From be0616baf0c0caf8e1c8a4fdc9b488839f6af27d Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Tue, 26 Jan 2016 18:56:52 -0800
Subject: [PATCH] domain: grant write perms to cgroups

Was moved to domain_deprecated. Move back to domain.

Files in /acct/uid/*/tasks are well protected by unix permissions.
No information is leaked with write perms.

Change-Id: I8017e906950cba41ce350bc0892a36269ade8d53
---
 bootanim.te          | 4 ----
 domain.te            | 4 ++++
 domain_deprecated.te | 4 ----
 3 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/bootanim.te b/bootanim.te
index 550c6dc2a..fa0e4dca1 100644
--- a/bootanim.te
+++ b/bootanim.te
@@ -18,10 +18,6 @@ allow bootanim audio_device:chr_file rw_file_perms;
 
 allow bootanim surfaceflinger_service:service_manager find;
 
-# For /acct/uid/*/tasks.
-allow bootanim cgroup:dir { search write };
-allow bootanim cgroup:file w_file_perms;
-
 # Allow access to ion memory allocation device
 allow bootanim ion_device:chr_file rw_file_perms;
 
diff --git a/domain.te b/domain.te
index 6d2eadc9c..2a63c82e4 100644
--- a/domain.te
+++ b/domain.te
@@ -121,6 +121,10 @@ allow domain selinuxfs:file getattr;
 allow domain sysfs:dir search;
 allow domain selinuxfs:filesystem getattr;
 
+# For /acct/uid/*/tasks.
+allow domain cgroup:dir { search write };
+allow domain cgroup:file w_file_perms;
+
 # Almost all processes log tracing information to
 # /sys/kernel/debug/tracing/trace_marker
 # The reason behind this is documented in b/6513400
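Review bot: The comment on the added rules names only /acct/uid/*/tasks, but `allow domain cgroup:file w_file_perms;` applies to every object labelled `cgroup`, for every domain including untrusted app domains. After this change the policy itself no longer limits who may write a tasks file; only the file's mode and ownership do, which is what the commit message relies on. I would say so in the comment, e.g. `# For /acct/uid/*/tasks. Covers all cgroup-labelled files; write access is limited by DAC mode/ownership only.` It is also worth confirming that no other hierarchy mounted with the same label exposes group- or world-writable control files (the mounts are not visible in this patch), since those would become writable from any domain.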
diff --git a/domain_deprecated.te b/domain_deprecated.te
index 0db79da54..ed88cca99 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -49,10 +49,6 @@ allow domain_deprecated cache_file:dir r_dir_perms;
 allow domain_deprecated cache_file:file { getattr read };
 allow domain_deprecated cache_file:lnk_file r_file_perms;
 
-# For /acct/uid/*/tasks.
-allow domain_deprecated cgroup:dir { search write };
-allow domain_deprecated cgroup:file w_file_perms;
-
 #Allow access to ion memory allocation device
 allow domain_deprecated ion_device:chr_file rw_file_perms;
 
-- 
GitLab