
Commit 623b56af authored by Martijn Coenen

Fix libprocessgroup SELinux denials.

libprocessgroup checks whether it can use memory
cgroups for keeping track of forked processes by
seeing whether /dev/memcg/apps is writable. However,
on systems with memory cgroups disabled, SELinux
(correctly) no longer classifies this directory as a cgroup,
and starts denying zygote access. To fix this,
first check whether /dev/memcg/apps/tasks exists to
see if the cgroup is mounted; only then check whether
we can write to the directory.

Bug: 27046965
Change-Id: I6e44cd62d8c396e20ceb162c50606b3e86f2cb3e
parent 23419e39
+5 −1
@@ -38,6 +38,7 @@
#include <processgroup/processgroup.h>

#define MEM_CGROUP_PATH "/dev/memcg/apps"
#define MEM_CGROUP_TASKS "/dev/memcg/apps/tasks"
#define ACCT_CGROUP_PATH "/acct"

#define PROCESSGROUP_UID_PREFIX "uid_"
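Review bot: the new MEM_CGROUP_TASKS define repeats the "/dev/memcg/apps" literal that MEM_CGROUP_PATH already holds, so the two can silently drift apart if the cgroup directory is ever moved; deriving it as `#define MEM_CGROUP_TASKS MEM_CGROUP_PATH "/tasks"` keeps the existence probe tied to the directory whose writability is tested on the next line of the lookup.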
@@ -68,7 +69,10 @@ struct ctx {
static const char* getCgroupRootPath() {
    static const char* cgroup_root_path = NULL;
    std::call_once(init_path_flag, [&]() {
            cgroup_root_path = access(MEM_CGROUP_PATH, W_OK) ? ACCT_CGROUP_PATH : MEM_CGROUP_PATH;
            // Check if mem cgroup is mounted, only then check for write-access to avoid
            // SELinux denials
            cgroup_root_path = access(MEM_CGROUP_TASKS, F_OK) || access(MEM_CGROUP_PATH, W_OK) ?
                    ACCT_CGROUP_PATH : MEM_CGROUP_PATH;
            });
    return cgroup_root_path;
}
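Review bot: the condition in the added `cgroup_root_path = access(MEM_CGROUP_TASKS, F_OK) || access(MEM_CGROUP_PATH, W_OK) ? ACCT_CGROUP_PATH : MEM_CGROUP_PATH;` relies on `||` binding tighter than `?:`, which is correct here (a non-zero return from either access() call selects ACCT_CGROUP_PATH) but easy to misread in review; wrapping the disjunction in parentheses would make the intent explicit. The comment above it would also be clearer if it stated the ordering guarantee directly: because `||` short-circuits, the W_OK check on MEM_CGROUP_PATH is never issued when the tasks file is absent, which is what keeps the SELinux denial described in the commit message from being triggered on systems where the memory cgroup is not mounted.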
+1 −1
@@ -85,7 +85,7 @@ on init
    # root memory control cgroup, used by lmkd
    mkdir /dev/memcg 0700 root system
    mount cgroup none /dev/memcg memory
    # app mem cgroups, used by activity manager and lmkd
    # app mem cgroups, used by activity manager, lmkd and zygote
    mkdir /dev/memcg/apps/ 0755 system system

    write /proc/sys/kernel/panic_on_oops 1
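Review bot: the updated comment is fine, but this `mkdir /dev/memcg/apps/ 0755 system system` runs after the `mount cgroup none /dev/memcg memory` line whether or not that mount succeeds, so on a system with memory cgroups disabled /dev/memcg/apps still exists as an ordinary directory without a tasks file; that is precisely the case libprocessgroup now tells apart by probing /dev/memcg/apps/tasks. A short note here that zygote depends on the tasks file (not the directory) to detect the mounted cgroup would keep a future edit to this block from breaking that detection.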