sepolicy: system_server: fix webview sandbox cgroup access
When running webview, the following denials are observed:
avc: denied { create } for comm="ActivityManager" name="uid_99000" scontext=u:r:system_server:s0 tcontext=u:object_r:cgroup:s0 tclass=dir permissive=1
avc: denied { setattr } for comm="ActivityManager" name="uid_99000" dev="cgroup" ino=7908 scontext=u:r:system_server:s0 tcontext=u:object_r:cgroup:s0 tclass=dir permissive=1
avc: denied { setattr } for comm="ActivityManager" name="cgroup.procs" dev="cgroup" ino=7909 scontext=u:r:system_server:s0 tcontext=u:object_r:cgroup:s0 tclass=file permissive=1
avc: denied { setattr } for comm="ActivityManager" name="memory.use_hierarchy" dev="cgroup" ino=7920 scontext=u:r:system_server:s0 tcontext=u:object_r:cgroup:s0 tclass=file permissive=1
This results in a webview crash, which triggers a zygote restart.
These denials have been fixed in aosp/master already via [1] and [2]. Since we don't want to patch AOSP, apply a similar fix.
[1] https://android-review.googlesource.com/c/platform/system/sepolicy/+/2689227
[2] https://android-review.googlesource.com/c/platform/system/sepolicy/+/2636345

Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
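The denials quoted in the commit message are the input a policy author would turn into allow rules. The following is an added example, not code from the commit or from AOSP's sepolicy tooling: a small audit2allow-style parser that reads avc lines, keys them by (source type, target type, class), merges the permissions, and emits the minimal literal allow rules. The sample input is the four denials above, embedded as a constructed string; the rule format is the plain `allow src tgt:class { perms };` form, and real AOSP policy typically uses the permission macros from global_macros and is subject to neverallow checks, so the generated rules are a starting point rather than the exact content of the referenced changes.

```python
import re
from collections import defaultdict

# Constructed sample input: the four denials quoted in the commit message.
SAMPLE_DENIALS = """\
avc: denied { create } for comm="ActivityManager" name="uid_99000" scontext=u:r:system_server:s0 tcontext=u:object_r:cgroup:s0 tclass=dir permissive=1
avc: denied { setattr } for comm="ActivityManager" name="uid_99000" dev="cgroup" ino=7908 scontext=u:r:system_server:s0 tcontext=u:object_r:cgroup:s0 tclass=dir permissive=1
avc: denied { setattr } for comm="ActivityManager" name="cgroup.procs" dev="cgroup" ino=7909 scontext=u:r:system_server:s0 tcontext=u:object_r:cgroup:s0 tclass=file permissive=1
avc: denied { setattr } for comm="ActivityManager" name="memory.use_hierarchy" dev="cgroup" ino=7920 scontext=u:r:system_server:s0 tcontext=u:object_r:cgroup:s0 tclass=file permissive=1
"""

# Matches the permission set, source/target contexts and object class of an avc denial.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:.*?permissive=(?P<permissive>[01]))?'
)


def context_type(ctx):
    """Extract the type field of a security context.

    u:r:system_server:s0  -> system_server
    u:object_r:cgroup:s0  -> cgroup
    """
    return ctx.split(":")[2]


def parse_denials(text):
    """Return {(source_type, target_type, tclass): set(permissions)}.

    Lines that are not avc denials are ignored. Denials for the same
    (source, target, class) triple are merged so that one allow rule covers them.
    """
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def permissive_domains(text):
    """Return the set of source types whose denials carry permissive=1.

    permissive=1 means the access was logged but not actually blocked, so the
    denial was observed in a permissive domain (or a permissive boot).
    """
    domains = set()
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m and m["permissive"] == "1":
            domains.add(context_type(m["scontext"]))
    return domains


def to_allow_rules(rules):
    """Render merged denials as TE allow rules, one per (source, target, class)."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ " + plist + " }"
        out.append(f"allow {src} {tgt}:{cls} {plist};")
    return out


if __name__ == "__main__":
    for rule in to_allow_rules(parse_denials(SAMPLE_DENIALS)):
        print(rule)
```

Running this over the four denials collapses them to `allow system_server cgroup:dir { create setattr };` and `allow system_server cgroup:file setattr;`, which is the shape of the access the commit message describes. Before adding such rules to a device policy, check them against the platform's neverallow rules (a CTS failure is the usual symptom) and prefer the existing macros where they apply.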