Drop supplementary groups for child zygotes.
Child zygotes like Webview zygote and App zygote are created with an
empty supplementary group list; this was intended to drop all groups,
but instead we don't call setgroups() at all, which means that these
child zygotes are run with the same groups as the parent zygotes.
Currently those groups are AID_READPROC and AID_RESERVED_DISK, and the
child zygotes should need neither: AID_READPROC is only used for
wrapping with the wrap.com.packagename sysprop, which doesn't really
make sense for child zygotes. AID_RESERVED_DISK shouldn't be needed
because child zygotes and their children are not critical, and therefore
shouldn't be able to use reserved disk space.
Remove the groups by explicitly call setgroups(0, NULL); for child
zygotes.
Bug: 156741968
Test: observe /proc/zygote_pid/status, notice groups are empty
Test: atest CtsExternalServiceTestCases
Change-Id: I4ee43a8bb9d86ff6f620437fb290481365a9e988
(cherry picked from commit 5a45262741f6410a61bec59a41b4229e349a00b7)
1 file changed
