Merge "init/ueventd and system_server no longer need access to /dev/hw_random."
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index cf0fa67..aff3a0a 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -228,6 +228,7 @@
# Untrusted apps are not allowed to use cgroups.
neverallow all_untrusted_apps cgroup:file *;
+neverallow all_untrusted_apps cgroup_v2:file *;
# /mnt/sdcard symlink was supposed to have been removed in Gingerbread. Apps
# must not use it.
diff --git a/private/bpfloader.te b/private/bpfloader.te
index b2e5992..f1932bb 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -4,27 +4,32 @@
typeattribute bpfloader coredomain;
# These permissions are required to pin ebpf maps & programs.
-allow bpfloader fs_bpf:dir { create search write add_name };
-allow bpfloader fs_bpf:file { create setattr read };
+allow bpfloader { fs_bpf fs_bpf_tethering }:dir { add_name create search write };
+allow bpfloader { fs_bpf fs_bpf_tethering }:file { create read setattr };
+allow fs_bpf_tethering fs_bpf:filesystem associate;
# Allow bpfloader to create bpf maps and programs.
allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
allow bpfloader self:capability { chown sys_admin };
+set_prop(bpfloader, bpf_progs_loaded_prop)
+
###
### Neverallow rules
###
-# TODO: get rid of init & vendor_init
-neverallow { domain -init -vendor_init } fs_bpf:dir setattr;
-neverallow { domain -bpfloader } fs_bpf:dir { create write add_name };
-neverallow domain fs_bpf:dir { reparent rename rmdir };
+# TODO: get rid of init & vendor_init; Note: we don't care about getattr/mounton/search
+neverallow { domain -init -vendor_init } { fs_bpf fs_bpf_tethering }:dir { open read setattr };
+neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:dir { add_name create write };
+neverallow domain { fs_bpf fs_bpf_tethering }:dir ~{ add_name create getattr mounton open read search setattr write };
# TODO: get rid of init & vendor_init
-neverallow { domain -bpfloader -init -vendor_init } fs_bpf:file setattr;
-neverallow { domain -bpfloader } fs_bpf:file create;
-neverallow domain fs_bpf:file { rename unlink };
+neverallow { domain -bpfloader -init -vendor_init } { fs_bpf fs_bpf_tethering }:file { map open setattr };
+neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:file create;
+neverallow { domain -bpfloader -gpuservice -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf fs_bpf_tethering }:file read;
+neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { fs_bpf fs_bpf_tethering }:file write;
+neverallow domain { fs_bpf fs_bpf_tethering }:file ~{ create map open read setattr write };
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
@@ -32,9 +37,7 @@
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
-neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;
# No domain should be allowed to ptrace bpfloader
neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
-
-set_prop(bpfloader, bpf_progs_loaded_prop)
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index c90743d..486836b 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -30,6 +30,7 @@
domain_verification_service
dumpstate_tmpfs
framework_watchdog_config_prop
+ fs_bpf_tethering
fwk_stats_service
game_service
font_data_file
diff --git a/private/domain.te b/private/domain.te
index 57e93e4..94bd059 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -54,6 +54,10 @@
allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
allow { domain -appdomain -rs } cgroup:file w_file_perms;
+allow domain cgroup_v2:dir search;
+allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms;
+allow { domain -appdomain -rs } cgroup_v2:file w_file_perms;
+
allow domain cgroup_rc_file:dir search;
allow domain cgroup_rc_file:file r_file_perms;
allow domain task_profiles_file:file r_file_perms;
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 05dc06f..d205cd5 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -349,3 +349,4 @@
genfscon usbfs / u:object_r:usbfs:s0
genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
genfscon bpf / u:object_r:fs_bpf:s0
+genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0
diff --git a/private/logpersist.te b/private/logpersist.te
index ac324df..ab2c9c6 100644
--- a/private/logpersist.te
+++ b/private/logpersist.te
@@ -4,6 +4,7 @@
userdebug_or_eng(`
r_dir_file(logpersist, cgroup)
+ r_dir_file(logpersist, cgroup_v2)
allow logpersist misc_logd_file:file create_file_perms;
allow logpersist misc_logd_file:dir rw_dir_perms;
diff --git a/private/network_stack.te b/private/network_stack.te
index f130e80..9598fa5 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -29,6 +29,13 @@
binder_call(network_stack, netd);
+# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
+# TODO: Remove this permission when 4.9 kernel is deprecated.
