snapuserd: sepolicy for setting task-profiles

Post OTA reboot, snapshot-merge threads will be run in the background cgroup so that they don't run on big cores. Hence, use SetTaskProfiles() API to move the thread to the relevant cgroup.

When setting SetTaskProfile API, /dev/cpuset/background/tasks path
is accessed which requires process to be in system group.

Use setgid to move the task to system group.

Bug: 311233916
Test: OTA on Pixel 6 - Verify that merge threads are not run on big
cores
Change-Id: Ie4921910985292b0b05f4ffc70b0d08ad9e4a662
Signed-off-by: Akilesh Kailash <akailash@google.com>
Akilesh Kailash 2023-11-26 14:02:58 -08:00
parent 24d52ac42a
commit 047bc6669f

@ -33,6 +33,9 @@ allow snapuserd dm_user_device:chr_file rw_file_perms;
allow snapuserd snapuserd_socket:unix_stream_socket { accept listen getattr read write };
allow snapuserd snapuserd_proxy_socket:sock_file write;
# Required for setting GID to system while calling SetTaskProfile() API
allow snapuserd self:global_capability_class_set { setgid };
# This arises due to first-stage init opening /dev/null without F_CLOEXEC
# (see SetStdioToDevNull in init). When we fork() and execveat() snapuserd
# again, the descriptor leaks into the new process.
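
Review bot: The setgid grant on the added line "allow snapuserd self:global_capability_class_set { setgid };" is not limited to the system group by this rule, because the capability covers a change to any GID. The comment above it should therefore record why the capability is needed (the commit message names the /dev/cpuset/background/tasks access) and that the daemon only switches to system, so a later reader can judge whether the rule is still required. Two smaller points on the same lines: the comment says SetTaskProfile() while the commit message names SetTaskProfiles(), and the braces around a single permission can be dropped.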