am fb69c2e2: Merge "init.rc: setup qtaguid group ownership of ctrl and stat files"
* commit 'fb69c2e2577e056bb7a054343a9f6d781cedbf3d':
init.rc: setup qtaguid group ownership of ctrl and stat files
diff --git a/rootdir/init.rc b/rootdir/init.rc
index 1a671f5..871a1f7 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -120,6 +120,12 @@
write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000
write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000
+# qtaguid will limit access to specific data based on group memberships.
+# net_bw_acct grants impersonation of socket owners.
+# net_bw_stats grants access to other apps' detailed tagged-socket stats.
+ chown root net_bw_acct /proc/net/xt_qtaguid/ctrl
+ chown root net_bw_stats /proc/net/xt_qtaguid/stats
+
# Allow everybody to read the xt_qtaguid resource tracking misc dev.
# This is needed by any process that uses socket tagging.
chmod 0644 /dev/xt_qtaguid