summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNick Kralevich <nnk@google.com>2015-11-09 20:05:22 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>2015-11-09 20:05:22 +0000
commit2d8f1d4c478b9d921730d3fc9b290315e2ff9f04 (patch)
tree074514fa305f467b1bb08a464078f2e5536fd89a
parent892f0e93007dc912f18a09fd281c73adf762277a (diff)
parentc39ba5ae32afb6329d42e61d2941d87ff66d92e3 (diff)
Merge "Enable hidepid=2 on /proc"
-rw-r--r--adb/daemon/main.cpp4
-rw-r--r--debuggerd/debuggerd.rc1
-rw-r--r--debuggerd/debuggerd64.rc1
-rw-r--r--include/private/android_filesystem_config.h2
-rw-r--r--init/init.cpp3
-rw-r--r--lmkd/lmkd.rc1
-rw-r--r--logd/logd.rc2
-rw-r--r--logd/main.cpp4
-rw-r--r--rootdir/init.rc2
9 files changed, 15 insertions, 5 deletions
diff --git a/adb/daemon/main.cpp b/adb/daemon/main.cpp
index 8c3ca63c8..b8d758f10 100644
--- a/adb/daemon/main.cpp
+++ b/adb/daemon/main.cpp
@@ -142,9 +142,11 @@ int adbd_main(int server_port) {
// AID_SDCARD_R to allow reading from the SD card
// AID_SDCARD_RW to allow writing to the SD card
// AID_NET_BW_STATS to read out qtaguid statistics
+ // AID_READPROC for reading /proc entries across UID boundaries
gid_t groups[] = {AID_ADB, AID_LOG, AID_INPUT,
AID_INET, AID_NET_BT, AID_NET_BT_ADMIN,
- AID_SDCARD_R, AID_SDCARD_RW, AID_NET_BW_STATS};
+ AID_SDCARD_R, AID_SDCARD_RW, AID_NET_BW_STATS,
+ AID_READPROC };
if (setgroups(sizeof(groups) / sizeof(groups[0]), groups) != 0) {
PLOG(FATAL) << "Could not set supplental groups";
}
diff --git a/debuggerd/debuggerd.rc b/debuggerd/debuggerd.rc
index 4be2e5d08..e43fe96cf 100644
--- a/debuggerd/debuggerd.rc
+++ b/debuggerd/debuggerd.rc
@@ -1,3 +1,4 @@
service debuggerd /system/bin/debuggerd
class main
+ group root readproc
writepid /dev/cpuset/system-background/tasks
diff --git a/debuggerd/debuggerd64.rc b/debuggerd/debuggerd64.rc
index c6e7bf2a5..35b5af35c 100644
--- a/debuggerd/debuggerd64.rc
+++ b/debuggerd/debuggerd64.rc
@@ -1,3 +1,4 @@
service debuggerd64 /system/bin/debuggerd64
class main
+ group root readproc
writepid /dev/cpuset/system-background/tasks
diff --git a/include/private/android_filesystem_config.h b/include/private/android_filesystem_config.h
index c7eb34b01..e2133e905 100644
--- a/include/private/android_filesystem_config.h
+++ b/include/private/android_filesystem_config.h
@@ -101,6 +101,7 @@
#define AID_NET_BW_STATS 3006 /* read bandwidth statistics */
#define AID_NET_BW_ACCT 3007 /* change bandwidth statistics accounting */
#define AID_NET_BT_STACK 3008 /* bluetooth: access config files */
+#define AID_READPROC 3009 /* Allow /proc read access */
/* The range 5000-5999 is also reserved for OEM, and must never be used here. */
#define AID_OEM_RESERVED_2_START 5000
@@ -191,6 +192,7 @@ static const struct android_id_info android_ids[] = {
{ "net_bw_stats", AID_NET_BW_STATS, },
{ "net_bw_acct", AID_NET_BW_ACCT, },
{ "net_bt_stack", AID_NET_BT_STACK, },
+ { "readproc", AID_READPROC, },
{ "everybody", AID_EVERYBODY, },
{ "misc", AID_MISC, },
diff --git a/init/init.cpp b/init/init.cpp
index 605674b15..86aed9ac7 100644
--- a/init/init.cpp
+++ b/init/init.cpp
@@ -546,7 +546,8 @@ int main(int argc, char** argv) {
mkdir("/dev/pts", 0755);
mkdir("/dev/socket", 0755);
mount("devpts", "/dev/pts", "devpts", 0, NULL);
- mount("proc", "/proc", "proc", 0, NULL);
+ #define MAKE_STR(x) __STRING(x)
+ mount("proc", "/proc", "proc", 0, "hidepid=2,gid=" MAKE_STR(AID_READPROC));
mount("sysfs", "/sys", "sysfs", 0, NULL);
}
diff --git a/lmkd/lmkd.rc b/lmkd/lmkd.rc
index 7d6cb11ba..3bb84abf6 100644
--- a/lmkd/lmkd.rc
+++ b/lmkd/lmkd.rc
@@ -1,5 +1,6 @@
service lmkd /system/bin/lmkd
class core
+ group root readproc
critical
socket lmkd seqpacket 0660 system system
writepid /dev/cpuset/system-background/tasks
diff --git a/logd/logd.rc b/logd/logd.rc
index ecd2f0acf..10f35536f 100644
--- a/logd/logd.rc
+++ b/logd/logd.rc
@@ -3,7 +3,7 @@ service logd /system/bin/logd
socket logd stream 0666 logd logd
socket logdr seqpacket 0666 logd logd
socket logdw dgram 0222 logd logd
- group root system
+ group root system readproc
writepid /dev/cpuset/system-background/tasks
service logd-reinit /system/bin/logd --reinit
diff --git a/logd/main.cpp b/logd/main.cpp
index ad577d203..8e75b37a0 100644
--- a/logd/main.cpp
+++ b/logd/main.cpp
@@ -106,7 +106,9 @@ static int drop_privs() {
return -1;
}
- if (setgroups(0, NULL) == -1) {
+ gid_t groups[] = { AID_READPROC };
+
+ if (setgroups(sizeof(groups) / sizeof(groups[0]), groups) == -1) {
return -1;
}
diff --git a/rootdir/init.rc b/rootdir/init.rc
index b80c45469..17e87da70 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -556,7 +556,7 @@ service console /system/bin/sh
console
disabled
user shell
- group shell log
+ group shell log readproc
seclabel u:r:shell:s0
on property:ro.debuggable=1