CHROMIUM: cgroups: relax permissions on moving tasks between cgroups Android expects system_server to be able to move tasks between different cgroups/cpusets, but does not want to be running as root. Let's relax permission check so that processes can move other tasks if they have CAP_SYS_NICE in the affected task's user namespace. BUG=b:31790445,chromium:647994 TEST=Boot android container, examine logcat Change-Id: Ia919c66ab6ed6a6daf7c4cf67feb38b13b1ad09b Signed-off-by: Dmitry Torokhov <dtor@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/394927 Reviewed-by: Ricky Zhou <rickyz@chromium.org> Signed-off-by: Amit Pundir <amit.pundir@linaro.org>

commit: d1a3cc4aaf802d906201a224f4f34e65079e5f04 [log] [tgz]
author: Dmitry Torokhov <dtor@chromium.org> Thu Oct 06 16:14:16 2016 -0700
committer: Amit Pundir <amit.pundir@linaro.org> Sat Oct 29 13:54:22 2016 +0800
tree: 967fbb47bf90afb2c14ff2ec0c189b6e8f9f2c2d
parent: b50d89d5045027f1fc7dc4cc52a3f1aefeeb2533 [diff]
diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 4c9a7eb..111f24d 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c

@@ -2675,7 +2675,8 @@
 	 */
 	if (!uid_eq(cred->euid, GLOBAL_ROOT_UID) &&
 			!uid_eq(cred->euid, tcred->uid) &&
-			!uid_eq(cred->euid, tcred->suid))
+			!uid_eq(cred->euid, tcred->suid) &&
+			!ns_capable(tcred->user_ns, CAP_SYS_NICE))
 			ret = -EACCES;
 
 	if (!ret && cgroup_on_dfl(dst_cgrp)) {
commit	d1a3cc4aaf802d906201a224f4f34e65079e5f04	[log] [tgz]
author	Dmitry Torokhov <dtor@chromium.org>	Thu Oct 06 16:14:16 2016 -0700
committer	Amit Pundir <amit.pundir@linaro.org>	Sat Oct 29 13:54:22 2016 +0800
tree	967fbb47bf90afb2c14ff2ec0c189b6e8f9f2c2d
parent	b50d89d5045027f1fc7dc4cc52a3f1aefeeb2533 [diff]