author | Ruslan Trofymenko <ruslan.trofymenko@linaro.org> | 2018-08-10 23:27:21 +0000 |
---|---|---|
committer | Praneeth Bajjuri <praneeth@ti.com> | 2018-08-10 15:04:48 -0500 |
commit | 5f182cb7e5c0066ae027c46cec5bef890fc263b0 (patch) | |
tree | 02a8f2c92caadbaf93be30a7b66c0dcdd7a35e4b | |
parent | 7622d03b60fefd099fad3ff1bbda337b7fbb973b (diff) | |
download | am57xevm-5f182cb7e5c0066ae027c46cec5bef890fc263b0.tar.gz |
am57xevm: sepolicy: Add cgroup permissions for init

Generic init.rc contains the commands for creating cgroup nodes, for
example:

    mkdir /dev/memcg 0700 root system
    mount cgroup none /dev/memcg memory

but generic sepolicies don't contain accorded rules.

Also generic zygote .rc files contain commands for PID writing to
process list in cgroup nodes. These commands can require the creating
permission.

The creating permissions for 'init' and 'zygote' processes were added.

Signed-off-by: Ruslan Trofymenko <ruslan.trofymenko@linaro.org>

-rw-r--r-- | sepolicy/init.te | 3 |
-rw-r--r-- | sepolicy/zygote.te | 1 |
2 files changed, 4 insertions, 0 deletions
diff --git a/sepolicy/init.te b/sepolicy/init.te index e66ebcc..c7109d5 100644 --- a/sepolicy/init.te +++ b/sepolicy/init.te @@ -14,3 +14,6 @@ dontaudit init self:capability dac_read_search; type proc_cpu_alignment, fs_type, sysfs_type; allow init proc_cpu_alignment:file { open write }; + +# For cgroups creating (init.rc) +allow init cgroup:file create; diff --git a/sepolicy/zygote.te b/sepolicy/zygote.te index 05f7616..ed4f36b 100644 --- a/sepolicy/zygote.te +++ b/sepolicy/zygote.te @@ -1 +1,2 @@ dontaudit zygote self:capability dac_read_search; +allow zygote cgroup:file create; |
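Review bot: In sepolicy/init.te, the new rule `allow init cgroup:file create;` does not obviously match the operations the commit message cites as its reason. `mkdir /dev/memcg` is a directory creation (SELinux class `dir`) and `mount cgroup none /dev/memcg memory` is a mount, while the rule grants `create` on class `file`. Please quote the avc denial this rule resolves in the commit message, and extend the comment `# For cgroups creating (init.rc)` to name the init.rc command that triggers it, so the grant can be checked against an observed denial rather than an example that exercises a different object class.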
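Review bot: In sepolicy/zygote.te, `allow zygote cgroup:file create;` is added with no comment, unlike the init.te rule, and the commit message only says the zygote .rc commands "can require" the permission. Writing a PID into a cgroup process list is a write to a file, so it is not clear from the visible change why `create` is needed for zygote, a domain that forks every app process. Please add a comment naming the .rc command and the denial it produced, and drop the rule if no denial was actually observed.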