Merge "sepolicy for vendor cgroups.json and task_profiles.json files"

2019-03-01 18:01:39 +00:00 · 2019-03-01 18:01:39 +00:00 · e3f15e2abc
commit e3f15e2abc
parent 45d73adc62 6155b2fd11
6 changed files with 11 additions and 0 deletions
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@ -123,8 +123,10 @@
    timezonedetector_service
    uri_grants_service
    use_memfd_prop
+    vendor_cgroup_desc_file
    vendor_idc_file
    vendor_keychars_file
    vendor_keylayout_file
+    vendor_task_profiles_file
    vrflinger_vsync_service
    watchdogd_tmpfs))
--- a/private/domain.te
+++ b/private/domain.te
@ -32,6 +32,7 @@ allow { domain -appdomain -rs } cgroup:file w_file_perms;
 allow domain cgroup_rc_file:dir search;
 allow domain cgroup_rc_file:file r_file_perms;
 allow domain task_profiles_file:file r_file_perms;
+allow domain vendor_task_profiles_file:file r_file_perms;

 # Allow all domains to read sys.use_memfd to determine
 # if memfd support can be used if device supports it
--- a/private/file_contexts
+++ b/private/file_contexts
@ -336,6 +336,8 @@
 /(vendor|system/vendor)/bin/toybox_vendor      u:object_r:vendor_toolbox_exec:s0
 /(vendor|system/vendor)/bin/toolbox            u:object_r:vendor_toolbox_exec:s0
 /(vendor|system/vendor)/etc(/.*)?              u:object_r:vendor_configs_file:s0
+/(vendor|system/vendor)/etc/cgroups\.json      u:object_r:vendor_cgroup_desc_file:s0
+/(vendor|system/vendor)/etc/task_profiles\.json    u:object_r:vendor_task_profiles_file:s0

 /(vendor|system/vendor)/lib(64)?/egl(/.*)?     u:object_r:same_process_hal_file:s0

--- a/public/domain.te
+++ b/public/domain.te
@ -1037,6 +1037,7 @@ full_treble_only(`
    -vendor_keylayout_file
    -vendor_overlay_file
    -vendor_public_lib_file
+    -vendor_task_profiles_file
    -vndk_sp_file
  }:file *;
 ')
--- a/public/file.te
+++ b/public/file.te
@ -158,8 +158,12 @@ type tcpdump_exec, system_file_type, exec_type, file_type;
 type system_zoneinfo_file, system_file_type, file_type;
 # Cgroups description file under /system/etc/cgroups.json
 type cgroup_desc_file, system_file_type, file_type;
+# Vendor cgroups description file under /vendor/etc/cgroups.json
+type vendor_cgroup_desc_file, vendor_file_type, file_type;
 # Task profiles file under /system/etc/task_profiles.json
 type task_profiles_file, system_file_type, file_type;
+# Vendor task profiles file under /vendor/etc/task_profiles.json
+type vendor_task_profiles_file, vendor_file_type, file_type;

 # Default type for directories search for
 # HAL implementations
--- a/public/init.te
+++ b/public/init.te
@ -109,6 +109,7 @@ allow init cgroup:dir create_dir_perms;
 allow init cgroup:file rw_file_perms;
 allow init cgroup_rc_file:file rw_file_perms;
 allow init cgroup_desc_file:file r_file_perms;
+allow init vendor_cgroup_desc_file:file r_file_perms;

 # /config
 allow init configfs:dir mounton;