ACPR/android_system_core
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Keystore 2.0: Add keystore2 to llkd ignore list.

Browse source 
Due to Keystore's handling of sensitive information we cannot allow
any other process ptrace privileges over Keystore. To silence SELinux
denials llkd must ignore the keystore process.

This CL adds keystore2 to the ignore list because it replaces keystore.
In a followup the keystore entry will be removed.

Bug: 170144267
Test: N/A
Change-Id: I28eafc1f4341cdd371ad78d3a7a9ba8ac128c1b1
This commit is contained in:
Janis Danisevskis 2021-03-15 09:17:58 -07:00
parent f85f3d628e
commit 028437445e
3 changed files with 4 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
llkd/README.md
View file

@ -207,7 +207,7 @@ Comma-separated list of uid numbers or names. Default is empty or false.
The `llkd` does not monitor the specified subset of processes for live lock stack
signatures. Default is process names
`init,lmkd.llkd,llkd,keystore,ueventd,apexd,logd`. Prevents the sepolicy
`init,lmkd.llkd,llkd,keystore,keystore2,ueventd,apexd,logd`. Prevents the sepolicy
violation associated with processes that block `ptrace` (as these can't be
checked). **Active only on userdebug and eng builds**. For details on build
types, refer to [Building Android](/setup/build/building#choose-a-target).

2
llkd/include/llkd.h
View file

@ -60,7 +60,7 @@ unsigned llkCheckMilliseconds(void);
#define LLK_IGNORELIST_UID_PROPERTY "ro.llk.ignorelist.uid"
#define LLK_IGNORELIST_UID_DEFAULT ""
#define LLK_IGNORELIST_STACK_PROPERTY "ro.llk.ignorelist.process.stack"
#define LLK_IGNORELIST_STACK_DEFAULT "init,lmkd.llkd,llkd,keystore,ueventd,apexd"
#define LLK_IGNORELIST_STACK_DEFAULT "init,lmkd.llkd,llkd,keystore,keystore2,ueventd,apexd"
/* clang-format on */
__END_DECLS

4
llkd/libllkd.cpp
View file

@ -115,8 +115,8 @@ std::unordered_map<std::string, std::unordered_set<std::string>> llkIgnorelistPa
// list of uids, and uid names, to skip, default nothing
std::unordered_set<std::string> llkIgnorelistUid;
#ifdef __PTRACE_ENABLED__
// list of names to skip stack checking. "init", "lmkd", "llkd", "keystore" or
// "logd" (if not userdebug).
// list of names to skip stack checking. "init", "lmkd", "llkd", "keystore",
// "keystore2", or "logd" (if not userdebug).
std::unordered_set<std::string> llkIgnorelistStack;
#endif