Constrain cgroups access.
What changed:
- Removed cgroup access from untrusted and priv apps.
- Settings app writes to /dev/stune/foreground/tasks, so system_app domain
retains access to cgroup.
- libcutils exports API to /dev/{cpuset, stune}/*. This API seems to be used
abundantly in native code. So added a blanket allow rule for (coredomain - apps)
to access cgroups.
- For now, only audit cgroup access from vendor domains. Ultimately, we want to
either constrain vendor access to individual domains or, even better, remove
vendor access and have platform manage cgroups exclusively.
Changes from original aosp/692189 which was reverted:
- There seem to be spurious denials from vendor-specific apps. So added
back access from { appdomain -all_untrusted_apps -priv_app } to cgroup.
Audit this access with intent to write explicit per-domain rules for it.
Bug: 110043362
Test: adb shell setprop ro.config.per_app_memcg true, device correctly populates
/dev/memcg on a per app basis on a device that supports that.
Test: aosp_sailfish, wahoo boot without cgroup denials
This reverts commit cacea25ed0fe4850d50d12640c7ee47ae1e2ef7a.
Change-Id: I05ab404f348a864e8409d811346c8a0bf49bc47a
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 344ecd5..1e82404 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -274,3 +274,6 @@
# This will go away in a future Android release
neverallow { all_untrusted_apps -untrusted_app_25 } proc_tty_drivers:file r_file_perms;
neverallow all_untrusted_apps proc_tty_drivers:file ~r_file_perms;
+
+# Untrusted apps are not allowed to use cgroups.
+neverallow all_untrusted_apps cgroup:file *;