diff --git a/adb/daemon/main.cpp b/adb/daemon/main.cpp
index 8c3ca63c8..b8d758f10 100644
--- a/adb/daemon/main.cpp
+++ b/adb/daemon/main.cpp
@@ -142,9 +142,11 @@ int adbd_main(int server_port) {
 // AID_SDCARD_R to allow reading from the SD card
 // AID_SDCARD_RW to allow writing to the SD card
 // AID_NET_BW_STATS to read out qtaguid statistics
+ // AID_READPROC for reading /proc entries across UID boundaries
 gid_t groups[] = {AID_ADB, AID_LOG, AID_INPUT, AID_INET, AID_NET_BT, AID_NET_BT_ADMIN,
- AID_SDCARD_R, AID_SDCARD_RW, AID_NET_BW_STATS};
+ AID_SDCARD_R, AID_SDCARD_RW, AID_NET_BW_STATS,
+ AID_READPROC };
 if (setgroups(sizeof(groups) / sizeof(groups[0]), groups) != 0) {
 PLOG(FATAL) << "Could not set supplental groups";
 }
diff --git a/debuggerd/debuggerd.rc b/debuggerd/debuggerd.rc
index 4be2e5d08..e43fe96cf 100644
--- a/debuggerd/debuggerd.rc
+++ b/debuggerd/debuggerd.rc
@@ -1,3 +1,4 @@
 service debuggerd /system/bin/debuggerd
 class main
+ group root readproc
 writepid /dev/cpuset/system-background/tasks
diff --git a/debuggerd/debuggerd64.rc b/debuggerd/debuggerd64.rc
index c6e7bf2a5..35b5af35c 100644
--- a/debuggerd/debuggerd64.rc
+++ b/debuggerd/debuggerd64.rc
@@ -1,3 +1,4 @@
 service debuggerd64 /system/bin/debuggerd64
 class main
+ group root readproc
 writepid /dev/cpuset/system-background/tasks
diff --git a/include/private/android_filesystem_config.h b/include/private/android_filesystem_config.h
index c7eb34b01..e2133e905 100644
--- a/include/private/android_filesystem_config.h
+++ b/include/private/android_filesystem_config.h
@@ -101,6 +101,7 @@
 #define AID_NET_BW_STATS 3006 /* read bandwidth statistics */
 #define AID_NET_BW_ACCT 3007 /* change bandwidth statistics accounting */
 #define AID_NET_BT_STACK 3008 /* bluetooth: access config files */
+#define AID_READPROC 3009 /* Allow /proc read access */
 /* The range 5000-5999 is also reserved for OEM, and must never be used here. */
 #define AID_OEM_RESERVED_2_START 5000
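Review bot: The new initializer ends with `AID_READPROC };` on a line of its own, the only element in this list written with a space before the closing brace, and it leaves the array split over three lines for one added constant. Keep the existing `{AID_ADB, …}` spacing and fold the addition into the second line: `AID_SDCARD_R, AID_SDCARD_RW, AID_NET_BW_STATS, AID_READPROC};`. Since this makes every adb shell session a member of readproc, the added `// AID_READPROC for reading /proc entries across UID boundaries` comment is the only record of why adbd crosses UID boundaries in /proc, so it should stay attached to the list. adbd_main's body continues outside the hunk.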
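Review bot: debuggerd.rc, debuggerd64.rc and lmkd.rc gain `group root readproc`, but none of those files has a `user` line, so the services start as root, and a root process that still holds CAP_SYS_PTRACE passes hidepid=2's ptrace-read check regardless of its groups; the supplementary group therefore only matters if the daemon later drops uid or capabilities, which I cannot tell from these hunks. If they do drop privileges, a comment above the `group` line such as `# readproc: keep read access to other users' /proc entries now that init mounts /proc hidepid=2` would record the dependency on init.cpp's mount options. If they stay fully privileged the line is harmless but redundant, and saying so in the same comment avoids the next reader removing it or, worse, relying on it.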
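Review bot: The comment on the new `AID_READPROC 3009` line, `/* Allow /proc read access */`, is the only one in this block that starts with a capital and it understates what the group means: every process can already read its own /proc entries, and the group only becomes significant because init now mounts /proc with `hidepid=2,gid=` and this number. Suggest `/* read other users' /proc entries (gid of the hidepid=2 /proc mount in init) */` so a reader of the header learns where the value is consumed and why it must stay in sync with init.cpp.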
@@ -191,6 +192,7 @@ static const struct android_id_info android_ids[] = {
 { "net_bw_stats", AID_NET_BW_STATS, },
 { "net_bw_acct", AID_NET_BW_ACCT, },
 { "net_bt_stack", AID_NET_BT_STACK, },
+ { "readproc", AID_READPROC, },
 { "everybody", AID_EVERYBODY, },
 { "misc", AID_MISC, },
diff --git a/init/init.cpp b/init/init.cpp
index 605674b15..86aed9ac7 100644
--- a/init/init.cpp
+++ b/init/init.cpp
@@ -546,7 +546,8 @@ int main(int argc, char** argv) {
 mkdir("/dev/pts", 0755);
 mkdir("/dev/socket", 0755);
 mount("devpts", "/dev/pts", "devpts", 0, NULL);
- mount("proc", "/proc", "proc", 0, NULL);
+ #define MAKE_STR(x) __STRING(x)
+ mount("proc", "/proc", "proc", 0, "hidepid=2,gid=" MAKE_STR(AID_READPROC));
 mount("sysfs", "/sys", "sysfs", 0, NULL);
 }
diff --git a/lmkd/lmkd.rc b/lmkd/lmkd.rc
index 7d6cb11ba..3bb84abf6 100644
--- a/lmkd/lmkd.rc
+++ b/lmkd/lmkd.rc
@@ -1,5 +1,6 @@
 service lmkd /system/bin/lmkd
 class core
+ group root readproc
 critical
 socket lmkd seqpacket 0660 system system
 writepid /dev/cpuset/system-background/tasks
diff --git a/logd/logd.rc b/logd/logd.rc
index ecd2f0acf..10f35536f 100644
--- a/logd/logd.rc
+++ b/logd/logd.rc
@@ -3,7 +3,7 @@ service logd /system/bin/logd
 socket logd stream 0666 logd logd
 socket logdr seqpacket 0666 logd logd
 socket logdw dgram 0222 logd logd
- group root system
+ group root system readproc
 writepid /dev/cpuset/system-background/tasks
 service logd-reinit /system/bin/logd --reinit
diff --git a/logd/main.cpp b/logd/main.cpp
index ad577d203..8e75b37a0 100644
--- a/logd/main.cpp
+++ b/logd/main.cpp
@@ -106,7 +106,9 @@ static int drop_privs() {
 return -1;
 }
- if (setgroups(0, NULL) == -1) {
+ gid_t groups[] = { AID_READPROC };
+ if (setgroups(sizeof(groups) / sizeof(groups[0]), groups) == -1) {
 return -1;
 }
diff --git a/rootdir/init.rc b/rootdir/init.rc
index d3381e693..d0ce693c5 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
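Review bot: The rewritten `mount("proc", …)` call is still unchecked, and unlike the old NULL-options call it now has a realistic failure mode: on a kernel whose procfs does not support `hidepid`, the mount is either rejected outright (no /proc at all) or the option is silently ignored (no hiding), and in neither case does anything here notice or log it. Wrap it as `if (mount("proc", "/proc", "proc", 0, "hidepid=2,gid=" MAKE_STR(AID_READPROC)) != 0) {` followed by the error logging with errno that init.cpp already uses elsewhere. Separately, `MAKE_STR` is defined inside main() with an indented `#define` and expands to `__STRING`, a reserved-namespace macro that bionic's `<sys/cdefs.h>` happens to provide; a file-scope two-step stringifier (`#define STR_(x) #x` and `#define STR(x) STR_(x)`) would be self-contained and would not linger as an unscoped macro for the rest of main(). main()'s body continues outside the hunk on both sides.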
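Review bot: The new `setgroups` call replaces the clear-all with a one-entry list, but nothing in drop_privs records why AID_READPROC is the single supplementary group that survives the privilege drop; a comment above `gid_t groups[] = { AID_READPROC };` such as `// Keep AID_READPROC as the only supplementary group: init mounts /proc hidepid=2, so logd needs it to read other users' /proc entries.` would tie this line to the init.cpp change (exactly what logd reads under /proc is not visible here — confirm against the callers before wording it more specifically). The same comment should say that the groups from logd.rc's `group root system readproc` line are intentionally discarded here apart from readproc, since a reader of the rc file would otherwise expect them to persist. drop_privs starts before the hunk and continues after it, so the ordering of this call relative to the uid/gid change is not visible; setgroups needs CAP_SETGID and must precede the drop to an unprivileged uid.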
@@ -560,7 +560,7 @@ service console /system/bin/sh
 console
 disabled
 user shell
- group shell log
+ group shell log readproc
 seclabel u:r:shell:s0
 on property:ro.debuggable=1