From 6390b3f09066bc258e0dc09c73aaaf778239169b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?= <tweek@google.com>
Date: Thu, 27 Jan 2022 15:17:02 +1100
Subject: [PATCH] Grant getpgid to system_server on zygote

Should system_server kill zygote on crashes, it will attempt to kill any
process in the same process group. This ensures that no untracked
children are left.

Bug: 216097542
Test: m selinux_policy
Change-Id: Ie16074f76e351d80d9f17be930a731f923f99835
---
 private/system_server.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/private/system_server.te b/private/system_server.te
index 6e108df9c..50d9dcc76 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -97,7 +97,7 @@ allow system_server {
   crash_dump
   webview_zygote
   zygote
-}:process { sigkill signull };
+}:process { getpgid sigkill signull };
 
 # Read /system/bin/app_process.
 allow system_server zygote_exec:file r_file_perms;