sepolicy: rules for uid/pid cgroups v2 hierarchy
the cgroups v2 uid/gid hierarchy will replace cgroup for all sepolicy
rules. For this reason, old rules have to be duplicated to cgroup_v2,
plus some rules must be added to allow the ownership change for cgroup
files created by init and zygote.
Test: booted device, verified correct access from init, system_server
and zygote to the uid/pid cgroup files
Change-Id: I80c2a069b0fb409b442e1160148ddc48e31d6809
diff --git a/private/system_server.te b/private/system_server.te
index 78abdff..9406384 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -839,6 +839,7 @@
# Clean up old cgroups
allow system_server cgroup:dir { remove_name rmdir };
+allow system_server cgroup_v2:dir { remove_name rmdir };
# /oem access
r_dir_file(system_server, oemfs)
@@ -917,9 +918,8 @@
allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
r_dir_file(system_server, cgroup)
+r_dir_file(system_server, cgroup_v2)
allow system_server ion_device:chr_file r_file_perms;
-allow system_server cgroup_v2:dir rw_dir_perms;
-allow system_server cgroup_v2:file rw_file_perms;
# Access to /dev/dma_heap/system
allow system_server dmabuf_system_heap_device:chr_file r_file_perms;