author | Nick Kralevich <nnk@google.com> | 2017-02-15 15:12:31 -0800 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2017-05-24 17:22:50 +0000 |
commit | 6b7bffbe57d0daf17298462413a62791e3c6a51e (patch) | |
tree | 5f803d1dbbf68556eb5cc57d68177d1308c76bcc | |
parent | de7cc6b147e66c041bd54ace9c98c20d6ba170f2 (diff) | |
download | base-6b7bffbe57d0daf17298462413a62791e3c6a51e.tar.gz |
system_server: add CAP_SYS_PTRACE

Commit https://android.googlesource.com/kernel/common/+/f0ce0eee added
CAP_SYS_RESOURCE as a capability check which would allow access to
sensitive /proc/PID files. system_server uses this capability to collect
smaps from managed processes. Presumably this was done to avoid the
implications of granting CAP_SYS_PTRACE to system_server.

However, with SELinux enforcement, we can grant CAP_SYS_PTRACE but not
allow ptrace attach() to other processes. The net result of this is that
CAP_SYS_PTRACE and CAP_SYS_RESOURCE have identical security controls, as
long as system_server:process ptrace is never granted.

Add CAP_SYS_PTRACE to the set of capabilities granted to system_server.
Don't delete CAP_SYS_RESOURCE for now. SELinux has blocked the use of
CAP_SYS_RESOURCE, but we still want to generate audit logs if it's
triggered. CAP_SYS_RESOURCE can be deleted in a future commit.

Bug: 34951864
Bug: 38496951
Test: Device boots, functionality remains identical, no sys_resource
denials from system_server.
Change-Id: I2570266165396dba2b600eac7c42c94800d9c65b
(cherry picked from commit 3082eb7c7253c62a06aa151a80487a4eabd49914)
(cherry picked from commit 966619d0ab6950fb6c90127b47d493b4c8617878)
-rw-r--r-- | core/java/com/android/internal/os/ZygoteInit.java | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/core/java/com/android/internal/os/ZygoteInit.java b/core/java/com/android/internal/os/ZygoteInit.java index 85fc8b0adec8..d83277ce2eca 100644 --- a/core/java/com/android/internal/os/ZygoteInit.java +++ b/core/java/com/android/internal/os/ZygoteInit.java @@ -644,6 +644,7 @@ public class ZygoteInit { OsConstants.CAP_NET_RAW, OsConstants.CAP_SYS_MODULE, OsConstants.CAP_SYS_NICE, + OsConstants.CAP_SYS_PTRACE, OsConstants.CAP_SYS_RESOURCE, OsConstants.CAP_SYS_TIME, OsConstants.CAP_SYS_TTY_CONFIG |
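Review bot: The added `OsConstants.CAP_SYS_PTRACE` entry in the ZygoteInit capability list has no comment recording the condition that makes it safe. Per the commit message, the grant is equivalent to CAP_SYS_RESOURCE only while SELinux never allows `system_server:process ptrace`, and nothing in this hunk tells a later reader of the list that the capability depends on that policy invariant. Suggest a one-line comment next to the new entry stating that it is used for reading /proc/PID smaps and that ptrace attach must stay denied by policy, and backing the invariant with a neverallow rule in sepolicy so a future policy change fails the build instead of silently turning this into a usable ptrace capability. The retained `OsConstants.CAP_SYS_RESOURCE` line would also benefit from a TODO referencing the bug, since the message says it is kept only to generate audit logs and is meant to be deleted in a later commit.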