Merge "logd: security buffer only AID_SYSTEM reader"
am: ef68c867ac
* commit 'ef68c867ac220f21e86a44fda9f501359425cae5':
logd: security buffer only AID_SYSTEM reader
This commit is contained in:
commit
1f26d0b73e
|
@ -18,6 +18,8 @@
|
|||
#include <inttypes.h>
|
||||
#include <signal.h>
|
||||
#include <string.h>
|
||||
#include <sys/types.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include <cutils/properties.h>
|
||||
#include <gtest/gtest.h>
|
||||
|
@ -25,6 +27,7 @@
|
|||
#include <log/logger.h>
|
||||
#include <log/log_read.h>
|
||||
#include <log/logprint.h>
|
||||
#include <private/android_filesystem_config.h>
|
||||
#include <private/android_logger.h>
|
||||
|
||||
// enhanced version of LOG_FAILURE_RETRY to add support for EAGAIN and
|
||||
|
@ -368,6 +371,48 @@ TEST(liblog, __security_buffer) {
|
|||
return;
|
||||
}
|
||||
|
||||
/* Matches clientHasLogCredentials() in logd */
|
||||
uid_t uid = getuid();
|
||||
gid_t gid = getgid();
|
||||
bool clientHasLogCredentials = true;
|
||||
if ((uid != AID_SYSTEM) && (uid != AID_ROOT) && (uid != AID_LOG)
|
||||
&& (gid != AID_SYSTEM) && (gid != AID_ROOT) && (gid != AID_LOG)) {
|
||||
uid_t euid = geteuid();
|
||||
if ((euid != AID_SYSTEM) && (euid != AID_ROOT) && (euid != AID_LOG)) {
|
||||
gid_t egid = getegid();
|
||||
if ((egid != AID_SYSTEM) && (egid != AID_ROOT) && (egid != AID_LOG)) {
|
||||
int num_groups = getgroups(0, NULL);
|
||||
if (num_groups > 0) {
|
||||
gid_t groups[num_groups];
|
||||
num_groups = getgroups(num_groups, groups);
|
||||
while (num_groups > 0) {
|
||||
if (groups[num_groups - 1] == AID_LOG) {
|
||||
break;
|
||||
}
|
||||
--num_groups;
|
||||
}
|
||||
}
|
||||
if (num_groups <= 0) {
|
||||
clientHasLogCredentials = false;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
if (!clientHasLogCredentials) {
|
||||
fprintf(stderr, "WARNING: "
|
||||
"not in system context, bypassing end-to-end test\n");
|
||||
|
||||
log_time ts(CLOCK_MONOTONIC);
|
||||
|
||||
buffer.type = EVENT_TYPE_LONG;
|
||||
buffer.data = *(static_cast<uint64_t *>((void *)&ts));
|
||||
|
||||
// expect failure!
