Commit Graph

334 Commits

Author SHA1 Message Date
Mark Salyzyn d7332d6d21 logd: check return values
am: 07522c6e9b

* commit '07522c6e9b8acba0f5cfb274d4514014749475e8':
  logd: check return values
2016-03-02 19:47:17 +00:00
Mark Salyzyn 13b3d68a61 logd: clarify release_Locked() for static analyzer
am: c348416198

* commit 'c3484161980cdea915c893a233f54b14a75d151f':
  logd: clarify release_Locked() for static analyzer
2016-03-02 19:46:54 +00:00
Mark Salyzyn 07522c6e9b logd: check return values
(cherry pick from commit bf7d0b8875)

The setgid() and setuid() call failure in logd.daemon thread
do not block overall functionality, so clearly tell static
analyzer and developers that we do not care to check their
return values.

SideEffects: None

Bug: 27434072
Change-Id: I6fdc87e8311ebc0173716080bbd72c86b3f00f78
2016-03-02 11:37:21 -08:00
Mark Salyzyn c348416198 logd: clarify release_Locked() for static analyzer
(cherry pick from commit 0ecdec7a09)

release_Locked() is called with a reference count and threadRunning,
the static analyzer can not tell this and estimates that a call to
delete this will occur. So let us invent a new call
release_nodelete_Locked() to ensure it is clear we will not be
arranging a delete this in the context of this code path. The
delete this will follow in the immediate codepath in this function
after threadRunning is cleared, and decRef_Locked() is called.

Change will also remove any developer FUD regarding release_Locked()
usage at this location.

SideEffects: None

Bug: 27434831
Change-Id: I91b060b2dadc72cc449fa381c934afb577bee037
2016-03-02 11:37:21 -08:00
Sami Tolvanen 2060a83775 logd: add a comment about untrusted content in the audit log
A single space character in search terms separates us from a denial of
service attack that forces the device into safe mode.  This CL adds a
comment that hopefully stops the spaces from being accidentally deleted
in future.

Change-Id: I33b2632ef4211fa1688ac9c8f0cf7d0c667766c1
2016-02-29 14:10:59 -08:00
Sami Tolvanen 89e0429ce7 logd: stop log spam when integrity enforcement is suppressed
Bug: 27389331
Change-Id: I9f3bc21eb1b85b9fda4fa0a5c5b4da94e5e7cc1c
(cherry pick from commit abda9340e6)
2016-02-29 13:18:46 -08:00
Sami Tolvanen abda9340e6 logd: stop log spam when integrity enforcement is suppressed
Bug: 27389331
Change-Id: I9f3bc21eb1b85b9fda4fa0a5c5b4da94e5e7cc1c
2016-02-29 12:08:39 -08:00
Nick Kralevich 99fb01e42a Revert "logd: Don't trigger an integrity failure on permissive SELinux denials"
external/sepolicy commit bca98efa575bedab68f2d5eaee2cd1fd1741962b
ensures that no permissive domains can be on user builds, and
external/sepolicy commit 3872ee396898fcb23bdc49c37fd02d81014aaa5f
re-enables enforcing mode on cameraserver.

The conditions which lead to the integrity failure detection
triggering can no longer occur. Revert the patch which relaxed
the detection.

This reverts commit 33ee84f871.

Bug: 27313768
Bug: 26902605
Change-Id: I8ee97d0858345695f9df8240de4e696f4a9ba008
2016-02-27 08:31:57 -08:00
Nick Kralevich 33ee84f871 logd: Don't trigger an integrity failure on permissive SELinux denials
Only trigger an integrity failure if a policy is reloaded or
SELinux is disabled. Don't trigger the integrity failure if
we see a permissive=1 denial, which could occur if an SELinux
domain is in permissive mode.

Bug: 27313768
Bug: 26902605
Change-Id: Ib85a2799eb6378ae8acdb965b1812d691183fdd3
2016-02-26 17:00:15 -08:00
Mark Salyzyn d26b2cacad logd: sock_alloc_send_pskb starves pruning
(cherry pick from commit 5c77ad55d0)

Allow socket send syscall to terminate after 32 seconds if reader
stalled because of memory pressure allocating new network buffers

Add a gTest to catch regressions, add security buffer to log_dump

Bug: 27242723
Change-Id: Idaa6699d9d284e7f5f723ae0e76b3d6aa3371489
2016-02-25 12:43:12 -08:00
Mark Salyzyn 317bfb923c logd: Allow (some) headers to be individually importable
(cherry pick from commit 2ad0bd0a9b)

LogReader.h needs to be individually importable.

Fix a few others, drop includes of local includes, let them be
included in source instead and allow headers to be included
alphabetically. Was not a complete audit since goal was to
separate LogReader.h out from the pack.

