From caca97a573a84aef55140a35f47728a7bc20e88e Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Sun, 9 Jul 2017 22:17:15 -0700
Subject: [PATCH] domain_deprecated: remove cgroup access

Logs indicate that all processes that require read access
have already been granted it.

Bug: 28760354
Test: build policy
Change-Id: I5826c45f54af32e3d4296df904c8523bb5df5e62
(cherry picked from commit 7fc2b564ce2af2b5f27739a2d9bbb535814fc89e)
---
 private/domain_deprecated.te | 41 ------------------------------------
 1 file changed, 41 deletions(-)

diff --git a/private/domain_deprecated.te b/private/domain_deprecated.te
index 437e459fc..5a3226e6a 100644
--- a/private/domain_deprecated.te
+++ b/private/domain_deprecated.te
@@ -112,7 +112,6 @@ auditallow {
 # Read access to pseudo filesystems.
 r_dir_file(domain_deprecated, proc)
 r_dir_file(domain_deprecated, sysfs)
-r_dir_file(domain_deprecated, cgroup)
 
 userdebug_or_eng(`
 auditallow {
@@ -170,44 +169,4 @@ auditallow {
   -ueventd
   -vold
 } sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
-auditallow {
-  domain_deprecated
-  -appdomain
-  -fingerprintd
-  -healthd
-  -inputflinger
-  -installd
-  -keystore
-  -netd
-  -surfaceflinger
-  -system_server
-  -zygote
-} cgroup:dir { open getattr read ioctl lock }; # search granted to domain
-auditallow {
-  domain_deprecated
-  -appdomain
-  -fingerprintd
-  -healthd
-  -inputflinger
-  -installd
-  -keystore
-  -netd
-  -surfaceflinger
-  -system_server
-  -zygote
-} cgroup:file { getattr read ioctl }; # open and lock granted to domain
-auditallow {
-  domain_deprecated
-  -appdomain
-  -dumpstate
-  -fingerprintd
-  -healthd
-  -inputflinger
-  -installd
-  -keystore
-  -netd
-  -surfaceflinger
-  -system_server
-  -zygote
-} cgroup:lnk_file r_file_perms;
 ')
-- 
GitLab