+allow network_stack self:key_socket create;
+
+# Grant read permission of connectivity namespace system property prefix.
+get_prop(network_stack, device_config_connectivity_prop)
+
# Create/use netlink_tcpdiag_socket to get tcp info
allow network_stack self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
############### Tethering Service app - Tethering.apk ##############
@@ -37,13 +44,15 @@
allow network_stack self:netlink_netfilter_socket create_socket_perms_no_ioctl;
allow network_stack network_stack_service:service_manager find;
# allow Tethering(network_stack process) to run/update/read the eBPF maps to offload tethering traffic by eBPF.
-allow network_stack fs_bpf:dir search;
-allow network_stack fs_bpf:file { read write };
+allow network_stack { fs_bpf fs_bpf_tethering }:dir search;
+allow network_stack { fs_bpf fs_bpf_tethering }:file { read write };
allow network_stack bpfloader:bpf { map_read map_write prog_run };
-# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
-# TODO: Remove this permission when 4.9 kernel is deprecated.
-allow network_stack self:key_socket create;
+# Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
+# TODO: remove netd once netd/tethering mainline module split is complete
+# Unfortunately init/vendor_init have all sorts of extra privs
+neverallow { domain -bpfloader -init -netd -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;
+neverallow { domain -bpfloader -init -netd -network_stack -vendor_init } fs_bpf_tethering:file *;
-# Grant read permission of connectivity namespace system property prefix.
-get_prop(network_stack, device_config_connectivity_prop)
+neverallow { domain -bpfloader -netd -network_stack } fs_bpf_tethering:dir ~{ getattr open read search setattr };
+neverallow { domain -bpfloader -netd -network_stack } fs_bpf_tethering:file ~{ map open read setattr };
diff --git a/private/priv_app.te b/private/priv_app.te
index 6e85b42..e5889d1 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -240,6 +240,7 @@
# Do not allow priv_app access to cgroups.
neverallow priv_app cgroup:file *;
+neverallow priv_app cgroup_v2:file *;
# Do not allow loading executable code from non-privileged
# application home directories. Code loading across a security boundary
diff --git a/private/property_contexts b/private/property_contexts
index 8778016..7d99a24 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -979,6 +979,7 @@
ro.surface_flinger.set_touch_timer_ms u:object_r:surfaceflinger_prop:s0 exact int
ro.surface_flinger.set_display_power_timer_ms u:object_r:surfaceflinger_prop:s0 exact int
ro.surface_flinger.support_kernel_idle_timer u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.supports_background_blur u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.use_smart_90_for_video u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.use_content_detection_for_refresh_rate u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.color_space_agnostic_dataspace u:object_r:surfaceflinger_prop:s0 exact int
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 37601b9..8549bd5 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -100,6 +100,7 @@
allow surfaceflinger self:global_capability_class_set sys_nice;
allow surfaceflinger proc_meminfo:file r_file_perms;
r_dir_file(surfaceflinger, cgroup)
+r_dir_file(surfaceflinger, cgroup_v2)
r_dir_file(surfaceflinger, system_file)
allow surfaceflinger tmpfs:dir r_dir_perms;
allow surfaceflinger system_server:fd use;
diff --git a/private/system_app.te b/private/system_app.te
index 0aa46e3..36208bf 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -158,6 +158,7 @@
