Re: [RFC][PATCH 0/2] Another pass at Android style loosening of cgroup attach permissions

[John Stultz]

On Tue, Oct 4, 2016 at 9:16 AM, Tejun Heo <tj@xxxxxxxxxx> wrote:
> On Mon, Oct 03, 2016 at 09:41:28PM -0700, John Stultz wrote:
>> The migration of a task from the foreground to background, or to
>> elevate a task to audio priority, may be done by system service that
>> does not run as root. So this patch allows processes with CAP_SYS_NICE
>> to be able to migrate tasks between cgroups.  I suspect if there was a
>> specific cap (CAP_SYS_CHANGE_CGROUP) for this, it would be usable here,
>> but in its absence, they've overloaded CAP_SYS_NICE for this use.
>
> CAP_SYS_RESOURCE won't do?
>
>> At first glance, overloading CAP_SYS_NICE seems a bit hackish, but this
>> shows that there is a active and widely deployed use for different cgroup
>> attachment rules then what is currently available.
>
> I'm curious who issues these migrations.

The system_server process via the sched_policy logic:
http://androidxref.com/7.0.0_r1/xref/system/core/libcutils/sched_policy.c#274

See set_cpuset_policy() and set_sched_policy().

> Is that restricted to
> certain uids?  If so, would it work for android if cgroupfs supports
> ACL so that those uids can be approved via setfacl?  That'd be an a
> lot more generic approach.

So tasks might move themselves in some cases to specific groups, but
mostly its controlled by the system_server.

So to make sure I understand your suggestion, you're suggesting the
cgroupfs files like:
cpuctrl/tasks,
cpuctrl/bg_non_interactive/tasks,
cpuset/foreground/tasks,
cpuset/background/tasks,
etc
use ACL permissions to specify the specific uids that can write to
them? I guess this would be conceptually similar to just setting the
owner to the system task, no?  Though I'm not sure that would be
sufficient since it would still fail the
cgroup_procs_write_permission() checks. Or are you suggesting we add
extra logic to make the file owner uid as sufficient to change other
tasks?

thanks
-john