ab2c9c6..ac324df 100644
--- a/private/logpersist.te
+++ b/private/logpersist.te
@@ -4,7 +4,6 @@
userdebug_or_eng(`
r_dir_file(logpersist, cgroup)
- r_dir_file(logpersist, cgroup_v2)
allow logpersist misc_logd_file:file create_file_perms;
allow logpersist misc_logd_file:dir rw_dir_perms;
diff --git a/private/priv_app.te b/private/priv_app.te
index 4c1d782..9fd319f 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -232,7 +232,6 @@
# Do not allow priv_app access to cgroups.
neverallow priv_app cgroup:file *;
-neverallow priv_app cgroup_v2:file *;
# Do not allow loading executable code from non-privileged
# application home directories. Code loading across a security boundary
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 8549bd5..37601b9 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -100,7 +100,6 @@
allow surfaceflinger self:global_capability_class_set sys_nice;
allow surfaceflinger proc_meminfo:file r_file_perms;
r_dir_file(surfaceflinger, cgroup)
-r_dir_file(surfaceflinger, cgroup_v2)
r_dir_file(surfaceflinger, system_file)
allow surfaceflinger tmpfs:dir r_dir_perms;
allow surfaceflinger system_server:fd use;
diff --git a/private/system_app.te b/private/system_app.te
index 8938931..4284835 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -149,7 +149,6 @@
# Settings app writes to /dev/stune/foreground/tasks.
allow system_app cgroup:file w_file_perms;
-allow system_app cgroup_v2:file w_file_perms;
control_logd(system_app)
read_runtime_log_tags(system_app)
diff --git a/private/system_server.te b/private/system_server.te
index b4f72bd..6767cd1 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -868,7 +868,6 @@
# Clean up old cgroups
allow system_server cgroup:dir { remove_name rmdir };
-allow system_server cgroup_v2:dir { remove_name rmdir };
# /oem access
r_dir_file(system_server, oemfs)
@@ -947,8 +946,9 @@
allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
r_dir_file(system_server, cgroup)
-r_dir_file(system_server, cgroup_v2)
allow system_server ion_device:chr_file r_file_perms;
+allow system_server cgroup_v2:dir rw_dir_perms;
+allow system_server cgroup_v2:file rw_file_perms;
# Access to /dev/dma_heap/system
allow system_server dmabuf_system_heap_device:chr_file r_file_perms;
diff --git a/private/zygote.te b/private/zygote.te
index 1a3bcc6..23fed52 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -108,8 +108,6 @@
# Control cgroups.
allow zygote cgroup:dir create_dir_perms;
allow zygote cgroup:{ file lnk_file } r_file_perms;
-allow zygote cgroup_v2:dir create_dir_perms;
-allow zygote cgroup_v2:{ file lnk_file } { r_file_perms setattr };
allow zygote self:global_capability_class_set sys_admin;
# Allow zygote to stat the files that it opens. The zygote must
@@ -192,10 +190,7 @@
get_prop(zygote, device_config_window_manager_native_boot_prop)
# ingore spurious denials
-# fsetid can be checked as a consequence of chmod when using cgroup v2 uid/pid hierarchy. This is
-# done to determine if the file should inherit setgid. In this case, setgid on the file is
-# undesirable, so suppress the denial.
-dontaudit zygote self:global_capability_class_set { sys_resource fsetid };
+dontaudit zygote self:global_capability_class_set sys_resource;
# Ignore spurious denials calling access() on fuse
# TODO(b/151316657): avoid the denials