memcg: add permission check

Use the 'allow_attach' handler for the 'mem' cgroup to allow
non-root processes to add arbitrary processes to a 'mem' cgroup
if it has the CAP_SYS_NICE capability set.

Bug: 18260435
Change-Id: If7d37bf90c1544024c4db53351adba6a64966250
Signed-off-by: Rom Lemarchand <romlem@android.com>

diff --git a/mm/memcontrol.c b/mm/memcontrol.c
index 194721839cf5d303a0de2b4df611b700db895043..338d62a052009c0d6543fc0aa597e7fbaf7587a9 100644 (file)
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -6753,6 +6753,12 @@ static int mem_cgroup_can_attach(struct cgroup *cgroup,
        return ret;
 }
 
+static int mem_cgroup_allow_attach(struct cgroup *cgroup,
+                                  struct cgroup_taskset *tset)
+{
+       return subsys_cgroup_allow_attach(cgroup, tset);
+}
+
 static void mem_cgroup_cancel_attach(struct cgroup *cgroup,
                                     struct cgroup_taskset *tset)
 {
@@ -6921,6 +6927,11 @@ static int mem_cgroup_can_attach(struct cgroup *cgroup,
 {
        return 0;
 }
+static int mem_cgroup_allow_attach(struct cgroup *cgroup,
+                                  struct cgroup_taskset *tset)
+{
+       return 0;
+}
 static void mem_cgroup_cancel_attach(struct cgroup *cgroup,
                                     struct cgroup_taskset *tset)
 {
@@ -6956,6 +6967,7 @@ struct cgroup_subsys mem_cgroup_subsys = {
        .can_attach = mem_cgroup_can_attach,
        .cancel_attach = mem_cgroup_cancel_attach,
        .attach = mem_cgroup_move_task,
+       .allow_attach = mem_cgroup_allow_attach,
        .bind = mem_cgroup_bind,
        .base_cftypes = mem_cgroup_files,
        .early_init = 0,