1 /*
2  * Copyright (C) 2019 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 //#define LOG_NDEBUG 0
18 #define LOG_TAG "libprocessgroup"
19 
20 #include <dirent.h>
21 #include <errno.h>
22 #include <fcntl.h>
23 #include <grp.h>
24 #include <pwd.h>
25 #include <sys/mman.h>
26 #include <sys/mount.h>
27 #include <sys/stat.h>
28 #include <sys/types.h>
29 #include <time.h>
30 #include <unistd.h>
31 
32 #include <optional>
33 
34 #include <android-base/file.h>
35 #include <android-base/logging.h>
36 #include <android-base/properties.h>
37 #include <android-base/stringprintf.h>
38 #include <android-base/unique_fd.h>
39 #include <android/cgrouprc.h>
40 #include <json/reader.h>
41 #include <json/value.h>
42 #include <processgroup/format/cgroup_file.h>
43 #include <processgroup/processgroup.h>
44 #include <processgroup/setup.h>
45 
46 #include "../build_flags.h"
47 #include "cgroup_descriptor.h"
48 
49 using android::base::GetUintProperty;
50 using android::base::StringPrintf;
51 using android::base::unique_fd;
52 
53 namespace android {
54 namespace cgrouprc {
55 
56 static constexpr const char* CGROUPS_DESC_FILE = "/etc/cgroups.json";
57 static constexpr const char* CGROUPS_DESC_VENDOR_FILE = "/vendor/etc/cgroups.json";
58 
59 static constexpr const char* TEMPLATE_CGROUPS_DESC_API_FILE = "/etc/task_profiles/cgroups_%u.json";
60 
61 static const std::string CGROUP_V2_ROOT_DEFAULT = "/sys/fs/cgroup";
62 
ChangeDirModeAndOwner(const std::string & path,mode_t mode,const std::string & uid,const std::string & gid,bool permissive_mode=false)63 static bool ChangeDirModeAndOwner(const std::string& path, mode_t mode, const std::string& uid,
64                                   const std::string& gid, bool permissive_mode = false) {
65     uid_t pw_uid = -1;
66     gid_t gr_gid = -1;
67 
68     if (!uid.empty()) {
69         passwd* uid_pwd = getpwnam(uid.c_str());
70         if (!uid_pwd) {
71             PLOG(ERROR) << "Unable to decode UID for '" << uid << "'";
72             return false;
73         }
74 
75         pw_uid = uid_pwd->pw_uid;
76         gr_gid = -1;
77 
78         if (!gid.empty()) {
79             group* gid_pwd = getgrnam(gid.c_str());
80             if (!gid_pwd) {
81                 PLOG(ERROR) << "Unable to decode GID for '" << gid << "'";
82                 return false;
83             }
84             gr_gid = gid_pwd->gr_gid;
85         }
86     }
87 
88     auto dir = std::unique_ptr<DIR, decltype(&closedir)>(opendir(path.c_str()), closedir);
89 
90     if (dir == NULL) {
91         PLOG(ERROR) << "opendir failed for " << path;
92         return false;
93     }
94 
95     struct dirent* dir_entry;
96     while ((dir_entry = readdir(dir.get()))) {
97         if (!strcmp("..", dir_entry->d_name)) {
98             continue;
99         }
100 
101         std::string file_path = path + "/" + dir_entry->d_name;
102 
103         if (pw_uid != -1 && lchown(file_path.c_str(), pw_uid, gr_gid) < 0) {
104             PLOG(ERROR) << "lchown() failed for " << file_path;
105             return false;
106         }
107 
108         if (fchmodat(AT_FDCWD, file_path.c_str(), mode, AT_SYMLINK_NOFOLLOW) != 0 &&
109             (errno != EROFS || !permissive_mode)) {
110             PLOG(ERROR) << "fchmodat() failed for " << path;
111             return false;
112         }
113     }
114 
115     return true;
116 }
117 
Mkdir(const std::string & path,mode_t mode,const std::string & uid,const std::string & gid)118 static bool Mkdir(const std::string& path, mode_t mode, const std::string& uid,
119                   const std::string& gid) {
120     bool permissive_mode = false;
121 
122     if (mode == 0) {
123         /* Allow chmod to fail */
124         permissive_mode = true;