Bug: 27242723
Change-Id: Ic7759ef90995e5bd285810706af33550c73cf5b5
2016-02-25 12:42:31 -08:00
Mark Salyzyn 5c77ad55d0 logd: sock_alloc_send_pskb starves pruning
Allow socket send syscall to terminate after 32 seconds if reader
stalled because of memory pressure allocating new network buffers

Add a gTest to catch regressions, add security buffer to log_dump

Bug: 27242723
Change-Id: Idaa6699d9d284e7f5f723ae0e76b3d6aa3371489
2016-02-24 10:15:32 -08:00
Mark Salyzyn 2ad0bd0a9b logd: Allow (some) headers to be individually importable
LogReader.h needs to be individually importable.

Fix a few others, drop includes of local includes, let them be
included in source instead and allow headers to be included
alphabetically. Was not a complete audit since goal was to
separate LogReader.h out from the pack.

Bug: 27242723
Change-Id: Ic7759ef90995e5bd285810706af33550c73cf5b5
2016-02-24 10:15:22 -08:00
Sami Tolvanen 0bdad0f231 logd: enforce policy integrity
If a SELinux policy change or a switch to permissive mode is detected
on a user build, restart the device into safe mode, and keep it there
until an OTA is applied or user data is wiped.

This change deprecates the ro.logd.auditd property.

Needs matching changes from
  I781c3059ea8d4fb2f0c923e4488b1932d69678d3
  Ica825cf2af74f5624cf4091544bd24bb5482dbe7
  Id3ca7889ede30b54b7af73dd50653ca1a20d59aa

Bug: 26902605
Change-Id: Idcdc5bff133f13c1267f0ec0a75cc8cf1ddbda0d
(cherry picked from commit d122ee65b6)
2016-02-22 14:00:43 -08:00
Sami Tolvanen d122ee65b6 logd: enforce policy integrity
If a SELinux policy change or a switch to permissive mode is detected
on a user build, restart the device into safe mode, and keep it there
until an OTA is applied or user data is wiped.

This change deprecates the ro.logd.auditd property.

Needs matching changes from
  I781c3059ea8d4fb2f0c923e4488b1932d69678d3
  Ica825cf2af74f5624cf4091544bd24bb5482dbe7
  Id3ca7889ede30b54b7af73dd50653ca1a20d59aa

Bug: 26902605
Change-Id: Idcdc5bff133f13c1267f0ec0a75cc8cf1ddbda0d
2016-02-16 12:54:54 -08:00
Mark Salyzyn d1f41d606b logd: use ro.debuggable instead of ro.build.type
Change-Id: Ic644f1f78e68094f700834675f4acc63386a6b92
2016-02-10 10:23:03 -08:00
Mark Salyzyn d048f113a3 logd: add internal prdebug function
Usage: android::prdebug(const char *fmt, ...) __printflike(1, 2);

Will add logd prefix tag, log as debug priority in kernel logs,
and will suffix a newline if one is not supplied. To be used to
aid debugging of the logger only.

Change-Id: I217326ef34dc4eb0ea076bacb7a7a8b564c931c3
2016-02-09 07:46:39 -08:00
Mark Salyzyn 0604f6fbae init.rc: too many start logd
Bug: 26934873
Change-Id: Ia00da6253a50bedc8ba825df1cf641b86cdebeed
2016-02-02 16:01:17 -08:00
Mark Salyzyn 8fa8896d2e logd: security buffer only AID_SYSTEM reader
- limit AID_SYSTEM uid or gid to read security buffer messages
- adjust liblog tests to reflect the reality of this adjustment

To fully test all security buffer paths and modes

$ su 0,0,0 /data/nativetest/liblog-unit-tests/liblog-unit-tests --gtest_filter=liblog.__security*
$ su 1000,1000,1000 /data/nativetest/liblog-unit-tests/liblog-unit-tests --gtest_filter=liblog.__security*
$ su 2000,2000,2000 /data/nativetest/liblog-unit-tests/liblog-unit-tests --gtest_filter=liblog.__security*

ToDo: Integrate the above individually into the gTest Q/A testing

Bug: 26029733
Change-Id: Idcf5492db78fa6934ef6fb43f3ef861052675651
2016-02-01 13:29:06 -08:00
Mark Salyzyn c85ce9ba8e Merge "Revert "logd: security buffer only AID_SYSTEM reader"" 2016-01-26 22:38:58 +00:00
Mark Salyzyn 674ce6ef58 Revert "logd: security buffer only AID_SYSTEM reader"
This reverts commit 756332e88b.

