From 72b265473e3d3ef034e4ce8d73528675e163bdbd Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Sun, 9 Jul 2017 22:17:15 -0700
Subject: [PATCH] domain_deprecated: remove cgroup access

Logs indicate that all processes that require read access
have already been granted it.

Bug: 28760354
Test: build policy
Merged-In: I5826c45f54af32e3d4296df904c8523bb5df5e62
Change-Id: I5826c45f54af32e3d4296df904c8523bb5df5e62
---
 public/domain_deprecated.te | 29 -----------------------------
 1 file changed, 29 deletions(-)

diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index e6760c94f..7cfbdff04 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -122,7 +122,6 @@ auditallow {
 # Read access to pseudo filesystems.
 r_dir_file(domain_deprecated, proc)
 r_dir_file(domain_deprecated, sysfs)
-r_dir_file(domain_deprecated, cgroup)
 
 userdebug_or_eng(`
 auditallow {
@@ -185,32 +184,4 @@ auditallow {
   -ueventd
   -vold
 } sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
-auditallow {
-  domain_deprecated
-  -appdomain
-  -fingerprintd
-  -healthd
-  -inputflinger
-  -installd
-  -keystore
-  -netd
-  -rild
-  -surfaceflinger
-  -system_server
-  -zygote
-} cgroup:dir r_dir_perms;
-auditallow {
-  domain_deprecated
-  -appdomain
-  -fingerprintd
-  -healthd
-  -inputflinger
-  -installd
-  -keystore
-  -netd
-  -rild
-  -surfaceflinger
-  -system_server
-  -zygote
-} cgroup:{ file lnk_file } r_file_perms;
 ')
-- 
GitLab