125         mode = 0755;
126     }
127 
128     if (mkdir(path.c_str(), mode) != 0) {
129         // /acct is a special case when the directory already exists
130         if (errno != EEXIST) {
131             PLOG(ERROR) << "mkdir() failed for " << path;
132             return false;
133         } else {
134             permissive_mode = true;
135         }
136     }
137 
138     if (uid.empty() && permissive_mode) {
139         return true;
140     }
141 
142     if (!ChangeDirModeAndOwner(path, mode, uid, gid, permissive_mode)) {
143         PLOG(ERROR) << "change of ownership or mode failed for " << path;
144         return false;
145     }
146 
147     return true;
148 }
149 
MergeCgroupToDescriptors(std::map<std::string,CgroupDescriptor> * descriptors,const Json::Value & cgroup,const std::string & name,const std::string & root_path,int cgroups_version)150 static void MergeCgroupToDescriptors(std::map<std::string, CgroupDescriptor>* descriptors,
151                                      const Json::Value& cgroup, const std::string& name,
152                                      const std::string& root_path, int cgroups_version) {
153     const std::string cgroup_path = cgroup["Path"].asString();
154     std::string path;
155 
156     if (!root_path.empty()) {
157         path = root_path;
158         if (cgroup_path != ".") {
159             path += "/";
160             path += cgroup_path;
161         }
162     } else {
163         path = cgroup_path;
164     }
165 
166     uint32_t controller_flags = 0;
167 
168     if (cgroup["NeedsActivation"].isBool() && cgroup["NeedsActivation"].asBool()) {
169         controller_flags |= CGROUPRC_CONTROLLER_FLAG_NEEDS_ACTIVATION;
170     }
171 
172     if (cgroup["Optional"].isBool() && cgroup["Optional"].asBool()) {
173         controller_flags |= CGROUPRC_CONTROLLER_FLAG_OPTIONAL;
174     }
175 
176     CgroupDescriptor descriptor(
177             cgroups_version, name, path, std::strtoul(cgroup["Mode"].asString().c_str(), 0, 8),
178             cgroup["UID"].asString(), cgroup["GID"].asString(), controller_flags);
179 
180     auto iter = descriptors->find(name);
181     if (iter == descriptors->end()) {
182         descriptors->emplace(name, descriptor);
183     } else {
184         iter->second = descriptor;
185     }
186 }
187 
188 static const bool force_memcg_v2 = android::libprocessgroup_flags::force_memcg_v2();
189 
ReadDescriptorsFromFile(const std::string & file_name,std::map<std::string,CgroupDescriptor> * descriptors)190 static bool ReadDescriptorsFromFile(const std::string& file_name,
191                                     std::map<std::string, CgroupDescriptor>* descriptors) {
192     std::vector<CgroupDescriptor> result;
193     std::string json_doc;
194 
195     if (!android::base::ReadFileToString(file_name, &json_doc)) {
196         PLOG(ERROR) << "Failed to read task profiles from " << file_name;
197         return false;
198     }
199 
200     Json::CharReaderBuilder builder;
201     std::unique_ptr<Json::CharReader> reader(builder.newCharReader());
202     Json::Value root;
203     std::string errorMessage;
204     if (!reader->parse(&*json_doc.begin(), &*json_doc.end(), &root, &errorMessage)) {
205         LOG(ERROR) << "Failed to parse cgroups description: " << errorMessage;
206         return false;
207     }
208 
209     if (root.isMember("Cgroups")) {
210         const Json::Value& cgroups = root["Cgroups"];
211         for (Json::Value::ArrayIndex i = 0; i < cgroups.size(); ++i) {
212             std::string name = cgroups[i]["Controller"].asString();
213 
214             if (force_memcg_v2 && name == "memory") continue;
215 
216             MergeCgroupToDescriptors(descriptors, cgroups[i], name, "", 1);
