Add a wrapper binary that configures the process and executes a command.

artd needs to configure the child process before it executes a command.
However, this cannot be done between `fork` and `exec` because artd is a
multi-threaded program, and doing things between `fork` and `exec` has a
risk of deadlock. The wrapper binary is a workaround to this problem.

Bug: 229268202
Test: adb shell pm art optimize-package -m speed-profile -f \
        com.google.android.youtube
Test: atest art_standalone_libarttools_tests
Test: art/tools/run-gtests.sh \
        /apex/com.android.art/bin/art/x86_64/art_libarttools_tests
Test: atest ArtGtestsTargetChroot:ArtExecTest
Ignore-AOSP-First: ART Services.
Change-Id: Ifa32518afcb3802e2c9b893e9b4afba2f19572ba
diff --git a/build/apex/Android.bp b/build/apex/Android.bp
index 80acd81..d40f512 100644
--- a/build/apex/Android.bp
+++ b/build/apex/Android.bp
@@ -270,6 +270,7 @@
         "libartservice",
     ],
     binaries: [
+        "art_exec",
         "artd",
     ],
     multilib: {
diff --git a/build/apex/art_apex_test.py b/build/apex/art_apex_test.py
index 1813913..efb4c3f 100755
--- a/build/apex/art_apex_test.py
+++ b/build/apex/art_apex_test.py
@@ -549,6 +549,7 @@
     # removed in Android R.
 
     # Check binaries for ART.
+    self._checker.check_executable('art_exec')
     self._checker.check_executable('artd')
     self._checker.check_executable('oatdump')
     self._checker.check_executable("odrefresh")
diff --git a/libarttools/Android.bp b/libarttools/Android.bp
index 6746c8e..5353285 100644
--- a/libarttools/Android.bp
+++ b/libarttools/Android.bp
@@ -49,6 +49,7 @@
 art_cc_defaults {
     name: "art_libarttools_tests_defaults",
     srcs: [
+        "tools/art_exec_test.cc",
         "tools/cmdline_builder_test.cc",
         "tools/system_properties_test.cc",
         "tools/tools_test.cc",
@@ -81,3 +82,38 @@
         "art_libarttools_tests_defaults",
     ],
 }
+
+// A defaults that contains libprocessgroup and all its dependencies.
+cc_defaults {
+    name: "art_libprocessgroup_defaults",
+    shared_libs: [
+        "libbase",
+        "libcgrouprc",
+    ],
+    static_libs: [
+        "libjsoncpp",
+        "libprocessgroup",
+    ],
+}
+
+cc_binary {
+    name: "art_exec",
+    defaults: [
+        "art_defaults",
+        "art_libprocessgroup_defaults",
+    ],
+    srcs: [
+        "tools/art_exec.cc",
+    ],
+    shared_libs: [
+        "libartbase",
+        "libbase",
+    ],
+    static_libs: [
+        "libcap",
+    ],
+    apex_available: [
+        "com.android.art",
+        "com.android.art.debug",
+    ],
+}
diff --git a/libarttools/tools/art_exec.cc b/libarttools/tools/art_exec.cc
new file mode 100644
index 0000000..48dadb5
--- /dev/null
+++ b/libarttools/tools/art_exec.cc
@@ -0,0 +1,155 @@
+/*
+ * Copyright (C) 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <sys/capability.h>
+#include <sys/resource.h>
+#include <unistd.h>
+
+#include <iostream>
+#include <iterator>
+#include <optional>
+#include <string>
+#include <string_view>
+#include <vector>
+
+#include "android-base/logging.h"
+#include "android-base/result.h"
+#include "android-base/strings.h"
+#include "base/macros.h"
+#include "base/scoped_cap.h"
+#include "processgroup/processgroup.h"
+#include "system/thread_defs.h"
+
+namespace {
+
+using ::android::base::ConsumePrefix;
+using ::android::base::Join;
+using ::android::base::Result;
+using ::android::base::Split;
+
+constexpr const char* kUsage =
+    R"(A wrapper binary that configures the process and executes a command.
+
+Usage: art_exec [OPTIONS]... -- [COMMAND]...
+
+Supported options:
+  --help: Print this text.
+  --set-task-profile=PROFILES: Apply a set of task profiles (see
+      https://source.android.com/devices/tech/perf/cgroups). Requires root access. PROFILES can be a
+      comma-separated list of task profile names.
+  --set-priority=PRIORITY: Apply the process priority. Currently, the only supported value of
+      PRIORITY is "background".
+  --drop-capabilities: Drop all root capabilities. Note that this has effect only if `art_exec` runs
+      with some root capabilities but not as the root user.
