authorNick Kralevich <nnk@google.com>2014-06-08 15:14:42 -0700
committerNick Kralevich <nnk@google.com>2014-06-08 15:14:42 -0700
commitc3df8d756291b5258c21335e1266efb941fd7d0a (patch)
treee054504d6b554f4abbcce509c91f645faed2453a /include/private/android_filesystem_config.h
parent3013615077bbf1ccedaef59181f5e96062ad479a (diff)
Make su 04750
Currently, /system/xbin/su is world executable. Prior to SELinux enforcement, anyone (including third party apps) could run su. The su code itself checks to see if the calling UID is root or shell. Rather than relying on enforcement within the su binary, modify the binary so it has group=shell, and remove world-execute permission. This helps avoid some annoying SELinux denial messages as third party apps call su on userdebug/eng builds. Change-Id: I61c9231bb7e201d14ee3a5b6fe81b3fa7b12599f
Diffstat (limited to 'include/private/android_filesystem_config.h')
-rw-r--r--include/private/android_filesystem_config.h2
1 files changed, 1 insertions, 1 deletions
diff --git a/include/private/android_filesystem_config.h b/include/private/android_filesystem_config.h
index 03b3506de..d8e938ea1 100644
--- a/include/private/android_filesystem_config.h
+++ b/include/private/android_filesystem_config.h
@@ -244,7 +244,7 @@ static const struct fs_path_config android_files[] = {
/* the following five files are INTENTIONALLY set-uid, but they
* are NOT included on user builds. */
- { 06755, AID_ROOT, AID_ROOT, 0, "system/xbin/su" },
+ { 04750, AID_ROOT, AID_SHELL, 0, "system/xbin/su" },
{ 06755, AID_ROOT, AID_ROOT, 0, "system/xbin/librank" },
{ 06755, AID_ROOT, AID_ROOT, 0, "system/xbin/procrank" },
{ 06755, AID_ROOT, AID_ROOT, 0, "system/xbin/procmem" },
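Review bot: The new `su` entry (`04750`, `AID_ROOT`, `AID_SHELL`) now differs from the `06755` entries that follow it, and the reason is recorded only in the commit message, so a later cleanup could plausibly "normalise" it back to world-executable. I would add a comment directly above the entry, e.g. `/* su: exec limited to root and group shell; setgid dropped on purpose, do not restore o+x */`. The file mode only narrows who can exec the binary: any process that carries `AID_SHELL` as a supplementary group still passes it, so the caller-UID check inside su that the description mentions (not visible in this hunk) should presumably stay as a second layer. The `android_files[]` initializer starts and ends outside the hunk.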