Change-Id: Ib8607ac758b7e88a9db716ec4274ec0e4e3dc596
2016-01-26 21:47:35 +00:00
Mark Salyzyn 69ce7c5483 Merge "logd: security buffer only AID_SYSTEM reader" 2016-01-26 20:41:51 +00:00
Mark Salyzyn 756332e88b logd: security buffer only AID_SYSTEM reader
Bug: 26029733
Change-Id: I140e5eb8bb39271fa674744651127e3fc545cbe8
2016-01-26 07:20:29 -08:00
Mark Salyzyn ef4e4f3f07 logd: test wrap functionality
Behavior is modified now, so react by fortifying the tests

Bug: 26447386
Change-Id: I6295783a0bc75282499aeba503a86bdb846908b5
2016-01-21 11:56:23 -08:00
Mark Salyzyn 7fd6c5c6f5 logd: prune maintain per-id watermark (part deux)
iterator corruption as we allow mLast to slip through the FIFO

Bug: 23685592
Bug: 26646087
Change-Id: Ifcbaecf390ee47b195c3d823d080c66c15db4530
2016-01-19 16:14:39 -08:00
Mark Salyzyn 7b7b2da6b8 Merge "logd: prune maintain per-id watermark" 2016-01-13 20:23:28 +00:00
Mark Salyzyn ae6aa1f1ed Merge "logd: wrap timed entry too early, timeout immediately" 2016-01-12 21:57:50 +00:00
Mark Salyzyn 4690640760 logd: unaligned access on security buffer
Bug: 26485626
Change-Id: I990447ca59982bb2de15decda575fd0e2838b5ed
2016-01-12 10:09:31 -08:00
Mark Salyzyn 507eb9fec2 logd: prune maintain per-id watermark
Without this change LogBuffer::prune and LogBuffer::erase
contributes 16.7% and 1.79% respectively. With this change,
they contributes 3.06 and 2.33% respectively. Pruning is
performed roughly 1 in every 255 log entries, a periodic
tamer latency spike.

Bug: 23685592
Change-Id: I6ae1cf9f3559bca4cf448efe8bcb2b96a1914c54
2016-01-11 14:46:51 -08:00
Mark Salyzyn 0157097845 logd: wrap timed entry too early, timeout immediately
Bug: 26447386
Change-Id: I8d5588831f558061ef21b2a5aeedc865e9ae4cc7
2016-01-07 15:13:14 -08:00
Mark Salyzyn 1a5bac2069 Merge "Revert "logd: liblog: whitelist "snet_event_log""" 2016-01-06 21:22:04 +00:00
Mark Salyzyn 0ee8de3c2d Revert "logd: liblog: whitelist "snet_event_log""
Callers will not guarantee that they can or will ratelimit, we need to
retain the ability to blacklist snet_event_log as a result.

This reverts commit 6aa21b225d.

Bug: 26178938
Change-Id: Ibf47d2e23a84c56f5f72d02312c698df7ff2b601
2016-01-06 21:19:23 +00:00
Mark Salyzyn 66607ebc0e logd: document ro.logd.size
Bad comment advise in LogBuffer.cpp results in partners failing to
considering using ro.logd.size to set the platform buffer size
default.

NB: It is not good practice to increase the log buffer size to deal
with logspam, as increases will result in logd scale issues getting
closer to hitting the background cgroup cpu cap. Once we hit that
cap, logd spirals, pruning old entries slower than the incoming log
entries. logd.writer will take 100% cpu.

Change-Id: If4a7a74f300d078eeaed0ffd3eb3fd77d1f9fe90
2016-01-05 09:09:18 -08:00
Mark Salyzyn ff8b8e838b logd: build breakage aosp-brillo-master @ 2508494
Change-Id: I38e506bc997c6e9759a064b517f9372a27d0e510
2015-12-30 13:46:07 -08:00
Mark Salyzyn 554630f94e Merge "logd: isMonotonic improvements" 2015-12-30 21:31:58 +00:00
Mark Salyzyn 6aa21b225d logd: liblog: whitelist "snet_event_log"
Dangerous bridge to cross to whitelist, who is special, who is not?
Rationalized as these events are used to catch exploits on platform.
As it stands no one should be allowed to block any messages in the
security context, not even for development purposes.

Bug: 26178938
Change-Id: Ibdc76bc0fe29ba05be168b623af1c9f41d7edbd2
2015-12-30 10:07:19 -08:00
Mark Salyzyn 10b82b6834 logd: isMonotonic improvements
Use 1972 as a right delineation. Otherwise use half way point
between the monotonic and realtime. Treat correction factor as
unsigned, ensure that any wrapping to a negative value is
dropped or set to EPOCH. Acknowledge that we can get a more
accurate time track by acquiring the time rather than relying on
healthd timestamp.

