init: put UE into its own net_cls cgroup

This patch puts update_engine into its own net_cls cgroup, and assigns
handle 1:1 to this cgroup, so that we can match the packets from
update_engine using iptables.

BUG=b:167479541
TEST=able to match egress packets from update_engine using:
`iptables -t mangle -A OUTPUT -m cgroup --cgroup 0x10001`

Cq-Depend: chromium:2388542
Change-Id: Id9c3ced473430a27f9719f0bd3fd727e9b1d0ea2
Reviewed-on: https://chromium-review.googlesource.com/c/aosp/platform/system/update_engine/+/2387886
Tested-by: Jie Jiang <jiejiang@chromium.org>
Commit-Queue: Jie Jiang <jiejiang@chromium.org>
Reviewed-by: Amin Hassani <ahassani@chromium.org>
diff --git a/init/update-engine.conf b/init/update-engine.conf
index ca54c4a..36c89d7 100644
--- a/init/update-engine.conf
+++ b/init/update-engine.conf
@@ -37,7 +37,17 @@
# Put update_engine process in its own cgroup.
# Default cpu.shares is 1024.
post-start script
- cgroup_dir="/sys/fs/cgroup/cpu/${UPSTART_JOB}"
- mkdir -p "${cgroup_dir}"
- echo $(status | cut -f 4 -d ' ') > "${cgroup_dir}/tasks"
+ pid=$(status | cut -f 4 -d ' ')
+
+ cgroup_cpu_dir="/sys/fs/cgroup/cpu/${UPSTART_JOB}"
+ mkdir -p "${cgroup_cpu_dir}"
+ echo ${pid} > "${cgroup_cpu_dir}/tasks"
+
+ # Assigns net_cls handle 1:1 to packets generated from update_engine. For
+ # routing and tagging purposes, that value will be redefined in
+ # patchpanel/routing_service.h .
+ cgroup_net_cls_dir="/sys/fs/cgroup/net_cls/${UPSTART_JOB}"
+ mkdir -p "${cgroup_net_cls_dir}"
+ echo ${pid} > "${cgroup_net_cls_dir}/tasks"
+ echo "0x10001" > "${cgroup_net_cls_dir}/net_cls.classid"
end script
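Review bot: nothing in the new net_cls block verifies that the net_cls controller is actually mounted at /sys/fs/cgroup/net_cls before `mkdir -p "${cgroup_net_cls_dir}"` and the two echos run; if that hierarchy is missing, the directory and files can be created as plain entries and update_engine ends up untagged, while the iptables rule from the TEST line silently matches nothing. Consider checking for the mount (for example `test -f /sys/fs/cgroup/net_cls/net_cls.classid`) and failing loudly, or at least logging, when it is absent. Two smaller points in the same hunk: `echo ${pid}` is left unquoted on both `tasks` writes while every directory variable is quoted, so an empty `pid` from a failed `status` parse is written as an empty line rather than reported; quote it as `"${pid}"` and guard with `[ -n "${pid}" ]`. And the comment saying the value "will be redefined in patchpanel/routing_service.h" reads as if the header overrides this file; it should say the 0x10001 written here must stay in sync with the constant in patchpanel/routing_service.h, ideally spelling out that 0x10001 encodes major:minor 1:1 (0x00010001) so the mapping to the commit message's "handle 1:1" is clear to the next reader.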