The property service uses an SELinux userspace check to determine if a
process is allowed to set a property. If the security check fails, a
userspace SELinux denial is generated. Currently, these denials are only
sent to dmesg.
Instead of sending these denials to dmesg, send it to the kernel audit
system. This will cause these userspace denials to be treated similarly
to kernel generated denials (eg, logd will pick them up and process
them). This will ensure that denials generated by the property service
will show up in logcat / dmesg / event log.
After this patch, running "setprop asdf asdf" from the unprivileged adb
shell user will result in the following audit message:
type=1107 audit(39582851.013:48): pid=1 uid=0 auid=4294967295
ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for
property=asdf pid=5537 uid=2000 gid=2000 scontext=u:r:shell:s0
tcontext=u:object_r:default_prop:s0 tclass=property_service'
Test: manual
Bug: 27878170
Change-Id: I0b8994888653501f2f315eaa63d9e2ba32d851ef
toybox has a #define noreturn that trips over this.
Also move `format` out of the way, just in case.
Bug: https://github.com/android-ndk/ndk/issues/271
Test: builds
Change-Id: Ib8811136b4b422ff74625509539a5464a3c9af18
Commit 9596d2b95d changes how
availability of console is checked by only checking access bits for
the console device. However, in cases where there is no console it
defaults to /dev/console. This device is always enumerated by tty
driver (i.e. file and access bits may be correct), but it doesn't
always map to an underlying console driver. Because the lookup for the
underlying console driver happens during the open system call, checking
only the access bits is not sufficient and need to make sure open
system call is successful, we can safely close the FD afterwards to
avoid FD leaks.
Test: boot device and check console svc doesn't continuously restart
Bug: 33691649
Change-Id: Ia51a8a2f56c345b70db55e95f61a057a98b52895
Some kernels have a bug which causes a newline to show up in audit
messages. The embedded newlines cause one message to look like two due
to prefix controls.
Replace any newlines with spaces. Duplicate spaces are further
consolidated in code immediately after this newly added code.
Test: create an audit message with a newline, and watch it be cleaned up.
Bug: 27878170
Change-Id: Id90c29ab9e10d3be96f51403b0293622d782422a
log selinux audit messages boolean (true or false, default true)
selection for logging destinations:
ro.logd.auditd - turn on logd.auditd to pick up violations.
ro.logd.auditd.dmesg - to the kernel log.
ro.logd.auditd.main - to the "main" log buffer.
ro.logd.auditd.events - to the "events" log buffer.
We used to also read logd.auditd.dmesg and persist.logd.auditd.dmesg
which do not get refreshed when /data mounts internally. This is a
confusing state as these properties will be read after a logd crash
and restart, adjusting the behavior of the logger. Same can be said
for logd.auditd as well. Drop reading these other parameters.
Test: manual set r/o parameters, stop/start logd to confirm behavior
Bug: 33969000
Bug: 27878170
Change-Id: I1a6bb4a903074c9aa7b227cf583a0094d49cbefd
Until the socket ages out, it sticks around and gets reused in
subsequent tests affecting the outcome of those tests. We opt
to run logd.timeout in a forked and isolated process to keep
these conditions from interfering.
Adjusted benchmark execute to only run the tests we are
interested in to improve the time it takes to run.
Commented some areas of code to make them easier to maintain.
Test: gTest logd-unit-tests success
Bug: 33962045
Change-Id: Ic1b98bc4a2d7e8927f1a87628e3bcc368c9cf8ce
If we're going to build libziparchive with _FILE_OFFSET_BITS=64, which
seems like a reasonable idea, we don't want off_t/off64_t mixups in the
ABI, and C++ name mangling helps protect against that where C wouldn't.
Bug: N/A
Test: builds
Change-Id: I5f068b41fb4cd9e1e055e5250054318b35bcbc08
The mismatch of return values makes reasoning about the correctness of
CLs like https://android-review.googlesource.com/317923 quite hard.
Bug: 33941660
Test: Init builds, HiKey boots.
Change-Id: Ia4b8a9af420682997b154a594892740181980921
logd now counts multiple identical messages, causing messages to be
held back. Stop doing that in the tests. When that filter appeared,
the logcat-unit-tests went from 23 seconds to a couple of minutes of
runtime breakign the automated testing.
Test: gTest logcat-unit-tests total time less than 1 minute.
Bug: 33845198
Bug: 33535908
Change-Id: I6145bae89b6d5e5024ef4f8fe66440c9ae53f7c6
The protocol doc states that calling `fastboot getvar` for an unknown
variable should return an empty OKAY message, but in reality modern
devices return a FAIL response in this case (tested with marlin and
shamu).
Additionally, some A/B logic in fastboot expects a FAIL response for
unknown variables in order to function properly.
This CL changes the documentation to match reality.
Bug: http://b/33756193
Test: none
Change-Id: I41f7c80585be73e60ca0ac216787596c4d60a1d5