# Settings app writes to /dev/stune/foreground/tasks.
allow system_app cgroup:file w_file_perms;
+allow system_app cgroup_v2:file w_file_perms;
control_logd(system_app)
read_runtime_log_tags(system_app)
diff --git a/private/system_server.te b/private/system_server.te
index deb0776..a2aa259 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -892,8 +892,10 @@
allow system_server frp_block_device:blk_file rw_file_perms;
allowxperm system_server frp_block_device:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
-# Clean up old cgroups
+# Create new process groups and clean up old cgroups
allow system_server cgroup:dir { remove_name rmdir };
+allow system_server cgroup_v2:dir create_dir_perms;
+allow system_server cgroup_v2:file { r_file_perms setattr };
# /oem access
r_dir_file(system_server, oemfs)
@@ -972,9 +974,8 @@
allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
r_dir_file(system_server, cgroup)
+r_dir_file(system_server, cgroup_v2)
allow system_server ion_device:chr_file r_file_perms;
-allow system_server cgroup_v2:dir rw_dir_perms;
-allow system_server cgroup_v2:file rw_file_perms;
# Access to /dev/dma_heap/system
allow system_server dmabuf_system_heap_device:chr_file r_file_perms;
diff --git a/private/zygote.te b/private/zygote.te
index 23fed52..1a3bcc6 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -108,6 +108,8 @@
# Control cgroups.
allow zygote cgroup:dir create_dir_perms;
allow zygote cgroup:{ file lnk_file } r_file_perms;
+allow zygote cgroup_v2:dir create_dir_perms;
+allow zygote cgroup_v2:{ file lnk_file } { r_file_perms setattr };
allow zygote self:global_capability_class_set sys_admin;
# Allow zygote to stat the files that it opens. The zygote must
@@ -190,7 +192,10 @@
get_prop(zygote, device_config_window_manager_native_boot_prop)
# ingore spurious denials
-dontaudit zygote self:global_capability_class_set sys_resource;
+# fsetid can be checked as a consequence of chmod when using cgroup v2 uid/pid hierarchy. This is
+# done to determine if the file should inherit setgid. In this case, setgid on the file is
+# undesirable, so suppress the denial.
+dontaudit zygote self:global_capability_class_set { sys_resource fsetid };
# Ignore spurious denials calling access() on fuse
# TODO(b/151316657): avoid the denials
diff --git a/public/charger.te b/public/charger.te
index f57853a..37359e3 100644
--- a/public/charger.te
+++ b/public/charger.te
@@ -7,6 +7,7 @@
# Read access to pseudo filesystems.
r_dir_file(charger, rootfs)
r_dir_file(charger, cgroup)
+r_dir_file(charger, cgroup_v2)
# Allow to read /sys/class/power_supply directory
allow charger sysfs_type:dir r_dir_perms;
diff --git a/public/credstore.te b/public/credstore.te
index db16a8d..a2376d2 100644
--- a/public/credstore.te
+++ b/public/credstore.te
@@ -14,3 +14,4 @@
allow credstore dropbox_service:service_manager find;
r_dir_file(credstore, cgroup)
+r_dir_file(credstore, cgroup_v2)
diff --git a/public/dhcp.te b/public/dhcp.te
index 67fd038..1d875ab 100644
--- a/public/dhcp.te
+++ b/public/dhcp.te
@@ -4,6 +4,7 @@
net_domain(dhcp)
allow dhcp cgroup:dir { create write add_name };
+allow dhcp cgroup_v2:dir { create write add_name };
allow dhcp self:global_capability_class_set { setgid setuid net_admin net_raw net_bind_service };
allow dhcp self:packet_socket create_socket_perms_no_ioctl;
allow dhcp self:netlink_route_socket nlmsg_write;
diff --git a/public/domain.te b/public/domain.te
index e9ff65b..81163d1 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1320,10 +1320,12 @@
# cgroupfs directories can be created, but not files within them.
neverallow domain cgroup:file create;
+neverallow domain cgroup_v2:file create;
dontaudit domain proc_type:dir write;
dontaudit domain sysfs_type:dir write;
dontaudit domain cgroup:file create;
+dontaudit domain cgroup_v2:file create;
