tizen: Do not try to read /proc/1/cgroup from unprivileged processes
authorINSUN PYO <insun.pyo@samsung.com>
Tue, 11 Apr 2017 07:26:57 +0000 (16:26 +0900)
committerŁukasz Stelmach <l.stelmach@samsung.com>
Mon, 12 Feb 2024 15:37:43 +0000 (16:37 +0100)
In Tizen access to /proc/1 is restricted via Smack. However, there are
unprivileged functions that need to work with information from this dir.
This change caches the cgroup information in /run, allowing system-wide
access to it.

Signed-off-by: INSUN PYO <insun.pyo@samsung.com>
Change-Id: I2a2977400c7917804599cfb6f225dab897dc8b14

src/basic/cgroup-util.c
src/basic/special.h
src/core/cgroup.c

index 8d39318..91fa96a 100644 (file)
@@ -1226,15 +1226,12 @@ int cg_get_root_path(char **path) {
 
         assert(path);
 
-        r = cg_pid_get_path(SYSTEMD_CGROUP_CONTROLLER, 1, &p);
-        if (r == -EACCES) {
-                /* /proc/1/cgroup might not be accessible due
-                 * to security policy - assume sane default */
-                p = strdup("/");
-                if (!p)
-                        return -ENOMEM;
-        } else if (r < 0)
-                return r;
+        r = read_one_line_file(XCACHE_CGROUP_ROOT, &p);
+        if (r < 0) {
+                r = cg_pid_get_path(SYSTEMD_CGROUP_CONTROLLER, 1, &p);
+                if (r < 0)
+                        return r;
+        }
 
         e = endswith(p, "/" SPECIAL_INIT_SCOPE);
         if (!e)
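Review bot: The `-EACCES` fallback to "/" is dropped from the new lookup in cg_get_root_path(). A caller that finds no cache file and is denied /proc/1/cgroup by Smack now gets an error where it used to get a usable default. That case is reachable whenever the cache was not written or not relabelled, so the old branch should stay on the fallback path, as sketched below. The cached line is also used exactly as read, so its integrity presumably rests on /run/systemd being writable only by root; a check that `p` is an absolute path before it is used would make that explicit. The function's declarations and the rest of its body lie outside the hunk.

```c
r = read_one_line_file(XCACHE_CGROUP_ROOT, &p);
if (r < 0) {
        /* No usable cache: ask /proc/1/cgroup, keeping the old
         * default for callers that policy locks out of it. */
        r = cg_pid_get_path(SYSTEMD_CGROUP_CONTROLLER, 1, &p);
        if (r == -EACCES) {
                p = strdup("/");
                if (!p)
                        return -ENOMEM;
        } else if (r < 0)
                return r;
}
/* … unchanged: endswith() suffix handling … */
```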
index 084d3df..872c56f 100644 (file)
 
 /* The scope unit systemd itself lives in. */
 #define SPECIAL_INIT_SCOPE "init.scope"
+
+
+#define XCACHE_CGROUP_ROOT "/run/systemd/x-cache-cgroup-root"
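Review bot: The new `XCACHE_CGROUP_ROOT` define has no comment, unlike `SPECIAL_INIT_SCOPE` just above it, and it is a runtime file path placed among what look like unit-name constants. A one-line comment would tell readers who owns the file, for example `/* Tizen: PID 1's cgroup path, written by manager_setup_cgroup() and read by cg_get_root_path() when /proc/1/cgroup is not accessible. */`. One of the two blank lines added before it can go.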
index c19e43f..e622656 100644 (file)
@@ -33,6 +33,8 @@
 #include "string-table.h"
 #include "string-util.h"
 #include "stdio-util.h"
+#include "umask-util.h"
+#include "smack-util.h"
 
 #define CGROUP_CPU_QUOTA_PERIOD_USEC ((usec_t) 100 * USEC_PER_MSEC)
 
@@ -1629,6 +1631,14 @@ int manager_setup_cgroup(Manager *m) {
          * versions where PID 1 was moved there. Also see
          * cg_get_root_path(). */
         if (!e && MANAGER_IS_SYSTEM(m)) {
+                /* Cache pid's 1 cgroup for unpriviledged clients.
+                   Needed as /proc/1/.. is inaccessible due to Smack privs */
+                RUN_WITH_UMASK(0022) {
+                        r = write_string_file(XCACHE_CGROUP_ROOT, m->cgroup_root, WRITE_STRING_FILE_CREATE);
+                }
+                if (r >= 0)
+                        mac_smack_apply(XCACHE_CGROUP_ROOT, SMACK_ATTR_ACCESS, "_");
+
                 e = endswith(m->cgroup_root, "/" SPECIAL_SYSTEM_SLICE);
                 if (!e)
                         e = endswith(m->cgroup_root, "/system"); /* even more legacy */
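Review bot: Both failure paths of the cache write in manager_setup_cgroup() are silent: a failed `write_string_file()` is skipped without a log line, and the return value of `mac_smack_apply()` is discarded. If either fails, unprivileged clients cannot use the cache and fall back to /proc/1/cgroup, which is the access this commit is meant to avoid, and nothing in the journal says why. The block also overwrites `r`, so whether later code reads it should be checked against the part of the function outside the hunk. The write sits inside the `if (!e && MANAGER_IS_SYSTEM(m))` branch, so it only runs when `e` is NULL; `e` is assigned above the hunk, so please confirm the cache is created on the configurations that need it.

```c
RUN_WITH_UMASK(0022) {
        r = write_string_file(XCACHE_CGROUP_ROOT, m->cgroup_root, WRITE_STRING_FILE_CREATE);
}
if (r < 0)
        log_warning_errno(r, "Failed to write %s, ignoring: %m", XCACHE_CGROUP_ROOT);
else {
        r = mac_smack_apply(XCACHE_CGROUP_ROOT, SMACK_ATTR_ACCESS, "_");
        if (r < 0)
                log_warning_errno(r, "Failed to set Smack label on %s, ignoring: %m", XCACHE_CGROUP_ROOT);
}
/* … unchanged: endswith() checks for the legacy system slice … */
```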