authorDmitry Torokhov <dtor@chromium.org>2016-10-06 16:14:16 -0700
committerJohn Stultz <john.stultz@linaro.org>2016-10-17 22:55:20 -0700
commit140cab831036741cac88255f282cd68b72140356 (patch)
tree981706e340fda4d48aa8e02ff1b8dda4ba2ccd75
parente78f134a78a0ae95b83ac0cac47ab0bb584ebaa7 (diff)
CHROMIUM: cgroups: relax permissions on moving tasks between cgroups
Android expects system_server to be able to move tasks between different cgroups/cpusets, but does not want to be running as root. Let's relax permission check so that processes can move other tasks if they have CAP_SYS_NICE in the affected task's user namespace. BUG=b:31790445,chromium:647994 TEST=Boot android container, examine logcat Change-Id: Ia919c66ab6ed6a6daf7c4cf67feb38b13b1ad09b Signed-off-by: Dmitry Torokhov <dtor@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/394927 Reviewed-by: Ricky Zhou <rickyz@chromium.org>
-rw-r--r--kernel/cgroup.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 371ee5a827e0..45c5e134d05b 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -2677,7 +2677,8 @@ static int cgroup_procs_write_permission(struct task_struct *task,
*/
if (!uid_eq(cred->euid, GLOBAL_ROOT_UID) &&
!uid_eq(cred->euid, tcred->uid) &&
- !uid_eq(cred->euid, tcred->suid))
+ !uid_eq(cred->euid, tcred->suid) &&
+ !ns_capable(tcred->user_ns, CAP_SYS_NICE))
ret = -EACCES;
if (!ret && cgroup_on_dfl(dst_cgrp)) {
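Review bot: The added `!ns_capable(tcred->user_ns, CAP_SYS_NICE)` term sits in the generic `cgroup_procs_write_permission()` check, so as far as this hunk shows it is not limited to the cgroups/cpusets case the commit message describes. A writer holding CAP_SYS_NICE in the target's user namespace would pass this uid gate for a migration in any hierarchy, including controllers unrelated to scheduling. If that breadth is intended, the comment that closes at `*/` just above the condition should say so, for example `* ... or the writer has CAP_SYS_NICE in the task's user namespace (applies to every controller, not only cpu/cpuset).`; if it is not intended, the capability test should be narrowed to the scheduling-related controllers. Because the capability is evaluated against `tcred->user_ns`, anyone privileged in that namespace passes with no uid relationship to the target, so on non-default hierarchies the remaining gate is presumably write permission on the destination cgroup file, which is worth confirming for the Android container setup. The function body starts and ends outside the hunk.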