Merge "sepolicy: fix support for lmkd"

private/file_contexts

@@ -78,6 +78,7 @@
 /dev/cam		u:object_r:camera_device:s0
 /dev/console		u:object_r:console_device:s0
 /dev/cpuctl(/.*)?	u:object_r:cpuctl_device:s0
+/dev/memcg(/.*)?        u:object_r:memcg_device:s0
 /dev/device-mapper	u:object_r:dm_device:s0
 /dev/eac		u:object_r:audio_device:s0
 /dev/event-log-tags     u:object_r:runtime_event_log_tags_file:s0

public/device.te

@@ -21,6 +21,7 @@ type rtc_device, dev_type;
 type vold_device, dev_type;
 type console_device, dev_type;
 type cpuctl_device, dev_type;
+type memcg_device, dev_type;
 type fscklogs, dev_type;
 type full_device, dev_type;
 # GPU (used by most UI apps)

public/domain.te

@@ -226,6 +226,10 @@ with_asan(`allow domain system_data_file:dir getattr;')
 ### neverallow rules
 ###
 
+# Don't allow others to access memcg.
+neverallow { domain -init -lmkd -shell -ueventd } memcg_device:dir *;
+neverallow { domain -init -lmkd -ueventd } memcg_device:file *;
+
 # All socket ioctls must be restricted to a whitelist.
 neverallowxperm domain domain:socket_class_set ioctl { 0 };
 

public/init.te

@@ -77,6 +77,7 @@ allow init tmpfs:dir mounton;
 allow init cgroup:dir create_dir_perms;
 r_dir_file(init, cgroup)
 allow init cpuctl_device:dir { create mounton };
+allow init memcg_device:dir { create mounton };
 
 # /config
 allow init configfs:dir mounton;

public/lmkd.te

@@ -21,6 +21,9 @@ allow lmkd system_server:file write;
 r_dir_file(lmkd, sysfs_type)
 allow lmkd sysfs_lowmemorykiller:file w_file_perms;
 
+allow lmkd memcg_device:dir search;
+allow lmkd memcg_device:file rw_file_perms;
+
 # Send kill signals
 allow lmkd appdomain:process sigkill;
 
@@ -32,6 +35,8 @@ allow lmkd self:capability sys_nice;
 
 allow lmkd proc_zoneinfo:file r_file_perms;
 
+r_dir_file(lmkd, cgroup)
+
 ### neverallow rules
 
 # never honor LD_PRELOAD