Merge "Enable hidepid=2 on /proc"

am: 2d8f1d4c47

* commit '2d8f1d4c478b9d921730d3fc9b290315e2ff9f04':
  Enable hidepid=2 on /proc

adb/daemon/main.cpp

@@ -142,9 +142,11 @@ int adbd_main(int server_port) {
     // AID_SDCARD_R to allow reading from the SD card
     // AID_SDCARD_RW to allow writing to the SD card
     // AID_NET_BW_STATS to read out qtaguid statistics
+    // AID_READPROC for reading /proc entries across UID boundaries
     gid_t groups[] = {AID_ADB,      AID_LOG,       AID_INPUT,
                       AID_INET,     AID_NET_BT,    AID_NET_BT_ADMIN,
-                      AID_SDCARD_R, AID_SDCARD_RW, AID_NET_BW_STATS};
+                      AID_SDCARD_R, AID_SDCARD_RW, AID_NET_BW_STATS,
+                      AID_READPROC };
     if (setgroups(sizeof(groups) / sizeof(groups[0]), groups) != 0) {
         PLOG(FATAL) << "Could not set supplental groups";
     }

debuggerd/debuggerd.rc

@@ -1,3 +1,4 @@
 service debuggerd /system/bin/debuggerd
     class main
+    group root readproc
     writepid /dev/cpuset/system-background/tasks

debuggerd/debuggerd64.rc

@@ -1,3 +1,4 @@
 service debuggerd64 /system/bin/debuggerd64
     class main
+    group root readproc
     writepid /dev/cpuset/system-background/tasks

include/private/android_filesystem_config.h

@@ -101,6 +101,7 @@
 #define AID_NET_BW_STATS  3006  /* read bandwidth statistics */
 #define AID_NET_BW_ACCT   3007  /* change bandwidth statistics accounting */
 #define AID_NET_BT_STACK  3008  /* bluetooth: access config files */
+#define AID_READPROC      3009  /* Allow /proc read access */
 
 /* The range 5000-5999 is also reserved for OEM, and must never be used here. */
 #define AID_OEM_RESERVED_2_START 5000
@@ -191,6 +192,7 @@ static const struct android_id_info android_ids[] = {
     { "net_bw_stats",  AID_NET_BW_STATS, },
     { "net_bw_acct",   AID_NET_BW_ACCT, },
     { "net_bt_stack",  AID_NET_BT_STACK, },
+    { "readproc",      AID_READPROC, },
 
     { "everybody",     AID_EVERYBODY, },
     { "misc",          AID_MISC, },

init/init.cpp

@@ -546,7 +546,8 @@ int main(int argc, char** argv) {
         mkdir("/dev/pts", 0755);
         mkdir("/dev/socket", 0755);
         mount("devpts", "/dev/pts", "devpts", 0, NULL);
-        mount("proc", "/proc", "proc", 0, NULL);
+        #define MAKE_STR(x) __STRING(x)
+        mount("proc", "/proc", "proc", 0, "hidepid=2,gid=" MAKE_STR(AID_READPROC));
         mount("sysfs", "/sys", "sysfs", 0, NULL);
     }
 

lmkd/lmkd.rc

@@ -1,5 +1,6 @@
 service lmkd /system/bin/lmkd
     class core
+    group root readproc
     critical
     socket lmkd seqpacket 0660 system system
     writepid /dev/cpuset/system-background/tasks

logd/logd.rc

@@ -3,7 +3,7 @@ service logd /system/bin/logd
     socket logd stream 0666 logd logd
     socket logdr seqpacket 0666 logd logd
     socket logdw dgram 0222 logd logd
-    group root system
+    group root system readproc
     writepid /dev/cpuset/system-background/tasks
 
 service logd-reinit /system/bin/logd --reinit

logd/main.cpp

@@ -106,7 +106,9 @@ static int drop_privs() {
         return -1;
     }
 
-    if (setgroups(0, NULL) == -1) {
+    gid_t groups[] = { AID_READPROC };
+
+    if (setgroups(sizeof(groups) / sizeof(groups[0]), groups) == -1) {
         return -1;
     }
 

rootdir/init.rc

@@ -560,7 +560,7 @@ service console /system/bin/sh
     console
     disabled
     user shell
-    group shell log
+    group shell log readproc
     seclabel u:r:shell:s0
 
 on property:ro.debuggable=1