  • Add getpgid to system_service and init · d5f0aba0
    Tom Cherry authored
    In libprocessgroup, we want to only send signals once to processes,
    particularly for SIGTERM.  We must send the signal both to all
    processes within a POSIX process group and a cgroup.  To ensure that
    we do not duplicate the signals being sent, we check the processes in
    the cgroup to see if they're in the POSIX process groups that we're
    killing.  If they are, we skip sending a second signal.  This requires
    getpgid permissions, hence this SELinux change.
    
    avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=process permissive=1
    avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=process permissive=1
    avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:system_app:s0 tclass=process permissive=1
    avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:system_app:s0 tclass=process permissive=1
    avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:zygote:s0 tclass=process permissive=1
    avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:zygote:s0 tclass=process permissive=1
    avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:system_server:s0 tclass=process permissive=1
    avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:system_server:s0 tclass=process permissive=1
    
    Bug: 37853905
    Bug: 62418791
    Test: Boot, kill zygote, reboot
    Change-Id: Ib6c265dbaac8833c47145ae28fb6594ca8545570
    (cherry picked from commit c59eb4d8)
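
When reviewing a change like this, it helps to collapse the quoted denials into unique (source type, target type, class) tuples and compare them with what the policy diff grants. The following is an added example, not part of the commit or of AOSP: the function names are hypothetical, and the rules it prints are audit2allow-style candidates for review, not the rules this change actually added.

```python
import re

# Subset of the denial lines quoted in the commit message above (one duplicate kept).
SAMPLE = """\
avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=process permissive=1
avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=process permissive=1
avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:system_app:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:zygote:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:system_server:s0 tclass=process permissive=1
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)

def context_type(context):
    # A context is user:role:type:level, and the level may itself contain ':'
    # (s0:c512,c768), so split at most three times and take the third field.
    parts = context.split(":", 3)
    if len(parts) < 3:
        raise ValueError("malformed SELinux context: %r" % context)
    return parts[2]

def summarize(log_text):
    """Collapse denials to {(source, target, class): perms, count, blocked}."""
    summary = {}
    for m in AVC_RE.finditer(log_text):
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        entry = summary.setdefault(key, {"perms": set(), "count": 0, "blocked": False})
        entry["perms"].update(m["perms"].split())
        entry["count"] += 1
        # blocked is set only by an explicit permissive=0; with permissive=1
        # the access was logged but still allowed.
        entry["blocked"] |= m["permissive"] == "0"
    return summary

def candidate_rules(summary):
    """Render one allow rule per tuple, audit2allow style, for human review."""
    rules = []
    for (src, tgt, cls), entry in summary.items():
        perms = sorted(entry["perms"])
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, body))
    return rules

if __name__ == "__main__":
    print("\n".join(candidate_rules(summarize(SAMPLE))))
```

Every quoted denial carries `permissive=1`, so `blocked` stays false for all four tuples: the accesses were logged, not refused, on the device that produced them.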