From 716260ac6b3659b5f24e9f4010df4b28ea3cca3c Mon Sep 17 00:00:00 2001
From: "T.J. Mercier"
Date: Fri, 26 Apr 2024 18:28:28 +0000
Subject: [PATCH] Allow shell read access to cgroup state at /proc/cgroups.

Test: adb shell cat /proc/cgroups
Bug: 335278695
Change-Id: I52773c63200a2a048a4c5497c338ddcbe0f23593
---
 private/compat/202404/202404.ignore.cil | 1 +
 private/compat/34.0/34.0.ignore.cil | 1 +
 private/genfs_contexts | 1 +
 private/shell.te | 1 +
 public/file.te | 3 +++
 5 files changed, 7 insertions(+)

diff --git a/private/compat/202404/202404.ignore.cil b/private/compat/202404/202404.ignore.cil
index a0a69f7ae..e65136ef9 100644
--- a/private/compat/202404/202404.ignore.cil
+++ b/private/compat/202404/202404.ignore.cil
@@ -10,4 +10,5 @@
 fs_bpf_lmkd_memevents_prog
 binderfs_logs_transactions
 proc_compaction_proactiveness
+ proc_cgroups
 ))
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 1477766a0..455cbff28 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -50,4 +50,5 @@
 aconfigd_exec
 aconfigd_socket
 enable_16k_pages_prop
+ proc_cgroups
 ))
diff --git a/private/genfs_contexts b/private/genfs_contexts
index dd93f0437..118f8d997 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -5,6 +5,7 @@ genfscon proc / u:object_r:proc:s0
 genfscon proc /asound u:object_r:proc_asound:s0
 genfscon proc /bootconfig u:object_r:proc_bootconfig:s0
 genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0
+genfscon proc /cgroups u:object_r:proc_cgroups:s0
 genfscon proc /cmdline u:object_r:proc_cmdline:s0
 genfscon proc /config.gz u:object_r:config_gz:s0
 genfscon proc /cpu/alignment u:object_r:proc_cpu_alignment:s0
diff --git a/private/shell.te b/private/shell.te
index 8adc71cf9..0fdbb7e8b 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -372,6 +372,7 @@ r_dir_file(shell, proc_net_type) allow shell { proc_asound + proc_cgroups proc_filesystems proc_interrupts proc_loadavg # b/124024827
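Review bot: Listing `proc_cgroups` in the 202404 ignore list (and again in the 34.0 list in the next hunk) treats it as a brand-new object, although /proc/cgroups appears to have been covered by the catch-all `proc` label until this commit. Vendor policy built against those releases that reads the file through `proc` would then start hitting denials, because nothing maps the new type back to the old attribute. If that narrowing is intended, the commit description should say so; otherwise the type belongs in the version's compat mapping rather than the ignore file.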
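Review bot: Only shell is granted the new type, so any other platform domain that currently reads /proc/cgroups through a `proc:file` rule would lose access once the added `genfscon proc /cgroups` line takes effect. The Test: line covers only `adb shell cat /proc/cgroups`, which would not surface that. I would boot a build with this change and check the audit log for denials carrying `tcontext=u:object_r:proc_cgroups:s0` before merging. The file continues outside the hunk, so other entries are not visible here.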
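Review bot: The added `proc_cgroups` entry carries no bug reference while the neighbouring `proc_loadavg # b/124024827` does; I would write it as `proc_cgroups # b/335278695` so the reason for the grant stays next to the rule. The `allow shell { … }` block closes outside the hunk, so the permission set actually granted on the new type is not visible here and should be confirmed as read-only.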
diff --git a/public/file.te b/public/file.te
index e4c01a248..53b5c7a6f 100644
--- a/public/file.te
+++ b/public/file.te
@@ -38,6 +38,9 @@ type proc_asound, fs_type, proc_type;
 type proc_bootconfig, fs_type, proc_type;
 type proc_bpf, fs_type, proc_type;
 type proc_buddyinfo, fs_type, proc_type;
+starting_at_board_api(202504, `
+ type proc_cgroups, fs_type, proc_type;
+')
 type proc_cmdline, fs_type, proc_type;
 type proc_cpu_alignment, fs_type, proc_type;
 type proc_cpuinfo, fs_type, proc_type;