Re: [PATCH v5] cgroup: Add new capability to allow a process to migrate other tasks between cgroups

From: John Stultz
Date: Mon Dec 12 2016 - 20:40:56 EST

On Mon, Dec 12, 2016 at 5:39 PM, John Stultz <john.stultz@xxxxxxxxxx> wrote:
> This patch adds CAP_CGROUP_MIGRATE and logic to allow a process
> to migrate other tasks between cgroups.
>
> In Android (where this feature originated), the ActivityManager
> tracks various application states (TOP_APP, FOREGROUND,
> BACKGROUND, SYSTEM, etc.), and then as applications change
> states, the SchedPolicy logic will migrate the application tasks
> between different cgroups used to control the different
> application states (for example, there is a background cpuset
> cgroup which can limit background tasks to stay on one low-power
> cpu, and the bg_non_interactive cpuctrl cgroup can then further
> limit those background tasks to a small percentage of that one
> cpu's cpu time).
>
> However, for security reasons, Android doesn't want to make the
> system_server (the process that runs the ActivityManager and
> SchedPolicy logic) run as root. So in the Android common.git
> kernel, they have some logic to allow cgroups to loosen their
> permissions so CAP_SYS_NICE tasks can migrate other tasks between
> cgroups.
>
> I feel the approach taken there overloads CAP_SYS_NICE a bit much
> for non-Android environments. Efforts to re-use CAP_SYS_RESOURCE
> for this purpose (which Android has since adopted) were also
> stymied by concerns about risks from future cgroups that could be
> considered "dangerous" by how they might change system semantics.
>
> So to avoid overlapping usage, this patch adds a brand new
> process capability flag (CAP_CGROUP_MIGRATE), and uses it when
> checking if a task can migrate other tasks between cgroups.
>
> I've tested this with AOSP master (though it's a bit hacked in as
> I still need to properly get the selinux bits aware of the new
> capability bit) with selinux set to permissive and it seems to be
> working well.
>
> Thoughts and feedback would be appreciated!

After sending this I just realized that this is changed enough I
should probably remove Serge's Acked-by here. Apologies.

But otherwise feedback on this would be appreciated!
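As an added illustration, not code from the patch or from the kernel, here is a small user-space C model of the migration permission rule the cover letter describes: root, or a caller whose effective uid matches the target's real or saved uid, may already move a task, and CAP_CGROUP_MIGRATE is meant to let a non-root system_server do the same across uids. The `struct creds`, the uids (1000 for system_server, 10042 for an app) and the `cap_cgroup_migrate` flag are constructed stand-ins; the legacy conditions follow the cgroup v1 write-permission check as I understand it.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Model of the credentials the check looks at (stand-in for struct cred). */
struct creds {
    unsigned int euid;          /* effective uid of the process */
    unsigned int uid;           /* real uid */
    unsigned int suid;          /* saved uid */
    bool cap_cgroup_migrate;    /* holds the proposed capability (root always does) */
};

/* Existing rule: the caller must be root, or the target task's real or
 * saved uid must match the caller's effective uid. 0 = allowed. */
static int may_migrate_legacy(const struct creds *caller, const struct creds *target)
{
    if (caller->euid == 0 ||
        caller->euid == target->uid ||
        caller->euid == target->suid)
        return 0;
    return -EACCES;
}

/* Rule with the new capability: CAP_CGROUP_MIGRATE stands in for root on
 * cross-uid moves; same-uid moves remain allowed without it. */
static int may_migrate(const struct creds *caller, const struct creds *target)
{
    if (caller->cap_cgroup_migrate)
        return 0;
    return may_migrate_legacy(caller, target);
}

/* Scenario helper: a caller with the given uid (and optionally the new
 * capability) tries to move a task owned by target_uid. Constructed uids:
 * 0 = root, 1000 = system_server, 10042 = an application. */
int migrate_check(unsigned int caller_uid, bool caller_has_cap, unsigned int target_uid)
{
    struct creds caller = { caller_uid, caller_uid, caller_uid, caller_has_cap || caller_uid == 0 };
    struct creds target = { target_uid, target_uid, target_uid, false };
    return may_migrate(&caller, &target);
}

int main(void)
{
    printf("system_server without cap moving app task: %d\n", migrate_check(1000, false, 10042)); /* -EACCES */
    printf("system_server with cap moving app task:    %d\n", migrate_check(1000, true, 10042));  /* 0 */
    printf("app moving its own task:                   %d\n", migrate_check(10042, false, 10042)); /* 0 */
    return 0;
}
```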