217         }
218     }
219 
220     bool memcgv2_present = false;
221     std::string root_path;
222     if (root.isMember("Cgroups2")) {
223         const Json::Value& cgroups2 = root["Cgroups2"];
224         root_path = cgroups2["Path"].asString();
225         MergeCgroupToDescriptors(descriptors, cgroups2, CGROUPV2_HIERARCHY_NAME, "", 2);
226 
227         const Json::Value& childGroups = cgroups2["Controllers"];
228         for (Json::Value::ArrayIndex i = 0; i < childGroups.size(); ++i) {
229             std::string name = childGroups[i]["Controller"].asString();
230 
231             if (force_memcg_v2 && name == "memory") memcgv2_present = true;
232 
233             MergeCgroupToDescriptors(descriptors, childGroups[i], name, root_path, 2);
234         }
235     }
236 
237     if (force_memcg_v2 && !memcgv2_present) {
238         LOG(INFO) << "Forcing memcg to v2 hierarchy";
239         Json::Value memcgv2;
240         memcgv2["Controller"] = "memory";
241         memcgv2["NeedsActivation"] = true;
242         memcgv2["Path"] = ".";
243         memcgv2["Optional"] = true;  // In case of cgroup_disabled=memory, so we can still boot
244         MergeCgroupToDescriptors(descriptors, memcgv2, "memory",
245                                  root_path.empty() ? CGROUP_V2_ROOT_DEFAULT : root_path, 2);
246     }
247 
248     return true;
249 }
250 
ReadDescriptors(std::map<std::string,CgroupDescriptor> * descriptors)251 static bool ReadDescriptors(std::map<std::string, CgroupDescriptor>* descriptors) {
252     // load system cgroup descriptors
253     if (!ReadDescriptorsFromFile(CGROUPS_DESC_FILE, descriptors)) {
254         return false;
255     }
256 
257     // load API-level specific system cgroups descriptors if available
258     unsigned int api_level = GetUintProperty<unsigned int>("ro.product.first_api_level", 0);
259     if (api_level > 0) {
260         std::string api_cgroups_path =
261                 android::base::StringPrintf(TEMPLATE_CGROUPS_DESC_API_FILE, api_level);
262         if (!access(api_cgroups_path.c_str(), F_OK) || errno != ENOENT) {
263             if (!ReadDescriptorsFromFile(api_cgroups_path, descriptors)) {
264                 return false;
265             }
266         }
267     }
268 
269     // load vendor cgroup descriptors if the file exists
270     if (!access(CGROUPS_DESC_VENDOR_FILE, F_OK) &&
271         !ReadDescriptorsFromFile(CGROUPS_DESC_VENDOR_FILE, descriptors)) {
272         return false;
273     }
274 
275     return true;
276 }
277 
278 // To avoid issues in sdk_mac build
279 #if defined(__ANDROID__)
280 
IsOptionalController(const format::CgroupController * controller)281 static bool IsOptionalController(const format::CgroupController* controller) {
282     return controller->flags() & CGROUPRC_CONTROLLER_FLAG_OPTIONAL;
283 }
284 
MountV2CgroupController(const CgroupDescriptor & descriptor)285 static bool MountV2CgroupController(const CgroupDescriptor& descriptor) {
286     const format::CgroupController* controller = descriptor.controller();
287 
288     // /sys/fs/cgroup is created by cgroup2 with specific selinux permissions,
289     // try to create again in case the mount point is changed
290     if (!Mkdir(controller->path(), 0, "", "")) {
291         LOG(ERROR) << "Failed to create directory for " << controller->name() << " cgroup";
292         return false;
293     }
294 
295     // The memory_recursiveprot mount option has been introduced by kernel commit
296     // 8a931f801340 ("mm: memcontrol: recursive memory.low protection"; v5.7). Try first to
297     // mount with that option enabled. If mounting fails because the kernel is too old,
298     // retry without that mount option.