|
||||
ASSERT_GE(0, __android_log_security_bwrite(0, &buffer, sizeof(buffer)));
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
pid_t pid = getpid();
|
||||
|
||||
ASSERT_TRUE(NULL != (logger_list = android_logger_list_open(
|
||||
|
@ -415,7 +460,12 @@ TEST(liblog, __security_buffer) {
|
|||
|
||||
android_logger_list_close(logger_list);
|
||||
|
||||
EXPECT_EQ(1, count);
|
||||
bool clientHasSecurityCredentials = (uid == AID_SYSTEM) || (gid == AID_SYSTEM);
|
||||
if (!clientHasSecurityCredentials) {
|
||||
fprintf(stderr, "WARNING: "
|
||||
"not system, content submitted but can not check end-to-end\n");
|
||||
}
|
||||
EXPECT_EQ(clientHasSecurityCredentials ? 1 : 0, count);
|
||||
|
||||
}
|
||||
|
||||
|
|
|
@ -93,3 +93,11 @@ void FlushCommand::runSocketCommand(SocketClient *client) {
|
|||
bool FlushCommand::hasReadLogs(SocketClient *client) {
|
||||
return clientHasLogCredentials(client);
|
||||
}
|
||||
|
||||
static bool clientHasSecurityCredentials(SocketClient *client) {
|
||||
return (client->getUid() == AID_SYSTEM) || (client->getGid() == AID_SYSTEM);
|
||||
}
|
||||
|
||||
bool FlushCommand::hasSecurityLogs(SocketClient *client) {
|
||||
return clientHasSecurityCredentials(client);
|
||||
}
|
||||
|
|
|
@ -45,6 +45,7 @@ public:
|
|||
virtual void runSocketCommand(SocketClient *client);
|
||||
|
||||
static bool hasReadLogs(SocketClient *client);
|
||||
static bool hasSecurityLogs(SocketClient *client);
|
||||
};
|
||||
|
||||
#endif
|
||||
|
|
|
@ -907,7 +907,8 @@ unsigned long LogBuffer::getSize(log_id_t id) {
|
|||
}
|
||||
|
||||
uint64_t LogBuffer::flushTo(
|
||||
SocketClient *reader, const uint64_t start, bool privileged,
|
||||
SocketClient *reader, const uint64_t start,
|
||||
bool privileged, bool security,
|
||||
int (*filter)(const LogBufferElement *element, void *arg), void *arg) {
|
||||
LogBufferElementCollection::iterator it;
|
||||
uint64_t max = start;
|
||||
|
@ -938,6 +939,10 @@ uint64_t LogBuffer::flushTo(
|
|||
continue;
|
||||
}
|
||||
|
||||
if (!security && (element->getLogId() == LOG_ID_SECURITY)) {
|
||||
continue;
|
||||
}
|
||||
|
||||
if (element->getSequence() <= start) {
|
||||
continue;
|
||||
}
|
||||
|
|
|
@ -111,7 +111,7 @@ public:
|
|||
uid_t uid, pid_t pid, pid_t tid,
|
||||
const char *msg, unsigned short len);
|
||||
uint64_t flushTo(SocketClient *writer, const uint64_t start,
|
||||
bool privileged,
|
||||
bool privileged, bool security,
|
||||
int (*filter)(const LogBufferElement *element, void *arg) = NULL,
|
||||
void *arg = NULL);
|
||||
|
||||
|
|
|
@ -163,6 +163,7 @@ bool LogReader::onDataAvailable(SocketClient *cli) {
|
|||
logbuf().isMonotonic() && android::isMonotonic(start));
|
||||
|
||||
logbuf().flushTo(cli, sequence, FlushCommand::hasReadLogs(cli),
|
||||
FlushCommand::hasSecurityLogs(cli),
|
||||
logFindStart.callback, &logFindStart);
|
||||
|
||||
if (!logFindStart.found()) {
|
||||
|
|
|
@ -126,6 +126,7 @@ void *LogTimeEntry::threadStart(void *obj) {
|
|||
LogBuffer &logbuf = me->mReader.logbuf();
|
||||
|
||||
bool privileged = FlushCommand::hasReadLogs(client);
|
||||
bool security = FlushCommand::hasSecurityLogs(client);
|
||||
|
||||
me->leadingDropped = true;
|
||||
|
||||
|
@ -150,10 +151,10 @@ void *LogTimeEntry::threadStart(void *obj) {
|
|||
unlock();
|
||||
|
||||
if (me->mTail) {
|
||||
logbuf.flushTo(client, start, privileged, FilterFirstPass, me);
|
||||
logbuf.flushTo(client, start, privileged, security, FilterFirstPass, me);
|
||||
me->leadingDropped = true;
|
||||
}
|
||||
start = logbuf.flushTo(client, start, privileged, FilterSecondPass, me);
|
||||
start = logbuf.flushTo(client, start, privileged, security, FilterSecondPass, me);
|
||||
|
||||
lock();
|
||||
|
||||
|
|
Loading…
Reference in New Issue