memcg: Allow non-root users permission to control memory

In a system like Android, a process with SYS_ADMIN rights
controls the system for things like moving process from
one cgroup to another. The native cgroup capabilities
are only allowed to execute by root user and not system.
While adding a new cgroup sub-system, one may override
and relax the permission so that 'system' can also control
cgroup. Here, memcg is one such cgroup sub system which
requires system level control for that.

Allow non-root processes to add arbitrary into 'memory'
cgroups if it has 'CAP_SYS_ADMIN' capability set.

Change-Id: I43d4468186f142c176cb5b5f060751bb1b160344
Signed-off-by: Chintan Pandya <cpandya@codeaurora.org>

1 files changed, 18 insertions, 0 deletions

diff --git a/mm/memcontrol.c b/mm/memcontrol.c
index 6bcb096fd..b843aeeb3 100644
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -7000,6 +7000,23 @@ static void mem_cgroup_move_task(struct cgroup *cont,
 }
 #endif
 
+static int mem_cgroup_allow_attach(struct cgroup *cgrp,
+				 struct cgroup_taskset *tset)
+{
+	const struct cred *cred = current_cred(), *tcred;
+	struct task_struct *task;
+
+	cgroup_taskset_for_each(task, cgrp, tset) {
+		tcred = __task_cred(task);
+
+		if ((current != task) && !capable(CAP_SYS_ADMIN) &&
+		    cred->euid != tcred->uid && cred->euid != tcred->suid)
+			return -EACCES;
+	}
+
+	return 0;
+}
+
 /*
  * Cgroup retains root cgroups across [un]mount cycles making it necessary
  * to verify sane_behavior flag on each mount attempt.
@@ -7025,6 +7042,7 @@ struct cgroup_subsys mem_cgroup_subsys = {
 	.can_attach = mem_cgroup_can_attach,
 	.cancel_attach = mem_cgroup_cancel_attach,
 	.attach = mem_cgroup_move_task,
+	.allow_attach = mem_cgroup_allow_attach,
 	.bind = mem_cgroup_bind,
 	.base_cftypes = mem_cgroup_files,
 	.disabled = 1,	/* Disable it for performance workaround */