# These are only needed in permissive mode - in enforcing mode the
# directory write check fails and so these are never attempted.
diff --git a/public/drmserver.te b/public/drmserver.te
index a24ad41..eede0fc 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te
@@ -61,4 +61,5 @@
selinux_check_access(drmserver)
r_dir_file(drmserver, cgroup)
+r_dir_file(drmserver, cgroup_v2)
r_dir_file(drmserver, system_file)
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 2c5086f..45540b3 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -134,6 +134,7 @@
# Read /dev/cpuctl and /dev/cpuset
r_dir_file(dumpstate, cgroup)
+r_dir_file(dumpstate, cgroup_v2)
# Allow dumpstate to make binder calls to any binder service
binder_call(dumpstate, binderservicedomain)
diff --git a/public/file.te b/public/file.te
index 181979c..a188c78 100644
--- a/public/file.te
+++ b/public/file.te
@@ -113,6 +113,7 @@
type sysfs_fs_f2fs, sysfs_type, fs_type;
type sysfs_fs_incfs_features, sysfs_type, fs_type;
type fs_bpf, fs_type;
+type fs_bpf_tethering, fs_type;
type configfs, fs_type;
# /sys/devices/cs_etm
type sysfs_devices_cs_etm, fs_type, sysfs_type;
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index 7295c24..d48c5f8 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -39,3 +39,4 @@
allow gatekeeperd hardware_properties_service:service_manager find;
r_dir_file(gatekeeperd, cgroup)
+r_dir_file(gatekeeperd, cgroup_v2)
diff --git a/public/hal_cas.te b/public/hal_cas.te
index 7de6a13..e699a6b 100644
--- a/public/hal_cas.te
+++ b/public/hal_cas.te
@@ -16,6 +16,10 @@
allow hal_cas cgroup:dir { search write };
allow hal_cas cgroup:file w_file_perms;
+r_dir_file(hal_cas, cgroup_v2)
+allow hal_cas cgroup_v2:dir { search write };
+allow hal_cas cgroup_v2:file w_file_perms;
+
# Allow access to ion memory allocation device
allow hal_cas ion_device:chr_file rw_file_perms;
allow hal_cas hal_graphics_allocator:fd use;
diff --git a/public/hal_drm.te b/public/hal_drm.te
index 5987491..bb1bd91 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -20,6 +20,10 @@
allow hal_drm cgroup:dir { search write };
allow hal_drm cgroup:file w_file_perms;
+r_dir_file(hal_drm, cgroup_v2)
+allow hal_drm cgroup_v2:dir { search write };
+allow hal_drm cgroup_v2:file w_file_perms;
+
# Allow access to ion memory allocation device
allow hal_drm ion_device:chr_file rw_file_perms;
allow hal_drm hal_graphics_allocator:fd use;
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
index 99b6065..444cfda 100644
--- a/public/hal_fingerprint.te
+++ b/public/hal_fingerprint.te
@@ -14,6 +14,7 @@
allow hal_fingerprint fingerprint_vendor_data_file:dir rw_dir_perms;
r_dir_file(hal_fingerprint, cgroup)
+r_dir_file(hal_fingerprint, cgroup_v2)
r_dir_file(hal_fingerprint, sysfs)
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index 4cb0c5a..f0cf075 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -11,6 +11,8 @@
allow hal_telephony_server self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };
allow hal_telephony_server cgroup:dir create_dir_perms;
allow hal_telephony_server cgroup:{ file lnk_file } r_file_perms;
+allow hal_telephony_server cgroup_v2:dir create_dir_perms;
+allow hal_telephony_server cgroup_v2:{ file lnk_file } r_file_perms;
