From 623b56af5da59fb57abcb2d984762669c82f57e9 Mon Sep 17 00:00:00 2001
From: Martijn Coenen
Date: Mon, 8 Feb 2016 11:42:25 +0100
Subject: [PATCH] Fix libprocessgroup SELinux denials.
libprocessgroup checks whether it can use memory cgroups for keeping track of forked processes by seeing whether /dev/memcg/apps is writable. However, on systems with memory cgroups disabled, SELinux (correctly) no longer classifies this directory as a cgroup, and starts denying zygote access. To fix this, first check whether /dev/memcg/apps/tasks exists to see if the cgroup is mounted; only then check whether we can write to the directory.
Bug: 27046965
Change-Id: I6e44cd62d8c396e20ceb162c50606b3e86f2cb3e
---
 libprocessgroup/processgroup.cpp | 6 +++++-
 rootdir/init.rc | 2 +-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/libprocessgroup/processgroup.cpp b/libprocessgroup/processgroup.cpp
index f160ac17d..5ab957d86 100644
--- a/libprocessgroup/processgroup.cpp
+++ b/libprocessgroup/processgroup.cpp
@@ -38,6 +38,7 @@
 #include
 #define MEM_CGROUP_PATH "/dev/memcg/apps"
+#define MEM_CGROUP_TASKS "/dev/memcg/apps/tasks"
 #define ACCT_CGROUP_PATH "/acct"
 #define PROCESSGROUP_UID_PREFIX "uid_"
@@ -68,7 +69,10 @@ struct ctx {
 static const char* getCgroupRootPath() {
 static const char* cgroup_root_path = NULL;
 std::call_once(init_path_flag, [&]() {
- cgroup_root_path = access(MEM_CGROUP_PATH, W_OK) ? ACCT_CGROUP_PATH : MEM_CGROUP_PATH;
+ // Check if mem cgroup is mounted, only then check for write-access to avoid
+ // SELinux denials
+ cgroup_root_path = access(MEM_CGROUP_TASKS, F_OK) || access(MEM_CGROUP_PATH, W_OK) ?
+ ACCT_CGROUP_PATH : MEM_CGROUP_PATH;
 });
 return cgroup_root_path;
 }
diff --git a/rootdir/init.rc b/rootdir/init.rc
index e2ffe5db0..faae48efb 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
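Review bot: The new `cgroup_root_path` assignment in getCgroupRootPath() relies on `||` binding tighter than `?:`, which is correct, but split across two lines at the `?` it reads as if the second `access()` alone selected the path; parenthesising the condition and comparing against zero makes the intent explicit: `cgroup_root_path = (access(MEM_CGROUP_TASKS, F_OK) != 0 || access(MEM_CGROUP_PATH, W_OK) != 0)` followed by `? ACCT_CGROUP_PATH : MEM_CGROUP_PATH;`. In the first hunk `MEM_CGROUP_TASKS` repeats the `/dev/memcg/apps` prefix by hand; defining it as `#define MEM_CGROUP_TASKS MEM_CGROUP_PATH "/tasks"` keeps the two paths from drifting apart. The probe runs once under `std::call_once` and its result is held for the process lifetime, and `access()` on a missing `tasks` entry still needs search permission on `/dev/memcg/apps`, so if policy denies that as well the F_OK check fails and the code falls back to `/acct`, which is the safe direction; that is worth stating in the added comment, e.g. `// Any failure (not mounted, not searchable, not writable) falls back to /acct; the result is cached for the process lifetime.`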
@@ -85,7 +85,7 @@ on init
 # root memory control cgroup, used by lmkd
 mkdir /dev/memcg 0700 root system
 mount cgroup none /dev/memcg memory
- # app mem cgroups, used by activity manager and lmkd
+ # app mem cgroups, used by activity manager, lmkd and zygote
 mkdir /dev/memcg/apps/ 0755 system system
 write /proc/sys/kernel/panic_on_oops 1