domain_deprecated: remove cgroup access

Logs indicate that all processes that require read access have already been granted it. Bug: 28760354 Test: build policy Merged-In: I5826c45f54af32e3d4296df904c8523bb5df5e62 Change-Id: I5826c45f54af32e3d4296df904c8523bb5df5e62

domain_deprecated: remove cgroup access
72b26547 · Jeff Vander Stoep · Jeffrey Vander Stoep · 790f4c7e · 72b26547
Commit 72b26547 authored 7 years ago by Jeff Vander Stoep Committed by Jeffrey Vander Stoep 7 years ago
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -122,7 +122,6 @@ auditallow {
 # Read access to pseudo filesystems.
 r_dir_file(domain_deprecated, proc)
 r_dir_file(domain_deprecated, sysfs)
-r_dir_file(domain_deprecated, cgroup)
 userdebug_or_eng(`
 auditallow {
@@ -185,32 +184,4 @@ auditallow {
  -ueventd
  -vold
 } sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
-auditallow {
-  domain_deprecated
-  -appdomain
-  -fingerprintd
-  -healthd
-  -inputflinger
-  -installd
-  -keystore
-  -netd
-  -rild
-  -surfaceflinger
-  -system_server
-  -zygote
-} cgroup:dir r_dir_perms;
-auditallow {
-  domain_deprecated
-  -appdomain
-  -fingerprintd
-  -healthd
-  -inputflinger
-  -installd
-  -keystore
-  -netd
-  -rild
-  -surfaceflinger
-  -system_server
-  -zygote
-} cgroup:{ file lnk_file } r_file_perms;
 ')