allow hal_telephony_server radio_device:chr_file rw_file_perms;
allow hal_telephony_server radio_device:blk_file r_file_perms;
allow hal_telephony_server efs_file:dir create_dir_perms;
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 5fbe9f2..e19ad1c 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -13,6 +13,7 @@
allow hal_wifi_supplicant kernel:system module_request;
allow hal_wifi_supplicant self:global_capability_class_set { setuid net_admin setgid net_raw };
allow hal_wifi_supplicant cgroup:dir create_dir_perms;
+allow hal_wifi_supplicant cgroup_v2:dir create_dir_perms;
allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
diff --git a/public/healthd.te b/public/healthd.te
index 8673846..05acb84 100644
--- a/public/healthd.te
+++ b/public/healthd.te
@@ -11,6 +11,7 @@
allow healthd sysfs:dir r_dir_perms;
r_dir_file(healthd, rootfs)
r_dir_file(healthd, cgroup)
+r_dir_file(healthd, cgroup_v2)
allow healthd self:global_capability_class_set { sys_tty_config };
allow healthd self:global_capability_class_set sys_boot;
diff --git a/public/init.te b/public/init.te
index 520bbb3..069f17d 100644
--- a/public/init.te
+++ b/public/init.te
@@ -103,7 +103,6 @@
postinstall_mnt_dir
mirror_data_file
}:dir mounton;
-allow init cgroup_v2:dir { mounton create_dir_perms };
# Mount bpf fs on sys/fs/bpf
allow init fs_bpf:dir mounton;
@@ -132,6 +131,8 @@
allow init cgroup_desc_file:file r_file_perms;
allow init cgroup_desc_api_file:file r_file_perms;
allow init vendor_cgroup_desc_file:file r_file_perms;
+allow init cgroup_v2:dir { mounton create_dir_perms};
+allow init cgroup_v2:file rw_file_perms;
# /config
allow init configfs:dir mounton;
diff --git a/public/inputflinger.te b/public/inputflinger.te
index c3f4da8..b62c06d 100644
--- a/public/inputflinger.te
+++ b/public/inputflinger.te
@@ -13,3 +13,4 @@
allow inputflinger input_device:chr_file rw_file_perms;
r_dir_file(inputflinger, cgroup)
+r_dir_file(inputflinger, cgroup_v2)
diff --git a/public/installd.te b/public/installd.te
index b9c7b3e..61c8bce 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -26,6 +26,7 @@
allow installd oemfs:dir r_dir_perms;
allow installd oemfs:file r_file_perms;
allow installd cgroup:dir create_dir_perms;
+allow installd cgroup_v2:dir create_dir_perms;
allow installd mnt_expand_file:dir { search getattr };
# Check validity of SELinux context before use.
selinux_check_context(installd)
diff --git a/public/keystore.te b/public/keystore.te
index b8c599c..1c8d3bd 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -24,6 +24,7 @@
selinux_check_access(keystore)
r_dir_file(keystore, cgroup)
+r_dir_file(keystore, cgroup_v2)
###
### Neverallow rules
diff --git a/public/lmkd.te b/public/lmkd.te
index c9f2e64..de6052d 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -26,9 +26,11 @@
# Clean up old cgroups
allow lmkd cgroup:dir { remove_name rmdir };
+allow lmkd cgroup_v2:dir { remove_name rmdir };
# Allow to read memcg stats
allow lmkd cgroup:file r_file_perms;
+allow lmkd cgroup_v2:file r_file_perms;
# Set self to SCHED_FIFO
allow lmkd self:global_capability_class_set sys_nice;
diff --git a/public/logd.te b/public/logd.te
index b0acb14..8187179 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -4,6 +4,7 @@
