From 235d48600b97be71b97ac6f55a7d6bef0db067f5 Mon Sep 17 00:00:00 2001
From: Tri Vo <trong@google.com>
Date: Sat, 13 Oct 2018 17:10:38 -0700
Subject: [PATCH] Finalize cgroup permissions.

Policy w.r.t. apps:
- cgroup access from untrusted apps and priv app is neverallow'ed.
- other apps (e.g. vendor apps) need to explicitly declare appropriate
access rules to cgroups.

Policy w.r.t native domains:
- libcutils exports API to /dev/{cpuset, stune}/*. This API is used
abundantly in native vendor code. So we are not going to limit non-app
access to cgroup.

Bug: 110043362
Bug: 117666318
Test: m selinux_policy, boot device
Change-Id: I83aee21ca3e8941725c70706769ea9dbdc76b9c5
---
 public/domain.te | 32 ++------------------------------
 1 file changed, 2 insertions(+), 30 deletions(-)

diff --git a/public/domain.te b/public/domain.te
index 5f00a82cb..1c360bcda 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -275,36 +275,8 @@ allow domain selinuxfs:filesystem getattr;
 
 # Path resolution access in cgroups.
 allow domain cgroup:dir search;
-allow { coredomain -appdomain } cgroup:dir w_dir_perms;
-allow { coredomain -appdomain } cgroup:file w_file_perms;
-
-# TODO(b/110043362): Clean up cgroup access from app domains.
-allow {
-  # Can not use all_untrusted_apps macro here, so expanding inline.
-  # This list is essentially { appdomain -all_untrusted_apps -priv_app }
-  appdomain
-  -ephemeral_app
-  -isolated_app
-  -mediaprovider
-  -untrusted_app
-  -untrusted_app_25
-  -untrusted_app_27
-  -untrusted_app_all
-  -priv_app
-} cgroup:file w_file_perms;
-userdebug_or_eng(`
-  auditallow appdomain cgroup:file w_file_perms;
-')
-
-# TODO(b/110043362): Clean up cgroup access from non-system domains.
-allow { domain -coredomain } cgroup:file w_file_perms;
-userdebug_or_eng(`
-  auditallow {
-    domain
-    -coredomain
-    -vendor_init
-  } cgroup:file w_file_perms;
-')
+allow { domain -appdomain } cgroup:dir w_dir_perms;
+allow { domain -appdomain } cgroup:file w_file_perms;
 
 # Almost all processes log tracing information to
 # /sys/kernel/debug/tracing/trace_marker
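Review bot: The new `allow { domain -appdomain } cgroup:dir w_dir_perms;` widens directory write access from coredomain to every non-app domain, including vendor domains and vendor_init, and neither the rule nor the commit message explains that widening (the message only justifies file access via the libcutils cpuset/stune API). A short comment above the two new rules would make the intent explicit, e.g. `# Non-app domains may create and write cgroup nodes: the libcutils /dev/{cpuset,stune} API is used widely in native vendor code (b/110043362).` The userdebug_or_eng auditallow on non-coredomain file writes is also dropped, so there is no longer any record of which vendor domains actually exercise this access; if that loss is intended, stating it in the comment would help. The commit message says app access is neverallow'ed, but no neverallow appears in this hunk, so it is presumably elsewhere in domain.te and worth confirming it covers both the untrusted app domains and priv_app.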
-- 