299     if (mount("none", controller->path(), "cgroup2", MS_NODEV | MS_NOEXEC | MS_NOSUID,
300               "memory_recursiveprot") < 0) {
301         LOG(INFO) << "Mounting memcg with memory_recursiveprot failed. Retrying without.";
302         if (mount("none", controller->path(), "cgroup2", MS_NODEV | MS_NOEXEC | MS_NOSUID,
303                   nullptr) < 0) {
304             PLOG(ERROR) << "Failed to mount cgroup v2";
305             return IsOptionalController(controller);
306         }
307     }
308 
309     // selinux permissions change after mounting, so it's ok to change mode and owner now
310     if (!ChangeDirModeAndOwner(controller->path(), descriptor.mode(), descriptor.uid(),
311                                descriptor.gid())) {
312         PLOG(ERROR) << "Change of ownership or mode failed for controller " << controller->name();
313         return IsOptionalController(controller);
314     }
315 
316     return true;
317 }
318 
ActivateV2CgroupController(const CgroupDescriptor & descriptor)319 static bool ActivateV2CgroupController(const CgroupDescriptor& descriptor) {
320     const format::CgroupController* controller = descriptor.controller();
321 
322     if (!Mkdir(controller->path(), descriptor.mode(), descriptor.uid(), descriptor.gid())) {
323         LOG(ERROR) << "Failed to create directory for " << controller->name() << " cgroup";
324         return false;
325     }
326 
327     if (controller->flags() & CGROUPRC_CONTROLLER_FLAG_NEEDS_ACTIVATION) {
328         std::string str = "+";
329         str += controller->name();
330         std::string path = controller->path();
331         path += "/cgroup.subtree_control";
332 
333         if (!base::WriteStringToFile(str, path)) {
334             if (IsOptionalController(controller)) {
335                 PLOG(INFO) << "Failed to activate optional controller " << controller->name()
336                            << " at " << path;
337                 return true;
338             }
339             PLOG(ERROR) << "Failed to activate controller " << controller->name();
340             return false;
341         }
342     }
343 
344     return true;
345 }
346 
MountV1CgroupController(const CgroupDescriptor & descriptor)347 static bool MountV1CgroupController(const CgroupDescriptor& descriptor) {
348     const format::CgroupController* controller = descriptor.controller();
349 
350     // mkdir <path> [mode] [owner] [group]
351     if (!Mkdir(controller->path(), descriptor.mode(), descriptor.uid(), descriptor.gid())) {
352         LOG(ERROR) << "Failed to create directory for " << controller->name() << " cgroup";
353         return false;
354     }
355 
356     // Unfortunately historically cpuset controller was mounted using a mount command
357     // different from all other controllers. This results in controller attributes not
358     // to be prepended with controller name. For example this way instead of
359     // /dev/cpuset/cpuset.cpus the attribute becomes /dev/cpuset/cpus which is what
360     // the system currently expects.
361     int res;
362     if (!strcmp(controller->name(), "cpuset")) {
363         // mount cpuset none /dev/cpuset nodev noexec nosuid
364         res = mount("none", controller->path(), controller->name(),
365                     MS_NODEV | MS_NOEXEC | MS_NOSUID, nullptr);
366     } else {
367         // mount cgroup none <path> nodev noexec nosuid <controller>
368         res = mount("none", controller->path(), "cgroup", MS_NODEV | MS_NOEXEC | MS_NOSUID,
369                     controller->name());
370     }
371     if (res != 0) {
372         if (IsOptionalController(controller)) {
373             PLOG(INFO) << "Failed to mount optional controller " << controller->name();
374             return true;
375         }
376         PLOG(ERROR) << "Failed to mount controller " << controller->name();
377         return false;
378     }
379     return true;
380 }
381 
SetupCgroup(const CgroupDescriptor & descriptor)382 static bool SetupCgroup(const CgroupDescriptor& descriptor) {
383     const format::CgroupController* controller = descriptor.controller();
384 
385     if (controller->version() == 2) {
386         if (!strcmp(controller->name(), CGROUPV2_HIERARCHY_NAME)) {
387             return MountV2CgroupController(descriptor);
388         } else {
389             return ActivateV2CgroupController(descriptor);
390         }
391     } else {
392         return MountV1CgroupController(descriptor);
393     }
394 }
395 
396 #else
397 
398 // Stubs for non-Android targets.
