authorRuslan Trofymenko <ruslan.trofymenko@linaro.org>2018-08-10 23:27:21 +0000
committerPraneeth Bajjuri <praneeth@ti.com>2018-08-10 15:04:48 -0500
commit5f182cb7e5c0066ae027c46cec5bef890fc263b0 (patch)
tree02a8f2c92caadbaf93be30a7b66c0dcdd7a35e4b
parent7622d03b60fefd099fad3ff1bbda337b7fbb973b (diff)
downloadam57xevm-5f182cb7e5c0066ae027c46cec5bef890fc263b0.tar.gz
am57xevm: sepolicy: Add cgroup permissions for init
Generic init.rc contains the commands for creating cgroup nodes, for example: mkdir /dev/memcg 0700 root system mount cgroup none /dev/memcg memory but the generic sepolicies don't contain the corresponding rules. The generic zygote .rc files also contain commands that write PIDs to the process lists in cgroup nodes. These commands can require the create permission. This commit adds the create permission for the 'init' and 'zygote' processes. Signed-off-by: Ruslan Trofymenko <ruslan.trofymenko@linaro.org>
-rw-r--r--sepolicy/init.te3
-rw-r--r--sepolicy/zygote.te1
2 files changed, 4 insertions, 0 deletions
diff --git a/sepolicy/init.te b/sepolicy/init.te
index e66ebcc..c7109d5 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -14,3 +14,6 @@ dontaudit init self:capability dac_read_search;
type proc_cpu_alignment, fs_type, sysfs_type;
allow init proc_cpu_alignment:file { open write };
+
+# For cgroups creating (init.rc)
+allow init cgroup:file create;
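Review bot: The added rule grants `create` on class `file`, but the operations the commit message gives as the reason (`mkdir /dev/memcg`, `mount cgroup`) are directory and mount operations, so the comment `# For cgroups creating (init.rc)` does not explain why a file-class permission is needed. If the denial was logged for files that appear inside a newly created cgroup directory, the comment should say so and name the init.rc command that triggered it, for example `# init.rc: mkdir /dev/memcg triggers a file create check on cgroup (tclass=file)`. This is worth confirming against the actual avc denial, because init is a highly privileged domain and each added allow rule should map to an observed denial rather than a possible one.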
diff --git a/sepolicy/zygote.te b/sepolicy/zygote.te
index 05f7616..ed4f36b 100644
--- a/sepolicy/zygote.te
+++ b/sepolicy/zygote.te
@@ -1 +1,2 @@
dontaudit zygote self:capability dac_read_search;
+allow zygote cgroup:file create;
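Review bot: The new `allow zygote cgroup:file create;` line has no comment, unlike the matching rule in init.te, and the commit message justifies it only with "can require". Writing a PID into an existing cgroup process list normally needs `write` rather than `create`, so the rule may be broader than the .rc commands need; it should be checked against a logged denial for the zygote domain. Because zygote is the parent of every app process, the reason belongs in the file, e.g. `# zygote .rc files write PIDs to cgroup process lists; file create denial seen on cgroup nodes`.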