sepolicy changes to configure cgroup.rc and task_profiles.json access

cgroups.json file contains cgroup information required to mount cgroup controllers and is readable only by init process. cgroup.rc contains cgroup map information consisting of the list of cgroups available in the system and their mounting locations. It is created by init process and should be readable by any processes that uses cgroups and should be writable only by init process. task_profiles.json file contains task profiles used to operate on cgroups. This information should be readable by any process that uses cgroups and should be writable only by init process. Bug: 111307099 Test: builds, boots Change-Id: Ib2c87c0fc3663c7fc69628f05c846519b65948b5 Signed-off-by: Suren Baghdasaryan <surenb@google.com>
2019-01-10 17:10:31 -08:00 · 2019-01-10 17:10:31 -08:00 · dbd438c239
commit dbd438c239
parent 34b50ee563
6 changed files with 27 additions and 0 deletions
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@ -23,6 +23,8 @@
    biometric_service
    bpf_progs_loaded_prop
    bugreport_service
+    cgroup_desc_file
+    cgroup_rc_file
    content_capture_service
    content_suggestions_service
    cpu_variant_prop
@ -108,6 +110,7 @@
    system_lmk_prop
    system_suspend_hwservice
    staging_data_file
+    task_profiles_file
    testharness_service
    test_harness_prop
    time_prop
--- a/private/domain.te
+++ b/private/domain.te
@ -29,6 +29,10 @@ allow domain cgroup:dir search;
 allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
 allow { domain -appdomain -rs } cgroup:file w_file_perms;

+allow domain cgroup_rc_file:dir search;
+allow domain cgroup_rc_file:file r_file_perms;
+allow domain task_profiles_file:file r_file_perms;
+
 # For now, everyone can access core property files
 # Device specific properties are not granted by default
 not_compatible_property(`
@ -188,3 +192,10 @@ neverallow {
    -exec_type
    -postinstall_file
 }:file execute;
+
+# Only init is allowed to write cgroup.rc file
+neverallow {
+  domain
+  -init
+  -vendor_init
+} cgroup_rc_file:file no_w_file_perms;
--- a/private/file_contexts
+++ b/private/file_contexts
@ -93,6 +93,7 @@
 /dev/device-mapper	u:object_r:dm_device:s0
 /dev/eac		u:object_r:audio_device:s0
 /dev/event-log-tags     u:object_r:runtime_event_log_tags_file:s0
+/dev/cgroup_info(/.*)?  u:object_r:cgroup_rc_file:s0
 /dev/fscklogs(/.*)?	u:object_r:fscklogs:s0
 /dev/fuse		u:object_r:fuse_device:s0
 /dev/graphics(/.*)?	u:object_r:graphics_device:s0
@ -295,6 +296,7 @@
 /system/bin/hw/android\.frameworks\.bufferhub@1\.0-service    u:object_r:fwk_bufferhub_exec:s0
 /system/bin/hw/android\.hidl\.allocator@1\.0-service          u:object_r:hal_allocator_default_exec:s0
 /system/bin/hw/android\.system\.suspend@1\.0-service          u:object_r:hal_system_suspend_default_exec:s0
+/system/etc/cgroups\.json               u:object_r:cgroup_desc_file:s0
 /system/etc/event-log-tags              u:object_r:system_event_log_tags_file:s0
 /system/etc/ld\.config.*                u:object_r:system_linker_config_file:s0
 /system/etc/seccomp_policy(/.*)?        u:object_r:system_seccomp_policy_file:s0
@ -309,6 +311,7 @@
 /system/etc/selinux/plat_seapp_contexts  u:object_r:seapp_contexts_file:s0
 /system/etc/selinux/plat_sepolicy\.cil       u:object_r:sepolicy_file:s0
 /system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
+/system/etc/task_profiles\.json  u:object_r:task_profiles_file:s0
 /system/usr/share/zoneinfo(/.*)? u:object_r:system_zoneinfo_file:s0
 /system/bin/vr_hwc               u:object_r:vr_hwc_exec:s0
 /system/bin/adbd                 u:object_r:adbd_exec:s0
--- a/public/domain.te
+++ b/public/domain.te
@ -1051,6 +1051,7 @@ full_treble_only(`
    -system_seccomp_policy_file
    -system_security_cacerts_file
    -system_zoneinfo_file
+    -task_profiles_file
    userdebug_or_eng(`-tcpdump_exec')
  }:file *;
 ')
--- a/public/file.te
+++ b/public/file.te
@ -157,6 +157,10 @@ type system_security_cacerts_file, system_file_type, file_type;
 type tcpdump_exec, system_file_type, exec_type, file_type;
 # Default type for zoneinfo files in /system/usr/share/zoneinfo/*.
 type system_zoneinfo_file, system_file_type, file_type;
+# Cgroups description file under /system/etc/cgroups.json
+type cgroup_desc_file, system_file_type, file_type;
+# Task profiles file under /system/etc/task_profiles.json
+type task_profiles_file, system_file_type, file_type;

 # Default type for directories search for
 # HAL implementations
@ -196,6 +200,8 @@ type dev_cpu_variant, file_type;
 type runtime_event_log_tags_file, file_type;
 # Type for /system/bin/logcat.
 type logcat_exec, system_file_type, exec_type, file_type;
+# Speedup access to cgroup map file
+type cgroup_rc_file, file_type;
 # /cores for coredumps on userdebug / eng builds
 type coredump_file, file_type;
 # Default type for anything under /data.
@ -452,6 +458,7 @@ type vndservice_contexts_file, file_type;
 allow fs_type self:filesystem associate;
 allow cgroup tmpfs:filesystem associate;
 allow cgroup_bpf tmpfs:filesystem associate;
+allow cgroup_rc_file tmpfs:filesystem associate;
 allow sysfs_type sysfs:filesystem associate;
 allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
 allow file_type labeledfs:filesystem associate;
--- a/public/init.te
+++ b/public/init.te
@ -107,6 +107,8 @@ allow init tmpfs:dir create_dir_perms;
 allow init tmpfs:dir mounton;
 allow init cgroup:dir create_dir_perms;
 allow init cgroup:file rw_file_perms;
+allow init cgroup_rc_file:file rw_file_perms;
+allow init cgroup_desc_file:file r_file_perms;

 # /config
 allow init configfs:dir mounton;