SetupCgroup(const CgroupDescriptor &)399 static bool SetupCgroup(const CgroupDescriptor&) {
400     return false;
401 }
402 
403 #endif
404 
WriteRcFile(const std::map<std::string,CgroupDescriptor> & descriptors)405 static bool WriteRcFile(const std::map<std::string, CgroupDescriptor>& descriptors) {
406     unique_fd fd(TEMP_FAILURE_RETRY(open(CGROUPS_RC_PATH, O_CREAT | O_WRONLY | O_TRUNC | O_CLOEXEC,
407                                          S_IRUSR | S_IRGRP | S_IROTH)));
408     if (fd < 0) {
409         PLOG(ERROR) << "open() failed for " << CGROUPS_RC_PATH;
410         return false;
411     }
412 
413     format::CgroupFile fl;
414     fl.version_ = format::CgroupFile::FILE_CURR_VERSION;
415     fl.controller_count_ = descriptors.size();
416     int ret = TEMP_FAILURE_RETRY(write(fd, &fl, sizeof(fl)));
417     if (ret < 0) {
418         PLOG(ERROR) << "write() failed for " << CGROUPS_RC_PATH;
419         return false;
420     }
421 
422     for (const auto& [name, descriptor] : descriptors) {
423         ret = TEMP_FAILURE_RETRY(
424                 write(fd, descriptor.controller(), sizeof(format::CgroupController)));
425         if (ret < 0) {
426             PLOG(ERROR) << "write() failed for " << CGROUPS_RC_PATH;
427             return false;
428         }
429     }
430 
431     return true;
432 }
433 
CgroupDescriptor(uint32_t version,const std::string & name,const std::string & path,mode_t mode,const std::string & uid,const std::string & gid,uint32_t flags=0)434 CgroupDescriptor::CgroupDescriptor(uint32_t version, const std::string& name,
435                                    const std::string& path, mode_t mode, const std::string& uid,
436                                    const std::string& gid, uint32_t flags = 0)
437     : controller_(version, flags, name, path), mode_(mode), uid_(uid), gid_(gid) {}
438 
set_mounted(bool mounted)439 void CgroupDescriptor::set_mounted(bool mounted) {
440     uint32_t flags = controller_.flags();
441     if (mounted) {
442         flags |= CGROUPRC_CONTROLLER_FLAG_MOUNTED;
443     } else {
444         flags &= ~CGROUPRC_CONTROLLER_FLAG_MOUNTED;
445     }
446     controller_.set_flags(flags);
447 }
448 
449 }  // namespace cgrouprc
450 }  // namespace android
451 
MGLRUDisabled()452 static std::optional<bool> MGLRUDisabled() {
453     const std::string file_name = "/sys/kernel/mm/lru_gen/enabled";
454     std::string content;
455     if (!android::base::ReadFileToString(file_name, &content)) {
456         PLOG(ERROR) << "Failed to read MGLRU state from " << file_name;
457         return {};
458     }
459 
460     return content == "0x0000";
461 }
462 
MEMCGDisabled(const std::map<std::string,android::cgrouprc::CgroupDescriptor> & descriptors)463 static std::optional<bool> MEMCGDisabled(
464         const std::map<std::string, android::cgrouprc::CgroupDescriptor>& descriptors) {
465     std::string cgroup_v2_root = android::cgrouprc::CGROUP_V2_ROOT_DEFAULT;
466     const auto it = descriptors.find(CGROUPV2_HIERARCHY_NAME);
467     if (it == descriptors.end()) {
468         LOG(WARNING) << "No Cgroups2 path found in cgroups.json. Vendor has modified Android, and "
469                      << "kernel memory use will be higher than intended.";
470     } else if (it->second.controller()->path() != cgroup_v2_root) {
471         cgroup_v2_root = it->second.controller()->path();
472     }
473 
474     const std::string file_name = cgroup_v2_root + "/cgroup.controllers";
475     std::string content;
476     if (!android::base::ReadFileToString(file_name, &content)) {
477         PLOG(ERROR) << "Failed to read cgroup controllers from " << file_name;
478         return {};
479     }
480 
481     // If we've forced memcg to v2 and it's not available, then it could only have been disabled
482     // on the kernel command line (GKI sets CONFIG_MEMCG).
483     return content.find("memory") == std::string::npos;
484 }
485 
CreateV2SubHierarchy(const std::string & path,const std::map<std::string,android::cgrouprc::CgroupDescriptor> & descriptors)486 static bool CreateV2SubHierarchy(
487         const std::string& path,
488         const std::map<std::string, android::cgrouprc::CgroupDescriptor>& descriptors) {
489     using namespace android::cgrouprc;
490 
491     const auto cgv2_iter = descriptors.find(CGROUPV2_HIERARCHY_NAME);
492     if (cgv2_iter == descriptors.end()) return false;
493     const android::cgrouprc::CgroupDescriptor cgv2_descriptor = cgv2_iter->second;
494 
495     if (!Mkdir(path, cgv2_descriptor.mode(), cgv2_descriptor.uid(), cgv2_descriptor.gid())) {
496         PLOG(ERROR) << "Failed to create directory for " << path;
497         return false;
498     }
499 
500     // Activate all v2 controllers in path so they can be activated in
501     // children as they are created.
