Commit 86e76eb7 authored Oct 06, 2016 by Dmitry Torokhov Committed by Amit Pundir Dec 18, 2017

CHROMIUM: cgroups: relax permissions on moving tasks between cgroups



Android expects system_server to be able to move tasks between different
cgroups/cpusets, but does not want to be running as root. Let's relax
permission check so that processes can move other tasks if they have
CAP_SYS_NICE in the affected task's user namespace.

BUG=b:31790445,chromium:647994
TEST=Boot android container, examine logcat

Change-Id: Ia919c66ab6ed6a6daf7c4cf67feb38b13b1ad09b
Signed-off-by: Dmitry Torokhov <dtor@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/394927


Reviewed-by: Ricky Zhou <rickyz@chromium.org>

[AmitP: Refactored original changes to align with upstream commit
        201af4c0 ("cgroup: move cgroup files under kernel/cgroup/")]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>

parent 4803def4

kernel/cgroup/cgroup-v1.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -537,7 +537,8 @@ static ssize_t __cgroup1_procs_write(struct kernfs_open_file *of,
		tcred = get_task_cred(task);
		if (!uid_eq(cred->euid, GLOBAL_ROOT_UID) &&
		!uid_eq(cred->euid, tcred->uid) &&
		!uid_eq(cred->euid, tcred->suid))
		!uid_eq(cred->euid, tcred->suid) &&
		!ns_capable(tcred->user_ns, CAP_SYS_NICE))
		ret = -EACCES;
		put_cred(tcred);
		if (ret)