Bug: 26331432
Change-Id: I09075fca58676a30cf7d87baf2d4b0f53795abaa
2015-12-29 11:34:29 -08:00
Mark Salyzyn bec3c3def9 logd: Add worst pid of system filter
- Add a new statistic that reports per pid and log_id for AID_SYSTEM
- Add a new pruning filter ~1000/! boolean
- Use this new statistic to prune on worst pid within AID_SYSTEM

Bug: 26029733
Bug: 21615139
Bug: 22855208
Change-Id: Iab5dd28f807dcf03d276372853883f3b6afa8294
2015-12-29 09:32:35 -08:00
Mark Salyzyn 9c66a58f21 logd: Allow flags "eng" and "svelte" in boolean
- enhance property_get_bool, drop property_get_bool_svelte
- enhance base properties with ro and persist variants
- update and fortify README.property
- primarily move auditd and kernel logger into a realm where
  they can be controlled by build properties.
- Move logd.klogd to logd.kernel, and add ro.logd.kernel
  and persist.logd.kernel.
- Add ro.logd.auditd and persist.logd.auditd.
- Document persist.logd.security
- Document log.tag and persist.logd.tag properties.
- Document ro.logd.size, persist.logd.size and logd.size
  properties.

Bug: 26178938
Bug: 26029733
Bug: 17760225
Change-Id: Ibc1a497e45d69db5cf52133937f7ba6fb1d6cd21
2015-12-22 07:44:31 -08:00
Mark Salyzyn ee3b838e13 logd: statistics per-pid filter
Primarily gives access to the Chattiest TIDs and TAGs
associated with a pid.

Has a secondary effect of allowing us to pull out the
command line, comm and in some cases the associated
PACKAGE for a specific pid while the logs are still
present even if the executable is gone.

Bug: 26029733
Bug: 21615139
Change-Id: I1ea63165a680a9318360579b70b1512078ed5682
2015-12-18 13:17:37 -08:00
Mark Salyzyn 7b4a2049b0 logd: test drop __unused
Change-Id: I1ccf49809b8a0a125601bdb52834c463e2d94165
2015-12-18 10:35:00 -08:00
Mark Salyzyn 236fecd923 Merge "logd: ro.config.low_ram set buffer size to 64K" 2015-12-17 23:47:14 +00:00
Mark Salyzyn 1d9c7e728f logd: simpleperf inspired optimizations
memset is hot on log writes with too much overhead, not required.

Bug: 24444530
Bug: 23685592
Change-Id: Ibe3c83abca6774fc79a3be461f2f1585f4a9b1ff
2015-12-15 14:24:04 -08:00
Mark Salyzyn cdda62b2c1 logd: ro.config.low_ram set buffer size to 64K
Bug: 25792367
Change-Id: Icae85a7de70b3a71f89b2bf8c80866649f727177
2015-12-14 14:37:07 -08:00
Mark Salyzyn 86052a5d4f Merge "logd: liblog: logcat: Add LOG_ID_SECURITY" 2015-12-11 17:33:33 +00:00
Mark Salyzyn 30edbdce9b Merge changes I598c8c5c,I672b0f4d,Id882978b,Idff5e080,Ib124eca1, ...
* changes:
  logger.h: reduce maximum payload so sum is page size
  liblog: test for maximum payload can not survive change
  liblog: logprint use uid name if length less then 5
  liblog: logprint add uid format modifier
  liblog: readlog apps get logger_entry_v4 for pstore
  logd: readlog apps get logger_entry_v4
  logger.h: Add definition for logger_entry_v4
2015-12-11 16:42:28 +00:00
Mark Salyzyn ad9dac1c27 Merge "logd: best 2/3 filter for timezone glitches" 2015-12-10 23:38:03 +00:00
Mark Salyzyn b06247d9a0 logd: best 2/3 filter for timezone glitches
klogd is sensitive to changes in timezone resulting in glitches
surrounding conversion to local realtime logging. logger manages
a map from monotonic to realtime, but the process is racey since
the system can change the timezone at any time, this catches those
cases where it glitches.

Bug: 21868540
Change-Id: I03de6675fcd04f18ba7306a24dc3d9e750d86976
2015-12-10 13:20:48 -08:00
Mark Salyzyn f011a335f2 logd: logd-reinit exits with 194
Bug: 26115803
Change-Id: I6e8843ce9766756a40e6d176e0a822f62045c2af
2015-12-10 12:26:08 -08:00
Mark Salyzyn 7b87365ecf logd: readlog apps get logger_entry_v4
Adds the uid field to outgoing content for readlog applications.
AID_LOG, AID_ROOT and AID_SYSTEM gain access to the information.

Bug: 25996918
Change-Id: I0254303c19d174cbf5e722c38844be5c54410c85
2015-12-09 08:12:07 -08:00