domain: grant write perms to cgroups
These rules were moved to domain_deprecated. Move them back to domain.
Files in /acct/uid/*/tasks are well protected by unix permissions.
No information is leaked with write perms.
Change-Id: I8017e906950cba41ce350bc0892a36269ade8d53
diff --git a/bootanim.te b/bootanim.te
index 550c6dc..fa0e4dc 100644
--- a/bootanim.te
+++ b/bootanim.te
@@ -18,10 +18,6 @@
allow bootanim surfaceflinger_service:service_manager find;
-# For /acct/uid/*/tasks.
-allow bootanim cgroup:dir { search write };
-allow bootanim cgroup:file w_file_perms;
-
# Allow access to ion memory allocation device
allow bootanim ion_device:chr_file rw_file_perms;
diff --git a/domain.te b/domain.te
index 6d2eadc..2a63c82 100644
--- a/domain.te
+++ b/domain.te
@@ -121,6 +121,10 @@
allow domain sysfs:dir search;
allow domain selinuxfs:filesystem getattr;
+# For /acct/uid/*/tasks.
+allow domain cgroup:dir { search write };
+allow domain cgroup:file w_file_perms;
+
# Almost all processes log tracing information to
# /sys/kernel/debug/tracing/trace_marker
# The reason behind this is documented in b/6513400
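Review bot: The two rules added to domain.te give every domain `write` on all directories and files labelled `cgroup`, while the comment above them names only /acct/uid/*/tasks. If the `cgroup` type also labels other cgroup hierarchies (not visible in this hunk), those become writable at the SELinux layer as well, and the only remaining control is the unix permissions that the commit message relies on. The comment should record that dependency so a later change to file modes or ownership is reviewed with it in mind, e.g. `# For /acct/uid/*/tasks. Granted to all domains; access is restricted by unix permissions on the cgroup files, not by SELinux.`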
diff --git a/domain_deprecated.te b/domain_deprecated.te
index 0db79da..ed88cca 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -49,10 +49,6 @@
allow domain_deprecated cache_file:file { getattr read };
allow domain_deprecated cache_file:lnk_file r_file_perms;
-# For /acct/uid/*/tasks.
-allow domain_deprecated cgroup:dir { search write };
-allow domain_deprecated cgroup:file w_file_perms;
-
#Allow access to ion memory allocation device
allow domain_deprecated ion_device:chr_file rw_file_perms;