authorNick Kralevich <nnk@google.com>2015-11-07 16:52:17 -0800
committerNick Kralevich <nnk@google.com>2015-11-09 09:08:46 -0800
commitc39ba5ae32afb6329d42e61d2941d87ff66d92e3 (patch)
treea5fca3ab71e1856a75e995c1d8ec81dc55bd56e1 /include/private/android_filesystem_config.h
parent54b5e85373619a838641d276a840caad284b09b3 (diff)
Enable hidepid=2 on /proc
Add the following mount options to the /proc filesystem: hidepid=2,gid=3009 This change hides other users' /proc/<pid> entries unless you're in group 3009 (aka AID_READPROC). Please see https://github.com/torvalds/linux/blob/master/Documentation/filesystems/proc.txt for documentation on the hidepid option. hidepid=2 is preferred over hidepid=1 since it leaks less information and doesn't generate SELinux ptrace denials when trying to access /proc without being in the proper group. Add AID_READPROC to processes which need to access /proc entries for other UIDs. Bug: 23310674 Change-Id: I22bb55ff7b80ff722945e224845215196f09dafa
Diffstat (limited to 'include/private/android_filesystem_config.h')
-rw-r--r--include/private/android_filesystem_config.h2
1 files changed, 2 insertions, 0 deletions
diff --git a/include/private/android_filesystem_config.h b/include/private/android_filesystem_config.h
index c7eb34b01..e2133e905 100644
--- a/include/private/android_filesystem_config.h
+++ b/include/private/android_filesystem_config.h
@@ -101,6 +101,7 @@
#define AID_NET_BW_STATS 3006 /* read bandwidth statistics */
#define AID_NET_BW_ACCT 3007 /* change bandwidth statistics accounting */
#define AID_NET_BT_STACK 3008 /* bluetooth: access config files */
+#define AID_READPROC 3009 /* Allow /proc read access */
/* The range 5000-5999 is also reserved for OEM, and must never be used here. */
#define AID_OEM_RESERVED_2_START 5000
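Review bot: The comment on the added `AID_READPROC` line understates what membership grants and hides the coupling to the mount option: the literal 3009 must stay equal to the `gid=` in the hidepid=2 /proc mount options described in the commit message, and nothing in the header ties the two together. I would write `#define AID_READPROC 3009 /* read other UIDs' /proc/<pid> entries; must match gid= in the hidepid=2 /proc mount */` so the next person editing either place sees the dependency. Because membership effectively lifts hidepid=2 for the whole process (cmdline, environ, status of every UID become enumerable), it should be treated like a capability and granted only to the specific daemons the commit lists, not added to a service for convenience. As I read proc.txt, hidepid governs only directory visibility, so per-file checks such as the ptrace access check on /proc/<pid>/maps presumably still apply and the group is not a blanket ptrace-read grant — worth confirming before relying on it either way.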
@@ -191,6 +192,7 @@ static const struct android_id_info android_ids[] = {
{ "net_bw_stats", AID_NET_BW_STATS, },
{ "net_bw_acct", AID_NET_BW_ACCT, },
{ "net_bt_stack", AID_NET_BT_STACK, },
+ { "readproc", AID_READPROC, },
{ "everybody", AID_EVERYBODY, },
{ "misc", AID_MISC, },