private · 9899568f6c4dd740ef2b6c213726ca5945514e77 · CodeLinaro / public-release-test / platform / system / sepolicy

Tri Vo authored 6 years ago

What changed:
- Removed cgroup access from untrusted and priv apps.
- Settings app writes to /dev/stune/foreground/tasks, so system_app domain
retains access to cgroup.
- libcutils exports API to /dev/{cpuset, stune}/*. This API seems to be used
abundantly in native code. So added a blanket allow rule for (coredomain - apps)
to access cgroups.
- For now, only audit cgroup access from vendor domains. Ultimately, we want to
either constrain vendor access to individual domains or, even better, remove
vendor access and have platform manage cgroups exclusively.

Bug: 110043362
Test: adb shell setprop ro.config.per_app_memcg true, device correctly populates
/dev/memcg on a per app basis on a device that supports that.
Test: aosp_sailfish, wahoo boot without cgroup denials
Change-Id: I9e441b26792f1edb1663c660bcff422ec7a6332b

9899568f

Name	Last commit	Last update
..
compat
access_vectors
adbd.te
apexd.te
app.te
app_neverallows.te
asan_extract.te
atrace.te
audioserver.te
binder_in_vendor_violators.te
binderservicedomain.te
blank_screen.te
blkid.te
blkid_untrusted.te
bluetooth.te
bluetoothdomain.te
bootanim.te
bootstat.te
bpfloader.te
bufferhubd.te
bug_map
cameraserver.te
charger.te
clatd.te
coredomain.te
cppreopts.te
crash_dump.te
dex2oat.te
dexoptanalyzer.te
dhcp.te
dnsmasq.te
domain.te
drmserver.te
dumpstate.te
ephemeral_app.te
fastbootd.te
file.te
file_contexts
file_contexts_asan
file_contexts_overlayfs
fingerprintd.te
fs_use
fsck.te
fsck_untrusted.te
gatekeeperd.te
genfs_contexts
hal_allocator_default.te
hal_system_suspend_default.te
halclientdomain.te
halserverdomain.te
healthd.te
hwservice_contexts
hwservicemanager.te
idmap.te
incident.te
incident_helper.te
incidentd.te
init.te
initial_sid_contexts
initial_sids
inputflinger.te
install_recovery.te
installd.te
iorapd.te
isolated_app.te
kernel.te
keys.conf
keystore.te
llkd.te
lmkd.te
logd.te
logpersist.te
mac_permissions.xml
mdnsd.te
mediadrmserver.te
mediaextractor.te
mediametrics.te
mediaprovider.te
mediaserver.te
mls
mls_decl
mls_macros
modprobe.te
mtp.te
net.te
netd.te
netutils_wrapper.te
nfc.te
otapreopt_chroot.te
otapreopt_slot.te
perfetto.te
performanced.te
perfprofd.te
platform_app.te
policy_capabilities
port_contexts
postinstall.te
postinstall_dexopt.te
ppp.te
preopt2cachename.te