Merge "Allow shell read access to cgroup state" into main am: 77a8ac9ab4

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3044973 Change-Id: Iefb2518fb39c0cf0b67ca73c6f81ff1905b2323a Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-04-30 21:15:58 +00:00 · 2024-04-30 21:15:58 +00:00 · 7e4f16b0f7
commit 7e4f16b0f7
parent b21b673267 77a8ac9ab4
5 changed files with 7 additions and 0 deletions
--- a/private/compat/202404/202404.ignore.cil
+++ b/private/compat/202404/202404.ignore.cil
@ -10,4 +10,5 @@
    fs_bpf_lmkd_memevents_prog
    binderfs_logs_transactions
    proc_compaction_proactiveness
+    proc_cgroups
  ))
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@ -50,4 +50,5 @@
    aconfigd_exec
    aconfigd_socket
    enable_16k_pages_prop
+    proc_cgroups
  ))
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@ -5,6 +5,7 @@ genfscon proc / u:object_r:proc:s0
 genfscon proc /asound u:object_r:proc_asound:s0
 genfscon proc /bootconfig u:object_r:proc_bootconfig:s0
 genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0
+genfscon proc /cgroups u:object_r:proc_cgroups:s0
 genfscon proc /cmdline u:object_r:proc_cmdline:s0
 genfscon proc /config.gz u:object_r:config_gz:s0
 genfscon proc /cpu/alignment u:object_r:proc_cpu_alignment:s0
--- a/private/shell.te
+++ b/private/shell.te
@ -372,6 +372,7 @@ r_dir_file(shell, proc_net_type)

 allow shell {
  proc_asound
+  proc_cgroups
  proc_filesystems
  proc_interrupts
  proc_loadavg # b/124024827
--- a/public/file.te
+++ b/public/file.te
@ -38,6 +38,9 @@ type proc_asound, fs_type, proc_type;
 type proc_bootconfig, fs_type, proc_type;
 type proc_bpf, fs_type, proc_type;
 type proc_buddyinfo, fs_type, proc_type;
+starting_at_board_api(202504, `
+    type proc_cgroups, fs_type, proc_type;
+')
 type proc_cmdline, fs_type, proc_type;
 type proc_cpu_alignment, fs_type, proc_type;
 type proc_cpuinfo, fs_type, proc_type;