platform_system_core/logd
Mark Salyzyn 8fa8896d2e logd: security buffer only AID_SYSTEM reader
- limit AID_SYSTEM uid or gid to read security buffer messages
- adjust liblog tests to reflect the reality of this adjustment

To fully test all security buffer paths and modes

$ su 0,0,0 /data/nativetest/liblog-unit-tests/liblog-unit-tests --gtest_filter=liblog.__security*
$ su 1000,1000,1000 /data/nativetest/liblog-unit-tests/liblog-unit-tests --gtest_filter=liblog.__security*
$ su 2000,2000,2000 /data/nativetest/liblog-unit-tests/liblog-unit-tests --gtest_filter=liblog.__security*

ToDo: Integrate the above individually into the gTest Q/A testing

Bug: 26029733
Change-Id: Idcf5492db78fa6934ef6fb43f3ef861052675651
2016-02-01 13:29:06 -08:00
..
tests logd: test wrap functionality 2016-01-21 11:56:23 -08:00
Android.mk Revert "logd: liblog: whitelist "snet_event_log"" 2016-01-06 21:19:23 +00:00
CommandListener.cpp logd: statistics per-pid filter 2015-12-18 13:17:37 -08:00
CommandListener.h Logd: Handle unused variable and fields 2015-07-27 14:17:33 -07:00
FlushCommand.cpp logd: security buffer only AID_SYSTEM reader 2016-02-01 13:29:06 -08:00
FlushCommand.h logd: security buffer only AID_SYSTEM reader 2016-02-01 13:29:06 -08:00
LogAudit.cpp liblog: logd: support logd.timestamp = monotonic 2015-11-03 15:15:51 -08:00
LogAudit.h liblog: logd: support logd.timestamp = monotonic 2015-11-03 15:15:51 -08:00
LogBuffer.cpp logd: security buffer only AID_SYSTEM reader 2016-02-01 13:29:06 -08:00
LogBuffer.h logd: security buffer only AID_SYSTEM reader 2016-02-01 13:29:06 -08:00
LogBufferElement.cpp Merge "logd: liblog: logcat: Add LOG_ID_SECURITY" 2015-12-11 17:33:33 +00:00
LogBufferElement.h logd: readlog apps get logger_entry_v4 2015-12-09 08:12:07 -08:00
LogCommand.cpp logd: liblog: logcat: Add LOG_ID_SECURITY 2015-12-08 16:46:29 -08:00
LogCommand.h logd: liblog: logcat: Add LOG_ID_SECURITY 2015-12-08 16:46:29 -08:00
LogKlog.cpp logd: build breakage aosp-brillo-master @ 2508494 2015-12-30 13:46:07 -08:00
LogKlog.h liblog: logd: support logd.timestamp = monotonic 2015-11-03 15:15:51 -08:00
LogListener.cpp Revert "logd: security buffer only AID_SYSTEM reader" 2016-01-26 21:47:35 +00:00
LogListener.h logd: initial checkin. 2014-02-26 09:52:35 -08:00
LogReader.cpp logd: security buffer only AID_SYSTEM reader 2016-02-01 13:29:06 -08:00
LogReader.h logd: libsysutils: logd startup outside init environment 2014-04-17 16:14:24 +00:00
LogStatistics.cpp logd: Add worst pid of system filter 2015-12-29 09:32:35 -08:00
LogStatistics.h logd: Add worst pid of system filter 2015-12-29 09:32:35 -08:00
LogTimes.cpp logd: security buffer only AID_SYSTEM reader 2016-02-01 13:29:06 -08:00
LogTimes.h logd: wakeup on wrap or timeout 2015-12-07 14:24:02 -08:00
LogUtils.h logd: Allow flags "eng" and "svelte" in boolean 2015-12-22 07:44:31 -08:00
LogWhiteBlackList.cpp logd: Add worst pid of system filter 2015-12-29 09:32:35 -08:00
LogWhiteBlackList.h logd: Add worst pid of system filter 2015-12-29 09:32:35 -08:00
README.auditd logd: selinux auditd initial commit 2014-04-07 10:51:00 -07:00
README.property logd: document ro.logd.size 2016-01-05 09:09:18 -08:00
event.logtags logd: annotate worst-UID pruned entries 2015-04-10 15:45:08 -07:00
libaudit.c Revert "libaudit: limit to 5 selinux denials per sec" 2015-05-11 15:43:25 -07:00
libaudit.h logd: throttle SELinux denials to 20/sec 2014-11-19 13:35:36 -08:00
logd.rc Enable hidepid=2 on /proc 2015-11-09 09:08:46 -08:00
main.cpp logd: Allow flags "eng" and "svelte" in boolean 2015-12-22 07:44:31 -08:00

