Merge "Allow access to cgroups.json files" into main
diff --git a/private/crosvm.te b/private/crosvm.te
index ccfffa0..5613e6f 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -184,6 +184,7 @@
-vendor_vm_data_file
# These types are not required for crosvm, but the access is granted to globally in domain.te
# thus should be exempted here.
+ -vendor_cgroup_desc_file
-vendor_configs_file
-vendor_microdroid_file
-vndk_sp_file
diff --git a/private/domain.te b/private/domain.te
index 75bcdf9..b80b110 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -424,10 +424,13 @@
allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms;
allow { domain -appdomain -rs } cgroup_v2:file w_file_perms;
+allow domain cgroup_desc_file:file r_file_perms;
+allow domain cgroup_desc_api_file:file r_file_perms;
allow domain cgroup_rc_file:dir search;
allow domain cgroup_rc_file:file r_file_perms;
allow domain task_profiles_file:file r_file_perms;
allow domain task_profiles_api_file:file r_file_perms;
+allow domain vendor_cgroup_desc_file:file r_file_perms;
allow domain vendor_task_profiles_file:file r_file_perms;
# Allow all domains to read sys.use_memfd to determine
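Review bot: The three new `allow domain … :file r_file_perms;` rules for `cgroup_desc_file`, `cgroup_desc_api_file` and `vendor_cgroup_desc_file` grant read access to every domain, including the app domains that the two `cgroup_v2` rules just above exclude, and nothing in the hunk records why. A comment before them would state the intent, for example `# cgroups.json descriptors: read-only for all domains, must not carry sensitive data` (the wording is for the author to confirm). Unlike `cgroup_rc_file`, the new types get no `dir search` rule, so the change presumably relies on the parent directories already being searchable, which is worth confirming on a device. The type declarations and file_contexts entries for the three types are not in the visible part of the change, so I could not check that the labels are limited to the cgroups.json files.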
@@ -1231,6 +1234,8 @@
-vendor_init
} {
system_file_type
+ -cgroup_desc_file
+ -cgroup_desc_api_file
-crash_dump_exec
-file_contexts_file
-netutils_wrapper_exec
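Review bot: The subtractions `-cgroup_desc_file` and `-cgroup_desc_api_file` added to the `system_file_type` set here, and `-vendor_cgroup_desc_file` in the hunk at -2072, carry no comment. The rule they belong to starts and ends outside the hunk, so the permissions being exempted are not visible. Removing a type from such a set lifts the restriction for every permission the rule names, while the new allow rules only need read. If the rule covers more than read, a narrower follow-up neverallow that still forbids writes to these three types from the same domains would keep the guard. At minimum, a comment such as `# cgroups.json descriptors: readable by all domains, see the cgroup allow rules` would record why they are listed.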
@@ -2072,6 +2077,7 @@
-vendor_apex_file
-vendor_apex_metadata_file
-vendor_boot_ota_file
+ -vendor_cgroup_desc_file
-vendor_configs_file
-vendor_microdroid_file
-vendor_service_contexts_file