From cacea25ed0fe4850d50d12640c7ee47ae1e2ef7a Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 10 Oct 2018 04:25:17 +0000
Subject: [PATCH] Revert "Constrain cgroups access."

This reverts commit 9899568f6c4dd740ef2b6c213726ca5945514e77.

Reason for revert: Reports of high numbers of SELinux denials
showing up on the SELinux dashboard.

Bug: 110043362
Change-Id: Id8fc260c47ffd269ac2f15ff7dab668c959e3ab0
---
 private/app_neverallows.te |  3 ---
 private/priv_app.te        |  3 ---
 private/system_app.te      |  3 ---
 public/app.te              |  4 ++++
 public/domain.te           | 14 +++-----------
 public/init.te             |  2 +-
 public/vendor_init.te      |  1 -
 7 files changed, 8 insertions(+), 22 deletions(-)

diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 1e824046b..344ecd544 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -274,6 +274,3 @@ neverallow all_untrusted_apps mediaextractor_update_service:service_manager find
 # This will go away in a future Android release
 neverallow { all_untrusted_apps -untrusted_app_25 } proc_tty_drivers:file r_file_perms;
 neverallow all_untrusted_apps proc_tty_drivers:file ~r_file_perms;
-
-# Untrusted apps are not allowed to use cgroups.
-neverallow all_untrusted_apps cgroup:file *;
diff --git a/private/priv_app.te b/private/priv_app.te
index 192221db0..e12cce765 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -218,6 +218,3 @@ neverallow priv_app file_type:file link;
 # upon traceur to pass a file descriptor which they can then read
 neverallow priv_app trace_data_file:dir *;
 neverallow priv_app trace_data_file:file { no_w_file_perms open };
-
-# Do not allow priv_app access to cgroups.
-neverallow priv_app cgroup:file *;
diff --git a/private/system_app.te b/private/system_app.te
index 4bfcc18f4..40fec6acf 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -122,9 +122,6 @@ allow system_app {
   proc_version
 }:file r_file_perms;
 
-# Settings app writes to /dev/stune/foreground/tasks.
-allow system_app cgroup:file w_file_perms;
-
 control_logd(system_app)
 read_runtime_log_tags(system_app)
 get_prop(system_app, device_logging_prop)
diff --git a/public/app.te b/public/app.te
index 800e891b4..5a8215211 100644
--- a/public/app.te
+++ b/public/app.te
@@ -22,6 +22,10 @@ allow appdomain zygote_exec:file rx_file_perms;
 # Notify zygote of death;
 allow appdomain zygote:process sigchld;
 
+# Place process into foreground / background
+allow appdomain cgroup:dir { search write };
+allow appdomain cgroup:file rw_file_perms;
+
 # Read /data/dalvik-cache.
 allow appdomain dalvikcache_data_file:dir { search getattr };
 allow appdomain dalvikcache_data_file:file r_file_perms;
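Review bot: The restored `allow appdomain cgroup:file rw_file_perms;` applies to every app domain, and this same patch deletes the `neverallow all_untrusted_apps cgroup:file *;` and `neverallow priv_app cgroup:file *;` assertions, so nothing in the policy now records that the access was meant to be narrowed. The comment names foreground/background placement, but the rule covers every file labelled `cgroup`, not only the task files used for that. If the constraint is expected to return once the denials are triaged, keep the bug reference beside the rule, e.g. `# TODO(b/110043362): re-constrain app cgroup access once denial sources are identified.`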
diff --git a/public/domain.te b/public/domain.te
index 2eb2e15a8..16cc09884 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -258,17 +258,9 @@ allow domain selinuxfs:file getattr;
 allow domain sysfs:dir search;
 allow domain selinuxfs:filesystem getattr;
 
-# Path resolution access in cgroups.
-allow domain cgroup:dir search;
-allow { coredomain -appdomain } cgroup:dir w_dir_perms;
-allow { coredomain -appdomain } cgroup:file w_file_perms;
-# TODO(b/110043362): Clean up cgroup access from non-system domains.
-allow { domain -coredomain } cgroup:file w_file_perms;
-auditallow {
-  domain
-  -coredomain
-  -vendor_init
-} cgroup:file w_file_perms;
+# For /acct/uid/*/tasks.
+allow domain cgroup:dir { search write };
+allow domain cgroup:file w_file_perms;
 
 # Almost all processes log tracing information to
 # /sys/kernel/debug/tracing/trace_marker
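Review bot: The comment `# For /acct/uid/*/tasks.` understates the restored rules, because `allow domain cgroup:file w_file_perms;` grants write on every file labelled `cgroup` to every domain, not only the accounting task files. The revert also drops the `TODO(b/110043362)` marker and the `auditallow` block for non-core domains, which appears to be the only in-policy signal of which vendor domains really write cgroup files. The commit message does not say which domains produced the denials. If they were app domains only, a narrower revert could keep the `auditallow`; at minimum I would retain the TODO line above these two rules and reword the comment to describe the full scope of the grant.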
diff --git a/public/init.te b/public/init.te
index 31fa79733..18d11b6c6 100644
--- a/public/init.te
+++ b/public/init.te
@@ -93,7 +93,7 @@ allow init sysfs:dir mounton;
 allow init tmpfs:dir create_dir_perms;
 allow init tmpfs:dir mounton;
 allow init cgroup:dir create_dir_perms;
-allow init cgroup:file rw_file_perms;
+r_dir_file(init, cgroup)
 allow init cpuctl_device:dir { create mounton };
 
 # /config
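Review bot: Replacing `allow init cgroup:file rw_file_perms;` with `r_dir_file(init, cgroup)` leaves init with no write rule of its own on cgroup files. Write access now appears to come only from the domain-wide `allow domain cgroup:file w_file_perms;` restored in public/domain.te. That implicit dependency is easy to miss when the domain rule is tightened again, and init would then lose write access without any change to this file. A comment above the macro would make it visible, e.g. `# Write access to cgroup files is inherited from the domain-wide rule in domain.te.` The same applies to the `allow vendor_init cgroup:file w_file_perms;` line removed in public/vendor_init.te.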
diff --git a/public/vendor_init.te b/public/vendor_init.te
index b6502d234..dfd4d8fa8 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -15,7 +15,6 @@ allow vendor_init rootfs:lnk_file { create unlink };
 
 # Create cgroups mount points in tmpfs and mount cgroups on them.
 allow vendor_init cgroup:dir create_dir_perms;
-allow vendor_init cgroup:file w_file_perms;
 
 # /config
 allow vendor_init configfs:dir mounton;
-- 
GitLab