502     for (const auto& [name, descriptor] : descriptors) {
503         const format::CgroupController* controller = descriptor.controller();
504         std::uint32_t flags = controller->flags();
505         if (controller->version() == 2 && name != CGROUPV2_HIERARCHY_NAME &&
506             flags & CGROUPRC_CONTROLLER_FLAG_NEEDS_ACTIVATION) {
507             std::string str("+");
508             str += controller->name();
509             if (!android::base::WriteStringToFile(str, path + "/cgroup.subtree_control")) {
510                 if (flags & CGROUPRC_CONTROLLER_FLAG_OPTIONAL) {
511                     PLOG(WARNING) << "Activation of cgroup controller " << str << " failed in path "
512                                   << path;
513                 } else {
514                     return false;
515                 }
516             }
517         }
518     }
519     return true;
520 }
521 
CgroupSetup()522 bool CgroupSetup() {
523     using namespace android::cgrouprc;
524 
525     std::map<std::string, CgroupDescriptor> descriptors;
526 
527     if (getpid() != 1) {
528         LOG(ERROR) << "Cgroup setup can be done only by init process";
529         return false;
530     }
531 
532     // Make sure we do this only one time. No need for std::call_once because
533     // init is a single-threaded process
534     if (access(CGROUPS_RC_PATH, F_OK) == 0) {
535         LOG(WARNING) << "Attempt to call CgroupSetup() more than once";
536         return true;
537     }
538 
539     // load cgroups.json file
540     if (!ReadDescriptors(&descriptors)) {
541         LOG(ERROR) << "Failed to load cgroup description file";
542         return false;
543     }
544 
545     // setup cgroups
546     for (auto& [name, descriptor] : descriptors) {
547         if (SetupCgroup(descriptor)) {
548             descriptor.set_mounted(true);
549         } else {
550             // issue a warning and proceed with the next cgroup
551             LOG(WARNING) << "Failed to setup " << name << " cgroup";
552         }
553     }
554 
555     if (force_memcg_v2) {
556         if (MGLRUDisabled().value_or(false)) {
557             LOG(WARNING) << "Memcg forced to v2 hierarchy with MGLRU disabled! "
558                          << "Global reclaim performance will suffer.";
559         }
560         if (MEMCGDisabled(descriptors).value_or(false)) {
561             LOG(WARNING) << "Memcg forced to v2 hierarchy while memcg is disabled by kernel "
562                          << "command line!";
563         }
564     }
565 
566     // System / app isolation.
567     // This really belongs in early-init in init.rc, but we cannot use the flag there.
568     if (android::libprocessgroup_flags::cgroup_v2_sys_app_isolation()) {
569         const auto it = descriptors.find(CGROUPV2_HIERARCHY_NAME);
570         const std::string cgroup_v2_root = (it == descriptors.end())
571                                                    ? CGROUP_V2_ROOT_DEFAULT
572                                                    : it->second.controller()->path();
573 
574         LOG(INFO) << "Using system/app isolation under: " << cgroup_v2_root;
575         if (!CreateV2SubHierarchy(cgroup_v2_root + "/apps", descriptors) ||
576             !CreateV2SubHierarchy(cgroup_v2_root + "/system", descriptors)) {
577             return false;
578         }
579     }
580 
581     // mkdir <CGROUPS_RC_DIR> 0711 system system
582     if (!Mkdir(android::base::Dirname(CGROUPS_RC_PATH), 0711, "system", "system")) {
583         LOG(ERROR) << "Failed to create directory for " << CGROUPS_RC_PATH << " file";
584         return false;
585     }
586 
587     // Generate <CGROUPS_RC_FILE> file which can be directly mmapped into
588     // process memory. This optimizes performance, memory usage
589     // and limits infrormation shared with unprivileged processes
590     // to the minimum subset of information from cgroups.json
591     if (!WriteRcFile(descriptors)) {
592         LOG(ERROR) << "Failed to write " << CGROUPS_RC_PATH << " file";
593         return false;
594     }
595 
596     // chmod 0644 <CGROUPS_RC_PATH>
597     if (fchmodat(AT_FDCWD, CGROUPS_RC_PATH, 0644, AT_SYMLINK_NOFOLLOW) < 0) {
598         PLOG(ERROR) << "fchmodat() failed";
599         return false;
600     }
601 
602     return true;
603 }
604