sepolicy support for cgroup v2

cgroup v2 is going to be used for freezer v2 support. The cgroup v2 hiearchy
will be mounted by init under /sys/fs/cgroup hence proper access rights
are necessary for sysfs. After mounting, the cgroup v2 kernfs will use
the label cgroup_v2 and system_manager will handle the freezer

Bug: 154548692
Test: verified that the freezer works as expected after applying this patch

Change-Id: Idfb3f6e77b60dad032d1e306d2f9b58cd5775960
Merged-In: Idfb3f6e77b60dad032d1e306d2f9b58cd5775960

Author: nadinsylaa

prebuilts/api/30.0/private/compat/29.0/29.0.cil

@@ -1,5 +1,6 @@
 ;; types removed from current policy
 (type ashmemd)
+(type cgroup_bpf)
 (type hal_wifi_offload_hwservice)
 (type install_recovery)
 (type install_recovery_exec)

prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil

@@ -29,6 +29,7 @@
     boringssl_self_test
     bq_config_prop
     cacheinfo_service
+    cgroup_v2
     charger_prop
     cold_boot_done_prop
     credstore

prebuilts/api/30.0/private/genfs_contexts

@@ -103,7 +103,7 @@ genfscon fusectl / u:object_r:fusectlfs:s0
 # selinuxfs booleans can be individually labeled.
 genfscon selinuxfs / u:object_r:selinuxfs:s0
 genfscon cgroup / u:object_r:cgroup:s0
-genfscon cgroup2 / u:object_r:cgroup_bpf:s0
+genfscon cgroup2 / u:object_r:cgroup_v2:s0
 # sysfs labels can be set by userspace.
 genfscon sysfs / u:object_r:sysfs:s0
 genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0

prebuilts/api/30.0/private/system_server.te

@@ -893,6 +893,8 @@ allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdi
 
 r_dir_file(system_server, cgroup)
 allow system_server ion_device:chr_file r_file_perms;
+allow system_server cgroup_v2:dir r_dir_perms;
+allow system_server cgroup_v2:file rw_file_perms;
 
 r_dir_file(system_server, proc_asound)
 r_dir_file(system_server, proc_net_type)

prebuilts/api/30.0/public/file.te

@@ -77,7 +77,7 @@ type proc_zoneinfo, fs_type, proc_type;
 type selinuxfs, fs_type, mlstrustedobject;
 type fusectlfs, fs_type;
 type cgroup, fs_type, mlstrustedobject;
-type cgroup_bpf, fs_type;
+type cgroup_v2, fs_type;
 type sysfs, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_android_usb, fs_type, sysfs_type;
 type sysfs_uio, sysfs_type, fs_type;
@@ -523,7 +523,7 @@ type vndservice_contexts_file, file_type;
 # Allow files to be created in their appropriate filesystems.
 allow fs_type self:filesystem associate;
 allow cgroup tmpfs:filesystem associate;
-allow cgroup_bpf tmpfs:filesystem associate;
+allow cgroup_v2 tmpfs:filesystem associate;
 allow cgroup_rc_file tmpfs:filesystem associate;
 allow sysfs_type sysfs:filesystem associate;
 allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;

prebuilts/api/30.0/public/init.te

@@ -96,7 +96,7 @@ allow init {
     postinstall_mnt_dir
     mirror_data_file
 }:dir mounton;
-allow init cgroup_bpf:dir { create mounton };
+allow init cgroup_v2:dir { mounton create_dir_perms };
 
 # Mount bpf fs on sys/fs/bpf
 allow init fs_bpf:dir mounton;

prebuilts/api/30.0/public/netd.te

@@ -60,7 +60,7 @@ allow netd sysfs_net:file w_file_perms;
 # TODO: added to match above sysfs rule. Remove me?
 allow netd sysfs_usb:file write;
 
-r_dir_file(netd, cgroup_bpf)
+r_dir_file(netd, cgroup_v2)
 
 allow netd fs_bpf:dir search;
 allow netd fs_bpf:file { read write };

private/compat/29.0/29.0.cil

@@ -1,5 +1,6 @@
 ;; types removed from current policy
 (type ashmemd)
+(type cgroup_bpf)
 (type hal_wifi_offload_hwservice)
 (type install_recovery)
 (type install_recovery_exec)

private/compat/29.0/29.0.ignore.cil

@@ -29,6 +29,7 @@
     boringssl_self_test
     bq_config_prop
     cacheinfo_service
+    cgroup_v2
     charger_prop
     cold_boot_done_prop
     credstore

private/genfs_contexts

@@ -103,7 +103,7 @@ genfscon fusectl / u:object_r:fusectlfs:s0
 # selinuxfs booleans can be individually labeled.
 genfscon selinuxfs / u:object_r:selinuxfs:s0
 genfscon cgroup / u:object_r:cgroup:s0
-genfscon cgroup2 / u:object_r:cgroup_bpf:s0
+genfscon cgroup2 / u:object_r:cgroup_v2:s0
 # sysfs labels can be set by userspace.
 genfscon sysfs / u:object_r:sysfs:s0
 genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0

private/system_server.te

@@ -893,6 +893,8 @@ allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdi
 
 r_dir_file(system_server, cgroup)
 allow system_server ion_device:chr_file r_file_perms;
+allow system_server cgroup_v2:dir r_dir_perms;
+allow system_server cgroup_v2:file rw_file_perms;
 
 r_dir_file(system_server, proc_asound)
 r_dir_file(system_server, proc_net_type)

public/file.te

@@ -77,7 +77,7 @@ type proc_zoneinfo, fs_type, proc_type;
 type selinuxfs, fs_type, mlstrustedobject;
 type fusectlfs, fs_type;
 type cgroup, fs_type, mlstrustedobject;
-type cgroup_bpf, fs_type;
+type cgroup_v2, fs_type;
 type sysfs, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_android_usb, fs_type, sysfs_type;
 type sysfs_uio, sysfs_type, fs_type;
@@ -523,7 +523,7 @@ type vndservice_contexts_file, file_type;
 # Allow files to be created in their appropriate filesystems.
 allow fs_type self:filesystem associate;
 allow cgroup tmpfs:filesystem associate;
-allow cgroup_bpf tmpfs:filesystem associate;
+allow cgroup_v2 tmpfs:filesystem associate;
 allow cgroup_rc_file tmpfs:filesystem associate;
 allow sysfs_type sysfs:filesystem associate;
 allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;

public/init.te

@@ -96,7 +96,7 @@ allow init {
     postinstall_mnt_dir
     mirror_data_file
 }:dir mounton;
-allow init cgroup_bpf:dir { create mounton };
+allow init cgroup_v2:dir { mounton create_dir_perms };
 
 # Mount bpf fs on sys/fs/bpf
 allow init fs_bpf:dir mounton;

public/netd.te

@@ -60,7 +60,7 @@ allow netd sysfs_net:file w_file_perms;
 # TODO: added to match above sysfs rule. Remove me?
 allow netd sysfs_usb:file write;
 
-r_dir_file(netd, cgroup_bpf)
+r_dir_file(netd, cgroup_v2)
 
 allow netd fs_bpf:dir search;
 allow netd fs_bpf:file { read write };