# Read access to pseudo filesystems.
r_dir_file(logd, cgroup)
+r_dir_file(logd, cgroup_v2)
r_dir_file(logd, proc_kmsg)
r_dir_file(logd, proc_meminfo)
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 1f34030..06f7928 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -20,6 +20,7 @@
hal_client_domain(mediaextractor, hal_allocator)
r_dir_file(mediaextractor, cgroup)
+r_dir_file(mediaextractor, cgroup_v2)
allow mediaextractor proc_meminfo:file r_file_perms;
crash_dump_fallback(mediaextractor)
diff --git a/public/mediametrics.te b/public/mediametrics.te
index 0e56b07..468c0d0 100644
--- a/public/mediametrics.te
+++ b/public/mediametrics.te
@@ -12,6 +12,7 @@
allow mediametrics system_server:fd use;
r_dir_file(mediametrics, cgroup)
+r_dir_file(mediametrics, cgroup_v2)
allow mediametrics proc_meminfo:file r_file_perms;
# allows interactions with dumpsys to GMScore
diff --git a/public/mediaserver.te b/public/mediaserver.te
index d32b9d9..388001d 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -9,6 +9,7 @@
r_dir_file(mediaserver, sdcard_type)
r_dir_file(mediaserver, cgroup)
+r_dir_file(mediaserver, cgroup_v2)
# stat /proc/self
allow mediaserver proc:lnk_file getattr;
diff --git a/public/netd.te b/public/netd.te
index ff0bff6..4472938 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -64,8 +64,9 @@
r_dir_file(netd, cgroup_v2)
-allow netd fs_bpf:dir search;
-allow netd fs_bpf:file { read write };
+# TODO: remove 'fs_bpf_tethering' once netd/tethering mainline module split is completed.
+allow netd { fs_bpf fs_bpf_tethering }:dir search;
+allow netd { fs_bpf fs_bpf_tethering }:file { read write };
# TODO: netd previously thought it needed these permissions to do WiFi related
# work. However, after all the WiFi stuff is gone, we still need them.
diff --git a/public/performanced.te b/public/performanced.te
index 7dcb5ea..d694fda 100644
--- a/public/performanced.te
+++ b/public/performanced.te
@@ -28,3 +28,4 @@
# Access /dev/cpuset/cpuset.cpus
r_dir_file(performanced, cgroup)
+r_dir_file(performanced, cgroup_v2)
diff --git a/public/racoon.te b/public/racoon.te
index 6888740..e4b299e 100644
--- a/public/racoon.te
+++ b/public/racoon.te
@@ -12,6 +12,7 @@
allow racoon tun_device:chr_file r_file_perms;
allowxperm racoon tun_device:chr_file ioctl TUNSETIFF;
allow racoon cgroup:dir { add_name create };
+allow racoon cgroup_v2:dir { add_name create };
allow racoon kernel:system module_request;
allow racoon self:key_socket create_socket_perms_no_ioctl;
diff --git a/public/sdcardd.te b/public/sdcardd.te
index 1ae3770..bb1c919 100644
--- a/public/sdcardd.te
+++ b/public/sdcardd.te
@@ -2,6 +2,7 @@
type sdcardd_exec, system_file_type, exec_type, file_type;
allow sdcardd cgroup:dir create_dir_perms;
+allow sdcardd cgroup_v2:dir create_dir_perms;
allow sdcardd fuse_device:chr_file rw_file_perms;
allow sdcardd rootfs:dir mounton; # TODO: deprecated in M
allow sdcardd sdcardfs:filesystem remount;
diff --git a/public/shell.te b/public/shell.te
index c8aa9e9..29c07a4 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -126,6 +126,7 @@
allow shell cgroup_desc_file:file r_file_perms;
allow shell cgroup_desc_api_file:file r_file_perms;
allow shell vendor_cgroup_desc_file:file r_file_perms;
+r_dir_file(shell, cgroup_v2)
allow shell domain:dir { search open read getattr };
allow shell domain:{ file lnk_file } { open read getattr };
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 685317b..8d436b9 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -16,6 +16,8 @@
# Create cgroups mount points in tmpfs and mount cgroups on them.
allow vendor_init cgroup:dir create_dir_perms;
allow vendor_init cgroup:file w_file_perms;
+allow vendor_init cgroup_v2:dir create_dir_perms;
+allow vendor_init cgroup_v2:file w_file_perms;
# /config
allow vendor_init configfs:dir mounton;