+)";
+
+constexpr int kErrorUsage = 100;
+constexpr int kErrorOther = 101;
+
+struct Options {
+  int command_pos = -1;
+  std::vector<std::string> task_profiles;
+  std::optional<int> priority = std::nullopt;
+  bool drop_capabilities = false;
+};
+
+[[noreturn]] void Usage(const std::string& error_msg) {
+  LOG(ERROR) << error_msg;
+  std::cerr << error_msg << "\n" << kUsage << "\n";
+  exit(kErrorUsage);
+}
+
+Options ParseOptions(int argc, char** argv) {
+  Options options;
+  for (int i = 1; i < argc; i++) {
+    std::string_view arg = argv[i];
+    if (arg == "--help") {
+      std::cerr << kUsage << "\n";
+      exit(0);
+    } else if (ConsumePrefix(&arg, "--set-task-profile=")) {
+      options.task_profiles = Split(std::string(arg), ",");
+      if (options.task_profiles.empty()) {
+        Usage("Empty task profile list");
+      }
+    } else if (ConsumePrefix(&arg, "--set-priority=")) {
+      if (arg == "background") {
+        options.priority = ANDROID_PRIORITY_BACKGROUND;
+      } else {
+        Usage("Unknown priority " + std::string(arg));
+      }
+    } else if (arg == "--drop-capabilities") {
+      options.drop_capabilities = true;
+    } else if (arg == "--") {
+      if (i + 1 >= argc) {
+        Usage("Missing command after '--'");
+      }
+      options.command_pos = i + 1;
+      return options;
+    } else {
+      Usage("Unknown option " + std::string(arg));
+    }
+  }
+  Usage("Missing '--'");
+}
+
+Result<void> DropInheritableCaps() {
+  art::ScopedCap cap(cap_get_proc());
+  if (cap.Get() == nullptr) {
+    return ErrnoErrorf("Failed to call cap_get_proc");
+  }
+  if (cap_clear_flag(cap.Get(), CAP_INHERITABLE) != 0) {
+    return ErrnoErrorf("Failed to call cap_clear_flag");
+  }
+  if (cap_set_proc(cap.Get()) != 0) {
+    return ErrnoErrorf("Failed to call cap_set_proc");
+  }
+  return {};
+}
+
+}  // namespace
+
+int main(int argc, char** argv) {
+  android::base::InitLogging(argv);
+
+  Options options = ParseOptions(argc, argv);
+
+  if (!options.task_profiles.empty()) {
+    if (!SetTaskProfiles(/*tid=*/0, options.task_profiles)) {
+      LOG(ERROR) << "Failed to set task profile";
+      return kErrorOther;
+    }
+  }
+
+  if (options.priority.has_value()) {
+    if (setpriority(PRIO_PROCESS, /*who=*/0, options.priority.value()) != 0) {
+      PLOG(ERROR) << "Failed to setpriority";
+      return kErrorOther;
+    }
+  }
+
+  if (options.drop_capabilities) {
+    if (auto result = DropInheritableCaps(); !result.ok()) {
+      LOG(ERROR) << "Failed to drop inheritable capabilities: " << result.error();
+      return kErrorOther;
+    }
+  }
+
+  execv(argv[options.command_pos], argv + options.command_pos);
+
+  std::vector<const char*> command_args(argv + options.command_pos, argv + argc);
+  PLOG(FATAL) << "Failed to execute (" << Join(command_args, ' ') << ")";
+  UNREACHABLE();
+}
diff --git a/libarttools/tools/art_exec_test.cc b/libarttools/tools/art_exec_test.cc
new file mode 100644
index 0000000..ca55393
--- /dev/null
+++ b/libarttools/tools/art_exec_test.cc
@@ -0,0 +1,180 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <sys/capability.h>
+#include <sys/resource.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+#include <csignal>
+#include <filesystem>
+#include <functional>
+#include <string>
+#include <utility>
+
+#include "android-base/file.h"
+#include "android-base/logging.h"
+#include "android-base/scopeguard.h"
+#include "base/common_art_test.h"
+#include "base/file_utils.h"
+#include "base/globals.h"
+#include "base/macros.h"
+#include "base/os.h"
+#include "base/scoped_cap.h"
+#include "exec_utils.h"
+#include "fmt/format.h"
+#include "gmock/gmock.h"
+#include "gtest/gtest.h"
+#include "system/thread_defs.h"
+
+namespace art {
+namespace {
+
+using ::android::base::make_scope_guard;
+using ::android::base::ScopeGuard;
+using ::testing::HasSubstr;
+
+// clang-tidy incorrectly complaints about the using declaration while the user-defined literal is
+// actually being used.
+using ::fmt::literals::operator""_format;  // NOLINT
+
+constexpr uid_t kRoot = 0;
+constexpr uid_t kNobody = 9999;
+
+std::string GetArtBin(const std::string& name) { return "{}/bin/{}"_format(GetArtRoot(), name); }
+
+std::string GetBin(const std::string& name) { return "{}/bin/{}"_format(GetAndroidRoot(), name); }
+
+// Executes the command, waits for it to finish, and keeps it in a waitable state until the current
+// scope exits.
