From 527f64e66adf1789b50b5604ce98575c1f488d55 Mon Sep 17 00:00:00 2001
From: Tim Murray <timmurray@google.com>
Date: Fri, 24 Mar 2017 09:09:08 -0700
Subject: [PATCH] sepolicy: fix support for lmkd

Allow lmkd to access /dev/memcg once again.

Test: lmkd can access memcg
Bug: 36588803

Change-Id: Ia57dbbc3987d8858c932103c4e546cbb88893207
---
 private/file_contexts | 1 +
 public/device.te      | 1 +
 public/domain.te      | 3 +++
 public/init.te        | 1 +
 public/lmkd.te        | 5 +++++
 5 files changed, 11 insertions(+)

diff --git a/private/file_contexts b/private/file_contexts
index 69e4d6133..57fc578ee 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -79,6 +79,7 @@
 /dev/cam		u:object_r:camera_device:s0
 /dev/console		u:object_r:console_device:s0
 /dev/cpuctl(/.*)?	u:object_r:cpuctl_device:s0
+/dev/memcg(/.*)?        u:object_r:memcg_device:s0
 /dev/device-mapper	u:object_r:dm_device:s0
 /dev/eac		u:object_r:audio_device:s0
 /dev/event-log-tags     u:object_r:runtime_event_log_tags_file:s0
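Review bot: The new `/dev/memcg(/.*)?` entry on line 28 breaks the alphabetical order of the surrounding `/dev/c…`, `/dev/d…`, `/dev/e…` entries and pads the label column with spaces where the neighbouring lines use tabs. Matching in file_contexts is by regex, so the position does not change which label wins, but an out-of-place line is easy to miss in later reviews of this file. Move it to its alphabetical position among the `/dev/m…` entries (outside this hunk) and use tabs like its neighbours: `/dev/memcg(/.*)?	u:object_r:memcg_device:s0`.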
diff --git a/public/device.te b/public/device.te
index 4a3bec91f..15799b89a 100644
--- a/public/device.te
+++ b/public/device.te
@@ -21,6 +21,7 @@ type rtc_device, dev_type;
 type vold_device, dev_type;
 type console_device, dev_type;
 type cpuctl_device, dev_type;
+type memcg_device, dev_type;
 type fscklogs, dev_type;
 type full_device, dev_type;
 # GPU (used by most UI apps)
diff --git a/public/domain.te b/public/domain.te
index ea63d1c65..7abffce00 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -226,6 +226,9 @@ with_asan(`allow domain system_data_file:dir getattr;')
 ### neverallow rules
 ###
 
+# Don't allow others to access memcg.
+neverallow { domain -init -lmkd userdebug_or_eng(`-domain') } memcg_device:dir_file_class_set *;
+
 # All socket ioctls must be restricted to a whitelist.
 neverallowxperm domain domain:socket_class_set ioctl { 0 };
 
diff --git a/public/init.te b/public/init.te
index b21c4d09e..cf9488f87 100644
--- a/public/init.te
+++ b/public/init.te
@@ -77,6 +77,7 @@ allow init tmpfs:dir mounton;
 allow init cgroup:dir create_dir_perms;
 r_dir_file(init, cgroup)
 allow init cpuctl_device:dir { create mounton };
+allow init memcg_device:dir { create mounton };
 
 # /config
 allow init configfs:dir mounton;
diff --git a/public/lmkd.te b/public/lmkd.te
index f4e6c2d57..c2dcadd5f 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -21,6 +21,9 @@ allow lmkd system_server:file write;
 r_dir_file(lmkd, sysfs_type)
 allow lmkd sysfs_lowmemorykiller:file w_file_perms;
 
+allow lmkd memcg_device:dir search;
+allow lmkd memcg_device:file rw_file_perms;
+
 # Send kill signals
 allow lmkd appdomain:process sigkill;
 
@@ -32,6 +35,8 @@ allow lmkd self:capability sys_nice;
 
 allow lmkd proc_zoneinfo:file r_file_perms;
 
+r_dir_file(lmkd, cgroup)
+
 ### neverallow rules
 
 # never honor LD_PRELOAD
-- 
GitLab