README.property

The properties that logd responds to are:

name                       type default  description
ro.logd.auditd             bool   true   Enable selinux audit daemon
ro.logd.auditd.dmesg       bool   true   selinux audit messages duplicated and
                                         sent on to dmesg log
persist.logd.security      bool   false  Enable security buffer.
ro.device_owner            bool   false  Override persist.logd.security to false
ro.logd.kernel             bool+ svelte+ Enable klogd daemon
ro.logd.statistics         bool+ svelte+ Enable logcat -S statistics.
ro.build.type              string        if user, logd.statistics &
                                         ro.logd.kernel default false.
persist.logd.logpersistd   string        Enable logpersist daemon, "logcatd"
                                         turns on logcat -f in logd context
persist.logd.size          number  ro    Global default size of the buffer for
                                         all log ids at initial startup, at
                                         runtime use: logcat -b all -G <value>
ro.logd.size               number svelte default for persist.logd.size. Larger
                                         platform default sizes than 256KB are
                                         known to not scale well under log spam
                                         pressure. Address the spam first,
                                         resist increasing the log buffer.
persist.logd.size.<buffer> number  ro    Size of the buffer for <buffer> log
ro.logd.size.<buffer>      number svelte default for persist.logd.size.<buffer>
ro.config.low_ram          bool   false  if true, logd.statistics, logd.kernel
                                         default false, logd.size 64K instead
                                         of 256K.
persist.logd.filter        string        Pruning filter to optimize content.
                                         At runtime use: logcat -P "<string>"
ro.logd.filter       string "~! ~1000/!" default for persist.logd.filter.
                                         This default means to prune the
                                         oldest entries of chattiest UID, and
                                         the chattiest PID of system
                                         (1000, or AID_SYSTEM).
persist.logd.timestamp     string  ro    The recording timestamp source.
                                         "m[onotonic]" is the only supported
                                         key character, otherwise realtime.
ro.logd.timestamp        string realtime default for persist.logd.timestamp
log.tag                   string persist The global logging level, VERBOSE,
                                         DEBUG, INFO, WARN, ERROR, ASSERT or
                                         SILENT. Only the first character is
                                         the key character.
persist.log.tag            string build  default for log.tag
log.tag.<tag>             string persist The <tag> specific logging level.
persist.log.tag.<tag>      string build  default for log.tag.<tag>

NB:
- bool+ - "true", "false" and comma separated list of "eng" (forced false if
  ro.build.type is "user") or "svelte" (forced false if ro.config.low_ram is
  true).
- svelte - see ro.config.low_ram for details.
- svelte+ - see ro.config.low_ram and ro.build.type for details.
- ro - <base property> temporary override, ro.<base property> platform default.
- persist - <base property> override, persist.<base property> platform default.
- build - VERBOSE for native, DEBUG for jvm isLoggable, or developer option.
- number - support multipliers (K or M) for convenience. Range is limited
  to between 64K and 256M for log buffer sizes. Individual log buffer ids
  such as main, system, ... override global default.
- Pruning filter is of form of a space-separated list of [~][UID][/PID]
  references, where '~' prefix means to blacklist otherwise whitelist. For
  blacklisting, UID or PID may be a '!' to instead reference the chattiest
  client, with the restriction that the PID must be in the UID group 1000
  (system or AID_SYSTEM).