+std::pair<pid_t, ScopeGuard<std::function<void()>>> ScopedExecAndWait(
+    std::vector<std::string>& args) {
+  std::vector<char*> execv_args;
+  execv_args.reserve(args.size() + 1);
+  for (std::string& arg : args) {
+    execv_args.push_back(arg.data());
+  }
+  execv_args.push_back(nullptr);
+
+  pid_t pid = fork();
+  if (pid == 0) {
+    execv(execv_args[0], execv_args.data());
+    UNREACHABLE();
+  } else if (pid > 0) {
+    siginfo_t info;
+    CHECK_EQ(TEMP_FAILURE_RETRY(waitid(P_PID, pid, &info, WEXITED | WNOWAIT)), 0);
+    CHECK_EQ(info.si_code, CLD_EXITED);
+    CHECK_EQ(info.si_status, 0);
+    std::function<void()> cleanup([=] {
+      siginfo_t info;
+      CHECK_EQ(TEMP_FAILURE_RETRY(waitid(P_PID, pid, &info, WEXITED)), 0);
+    });
+    return std::make_pair(pid, make_scope_guard(std::move(cleanup)));
+  } else {
+    LOG(FATAL) << "Failed to call fork";
+    UNREACHABLE();
+  }
+}
+
+// Grants the current process the given root capability.
+void SetCap(cap_flag_t flag, cap_value_t value) {
+  ScopedCap cap(cap_get_proc());
+  CHECK_NE(cap.Get(), nullptr);
+  cap_value_t caps[]{value};
+  CHECK_EQ(cap_set_flag(cap.Get(), flag, /*ncap=*/1, caps, CAP_SET), 0);
+  CHECK_EQ(cap_set_proc(cap.Get()), 0);
+}
+
+// Returns true if the given process has the given root capability.
+bool GetCap(pid_t pid, cap_flag_t flag, cap_value_t value) {
+  ScopedCap cap(cap_get_pid(pid));
+  CHECK_NE(cap.Get(), nullptr);
+  cap_flag_value_t flag_value;
+  CHECK_EQ(cap_get_flag(cap.Get(), value, flag, &flag_value), 0);
+  return flag_value == CAP_SET;
+}
+
+class ArtExecTest : public testing::Test {
+ protected:
+  void SetUp() override {
+    testing::Test::SetUp();
+    if (!kIsTargetAndroid) {
+      GTEST_SKIP() << "art_exec is for device only";
+    }
+    if (getuid() != kRoot) {
+      GTEST_SKIP() << "art_exec requires root";
+    }
+    art_exec_bin_ = GetArtBin("art_exec");
+  }
+
+  std::string art_exec_bin_;
+};
+
+TEST_F(ArtExecTest, Command) {
+  std::string error_msg;
+  int ret = ExecAndReturnCode({art_exec_bin_, "--", GetBin("sh"), "-c", "exit 123"}, &error_msg);
+  ASSERT_EQ(ret, 123) << error_msg;
+}
+
+TEST_F(ArtExecTest, SetTaskProfiles) {
+  std::string filename = "/data/local/tmp/art-exec-test-XXXXXX";
+  ScratchFile scratch_file(new File(mkstemp(filename.data()), filename, /*check_usage=*/false));
+  ASSERT_GE(scratch_file.GetFd(), 0);
+
+  std::vector<std::string> args{art_exec_bin_,
+                                "--set-task-profile=Dex2oatPerformance",
+                                "--",
+                                GetBin("sh"),
+                                "-c",
+                                "cat /proc/self/cgroup > " + filename};
+  auto [pid, scope_guard] = ScopedExecAndWait(args);
+  std::string cgroup;
+  ASSERT_TRUE(android::base::ReadFileToString(filename, &cgroup));
+  EXPECT_THAT(cgroup, HasSubstr(":cpu:/dex2oat\n"));
+}
+
+TEST_F(ArtExecTest, SetPriority) {
+  std::vector<std::string> args{art_exec_bin_, "--set-priority=background", "--", GetBin("true")};
+  auto [pid, scope_guard] = ScopedExecAndWait(args);
+  EXPECT_EQ(getpriority(PRIO_PROCESS, pid), ANDROID_PRIORITY_BACKGROUND);
+}
+
+TEST_F(ArtExecTest, DropCapabilities) {
+  // Switch to a non-root user, but still keep the CAP_FOWNER capability available and inheritable.
+  // The order of the following calls matters.
+  CHECK_EQ(cap_setuid(kNobody), 0);
+  SetCap(CAP_INHERITABLE, CAP_FOWNER);
+  SetCap(CAP_EFFECTIVE, CAP_FOWNER);
+  ASSERT_EQ(cap_set_ambient(CAP_FOWNER, CAP_SET), 0);
+
+  // Make sure the test is set up correctly (i.e., the child process should normally have the
+  // inherited root capability: CAP_FOWNER).
+  {
+    std::vector<std::string> args{art_exec_bin_, "--", GetBin("true")};
+    auto [pid, scope_guard] = ScopedExecAndWait(args);
+    ASSERT_TRUE(GetCap(pid, CAP_EFFECTIVE, CAP_FOWNER));
+  }
+
+  {
+    std::vector<std::string> args{art_exec_bin_, "--drop-capabilities", "--", GetBin("true")};
+    auto [pid, scope_guard] = ScopedExecAndWait(args);
+    EXPECT_FALSE(GetCap(pid, CAP_EFFECTIVE, CAP_FOWNER));
+  }
+}
+
+}  // namespace
+}  // namespace art