NB: bionic stdio is broken when providing appropriate errno value(s)
on failure so libc.__pstore_append will not report pmsg
misconfigured correctly on android for now.
Test: misconfigured kernel, watch for this message in liblog-unit-tests
Change-Id: Ifb1b550c7d3a3888000459c2f68c392cc23c379f
Do not allow anyone to see logd memory.
Test: gTest logd-unit-tests, liblog-unit-tests and logcat-unit-tests
Bug: 32450474
Change-Id: Ic7377efcb7e1d3cd91b50741061037a0fb589045
In zygote wrapping mode, ZygoteConnection does a check to see if the pid
reported by the wrapped process is either child process that was
forked, or a decendent of it. This requires read access to other
processes /proc files. Grant zygote AID_READPROC to allow this access.
Bug: 32610632
Test: manual inspection of /proc files to verify group.
Test: manual inspection of zygote's children to make sure they do not
inherit AID_READPROC
Change-Id: I3619a9ae33c8077e068e8024f7c7d44cfca6fb76
Ambient capabilities are inherited in a straightforward way across
execve(2):
"
If you are nonroot but you have a capability, you can add it to pA.
If you do so, your children get that capability in pA, pP, and pE.
For example, you can set pA = CAP_NET_BIND_SERVICE, and your
children can automatically bind low-numbered ports.
"
This will allow us to get rid of the special meaning for AID_NET_ADMIN
and AID_NET_RAW, and if desired, to reduce the use of file capabilities
(which grant capabilities to any process that can execute the file). An
additional benefit of the latter is that a single .rc file can specify
all properties for a service, without having to rely on a separate file
for file capabilities.
Ambient capabilities are supported starting with kernel 4.3 and have
been backported to all Android common kernels back to 3.10.
I chose to not use Minijail here (though I'm still using libcap) for
two reasons:
1-The Minijail code is designed to work in situations where the process
is holding any set of capabilities, so it's more complex. The situation
when forking from init allows for simpler code.
2-The way Minijail is structured right now, we would not be able to
make the required SELinux calls between UID/GID dropping and other priv
dropping code. In the future, it will make sense to add some sort of
"hook" to Minijail so that it can be used in situations where we want
to do other operations between some of the privilege-dropping
operations carried out by Minijail.
Bug: 32438163
Test: Use sample service.
Change-Id: I3226cc95769d1beacbae619cb6c6e6a5425890fb
This function is always called by the frameworks in order to
initialize vulkan layer path. For NB apps returning nullptr
disables vulkan layer library lookup as expected.
Bug: http://b/32542970
Test: mm
Change-Id: I426b2b9f5ea7227b00f063ed6040f37bb2b4f21f
The webview_zygote is a non-root zygote process that creates isolated_app
children for rendering web content. It needs:
- CAP_SETUID and CAP_SETGID to change the UID of the new child process.
- CAP_SETPCAP to clear the capability bounding set after forking.
Test: m
Test: angler boots
Bug: 21643067
Change-Id: I986fa04be54e812f5dd2afa14e5d2d3e474e2b10
bootcharts currently only show root's processes, which isn't very
useful. To investigate and track boot duration issues, we need a way for
init to see all the pids. Add init to GID 3009 (aka AID_READPROC)
Ensure that init's children don't inherit this GID by always clearing
supplementary group IDs on fork.
Bug: 32506197
Test: Device boots and /proc/1/status says init is in gid 3009
Test: zygote starts and the Group: line in /proc/ZYGOTEPID/status is empty
Change-Id: Iba90717aaa591f1d6030a379a272aee003600c0a
Not-Tested: bootchart actually works. Speculative fix.
