sepolicy changes to configure cgroup.rc and task_profiles.json access am: 561ce801b0
am: aa1a6a5056
Change-Id: Ie11fb805abbdf3c860a61adce05296c6e0f56dca
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index ef796fa..924726c 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -23,6 +23,8 @@
biometric_service
bpf_progs_loaded_prop
bugreport_service
+ cgroup_desc_file
+ cgroup_rc_file
content_capture_service
content_suggestions_service
cpu_variant_prop
@@ -106,6 +108,7 @@
system_lmk_prop
system_suspend_hwservice
staging_data_file
+ task_profiles_file
testharness_service
test_harness_prop
time_prop
diff --git a/private/domain.te b/private/domain.te
index dda8f21..39b7c75 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -29,6 +29,10 @@
allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
allow { domain -appdomain -rs } cgroup:file w_file_perms;
+allow domain cgroup_rc_file:dir search;
+allow domain cgroup_rc_file:file r_file_perms;
+allow domain task_profiles_file:file r_file_perms;
+
# For now, everyone can access core property files
# Device specific properties are not granted by default
not_compatible_property(`
@@ -188,3 +192,10 @@
-exec_type
-postinstall_file
}:file execute;
+
+# Only init is allowed to write cgroup.rc file
+neverallow {
+ domain
+ -init
+ -vendor_init
+} cgroup_rc_file:file no_w_file_perms;
diff --git a/private/file_contexts b/private/file_contexts
index edd3f57..b793e82 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -93,6 +93,7 @@
/dev/device-mapper u:object_r:dm_device:s0
/dev/eac u:object_r:audio_device:s0
/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
+/dev/cgroup_info(/.*)? u:object_r:cgroup_rc_file:s0
/dev/fscklogs(/.*)? u:object_r:fscklogs:s0
/dev/fuse u:object_r:fuse_device:s0
/dev/graphics(/.*)? u:object_r:graphics_device:s0
@@ -296,6 +297,7 @@
/system/bin/hw/android\.frameworks\.bufferhub@1\.0-service u:object_r:fwk_bufferhub_exec:s0
/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
/system/bin/hw/android\.system\.suspend@1\.0-service u:object_r:hal_system_suspend_default_exec:s0
+/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
/system/etc/ld\.config.* u:object_r:system_linker_config_file:s0
/system/etc/seccomp_policy(/.*)? u:object_r:system_seccomp_policy_file:s0
@@ -310,6 +312,7 @@
/system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
/system/etc/selinux/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
/system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
+/system/etc/task_profiles\.json u:object_r:task_profiles_file:s0
/system/usr/share/zoneinfo(/.*)? u:object_r:system_zoneinfo_file:s0
/system/bin/vr_hwc u:object_r:vr_hwc_exec:s0
/system/bin/adbd u:object_r:adbd_exec:s0
diff --git a/public/domain.te b/public/domain.te
index 03e745c..e086ace 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1051,6 +1051,7 @@
-system_seccomp_policy_file
-system_security_cacerts_file
-system_zoneinfo_file
+ -task_profiles_file
userdebug_or_eng(`-tcpdump_exec')
}:file *;
')
diff --git a/public/file.te b/public/file.te
index 396e4d7..a8f113b 100644
--- a/public/file.te
+++ b/public/file.te
@@ -154,6 +154,10 @@
type tcpdump_exec, system_file_type, exec_type, file_type;
# Default type for zoneinfo files in /system/usr/share/zoneinfo/*.
type system_zoneinfo_file, system_file_type, file_type;
+# Cgroups description file under /system/etc/cgroups.json
+type cgroup_desc_file, system_file_type, file_type;
+# Task profiles file under /system/etc/task_profiles.json
+type task_profiles_file, system_file_type, file_type;
# Default type for directories search for
# HAL implementations
@@ -193,6 +197,8 @@
type runtime_event_log_tags_file, file_type;
# Type for /system/bin/logcat.
type logcat_exec, system_file_type, exec_type, file_type;
+# Speedup access to cgroup map file
+type cgroup_rc_file, file_type;
# /cores for coredumps on userdebug / eng builds
type coredump_file, file_type;
# Default type for anything under /data.
@@ -449,6 +455,7 @@
allow fs_type self:filesystem associate;
allow cgroup tmpfs:filesystem associate;
allow cgroup_bpf tmpfs:filesystem associate;
+allow cgroup_rc_file tmpfs:filesystem associate;
allow sysfs_type sysfs:filesystem associate;
allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
allow file_type labeledfs:filesystem associate;
diff --git a/public/init.te b/public/init.te
index a089c8c..54125ac 100644
--- a/public/init.te
+++ b/public/init.te
@@ -107,6 +107,8 @@
allow init tmpfs:dir mounton;
allow init cgroup:dir create_dir_perms;
allow init cgroup:file rw_file_perms;
+allow init cgroup_rc_file:file rw_file_perms;
+allow init cgroup_desc_file:file r_file_perms;
# /config
allow init configfs:dir mounton;