Merge "Enable hidepid=2 on /proc"

am: 2d8f1d4c47 * commit '2d8f1d4c478b9d921730d3fc9b290315e2ff9f04': Enable hidepid=2 on /proc
2015-11-09 20:29:44 +00:00 · 2015-11-09 20:29:44 +00:00 · ea8452cc72
commit ea8452cc72
parent 8163cbc535 2d8f1d4c47
9 changed files with 15 additions and 5 deletions
--- a/adb/daemon/main.cpp
+++ b/adb/daemon/main.cpp
@ -142,9 +142,11 @@ int adbd_main(int server_port) {
    // AID_SDCARD_R to allow reading from the SD card
    // AID_SDCARD_RW to allow writing to the SD card
    // AID_NET_BW_STATS to read out qtaguid statistics
    // AID_READPROC for reading /proc entries across UID boundaries
    gid_t groups[] = {AID_ADB,      AID_LOG,       AID_INPUT,
                      AID_INET,     AID_NET_BT,    AID_NET_BT_ADMIN,
-                      AID_SDCARD_R, AID_SDCARD_RW, AID_NET_BW_STATS};
+                      AID_SDCARD_R, AID_SDCARD_RW, AID_NET_BW_STATS,
                      AID_READPROC };
    if (setgroups(sizeof(groups) / sizeof(groups[0]), groups) != 0) {
        PLOG(FATAL) << "Could not set supplental groups";
    }
--- a/debuggerd/debuggerd.rc
+++ b/debuggerd/debuggerd.rc
@ -1,3 +1,4 @@
 service debuggerd /system/bin/debuggerd
    class main
    group root readproc
    writepid /dev/cpuset/system-background/tasks
--- a/debuggerd/debuggerd64.rc
+++ b/debuggerd/debuggerd64.rc
@ -1,3 +1,4 @@
 service debuggerd64 /system/bin/debuggerd64
    class main
    group root readproc
    writepid /dev/cpuset/system-background/tasks
--- a/include/private/android_filesystem_config.h
+++ b/include/private/android_filesystem_config.h
@ -101,6 +101,7 @@
 #define AID_NET_BW_STATS  3006  /* read bandwidth statistics */
 #define AID_NET_BW_ACCT   3007  /* change bandwidth statistics accounting */
 #define AID_NET_BT_STACK  3008  /* bluetooth: access config files */
 #define AID_READPROC      3009  /* Allow /proc read access */
 /* The range 5000-5999 is also reserved for OEM, and must never be used here. */
 #define AID_OEM_RESERVED_2_START 5000
@ -191,6 +192,7 @@ static const struct android_id_info android_ids[] = {
    { "net_bw_stats",  AID_NET_BW_STATS, },
    { "net_bw_acct",   AID_NET_BW_ACCT, },
    { "net_bt_stack",  AID_NET_BT_STACK, },
    { "readproc",      AID_READPROC, },
    { "everybody",     AID_EVERYBODY, },
    { "misc",          AID_MISC, },
--- a/init/init.cpp
+++ b/init/init.cpp
@ -546,7 +546,8 @@ int main(int argc, char** argv) {
        mkdir("/dev/pts", 0755);
        mkdir("/dev/socket", 0755);
        mount("devpts", "/dev/pts", "devpts", 0, NULL);
-        mount("proc", "/proc", "proc", 0, NULL);
+        #define MAKE_STR(x) __STRING(x)
        mount("proc", "/proc", "proc", 0, "hidepid=2,gid=" MAKE_STR(AID_READPROC));
        mount("sysfs", "/sys", "sysfs", 0, NULL);
    }
--- a/lmkd/lmkd.rc
+++ b/lmkd/lmkd.rc
@ -1,5 +1,6 @@
 service lmkd /system/bin/lmkd
    class core
    group root readproc
    critical
    socket lmkd seqpacket 0660 system system
    writepid /dev/cpuset/system-background/tasks
--- a/logd/logd.rc
+++ b/logd/logd.rc
@ -3,7 +3,7 @@ service logd /system/bin/logd
    socket logd stream 0666 logd logd
    socket logdr seqpacket 0666 logd logd
    socket logdw dgram 0222 logd logd
-    group root system
+    group root system readproc
    writepid /dev/cpuset/system-background/tasks
 service logd-reinit /system/bin/logd --reinit
--- a/logd/main.cpp
+++ b/logd/main.cpp
@ -106,7 +106,9 @@ static int drop_privs() {
        return -1;
    }
-    if (setgroups(0, NULL) == -1) {
+    gid_t groups[] = { AID_READPROC };
    if (setgroups(sizeof(groups) / sizeof(groups[0]), groups) == -1) {
        return -1;
    }
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@ -560,7 +560,7 @@ service console /system/bin/sh
    console
    disabled
    user shell
-    group shell log
+    group shell log readproc
    seclabel u:r:shell:s0
 on property:ro.debuggable=1