
Commit 0d2a1dcb authored by Mark Salyzyn's avatar Mark Salyzyn

logd: set executable's capabilities in file system

Add CAP_SYSLOG, CAP_AUDIT_CONTROL and CAP_SETGID, set
uid and gid to AID_LOGD, and permissions user and group
read and execute only.

Fix up indents in table for clarity.

Test: gTest logd-unit-tests, liblog-unit-tests and logcat-unit-tests
      Manually inspect owner and group for /system/bin/logd
Bug: 32450474
Change-Id: I5183ab200dbcd13efb0727cb91db5b12018ae804
parent e0b8ccd1
+19 −7
@@ -139,23 +139,35 @@ static const struct fs_path_config android_files[] = {
    { 06755, AID_ROOT,      AID_ROOT,      0, "system/xbin/procmem" },

    /* the following files have enhanced capabilities and ARE included in user builds. */
    { 00750, AID_ROOT,      AID_SHELL,     CAP_MASK_LONG(CAP_SETUID) | CAP_MASK_LONG(CAP_SETGID), "system/bin/run-as" },
    { 00700, AID_SYSTEM,    AID_SHELL,     CAP_MASK_LONG(CAP_BLOCK_SUSPEND), "system/bin/inputflinger" },
    { 00550, AID_LOGD,      AID_LOGD,      CAP_MASK_LONG(CAP_SYSLOG) |
                                           CAP_MASK_LONG(CAP_AUDIT_CONTROL) |
                                           CAP_MASK_LONG(CAP_SETGID),
                                              "system/bin/logd" },
    { 00750, AID_ROOT,      AID_SHELL,     CAP_MASK_LONG(CAP_SETUID) |
                                           CAP_MASK_LONG(CAP_SETGID),
                                              "system/bin/run-as" },
    { 00700, AID_SYSTEM,    AID_SHELL,     CAP_MASK_LONG(CAP_BLOCK_SUSPEND),
                                              "system/bin/inputflinger" },

    /* Support hostapd administering a network interface. */
    { 00755, AID_WIFI,      AID_WIFI,      CAP_MASK_LONG(CAP_NET_ADMIN) |
                                          CAP_MASK_LONG(CAP_NET_RAW),    "system/bin/hostapd" },
                                           CAP_MASK_LONG(CAP_NET_RAW),
                                              "system/bin/hostapd" },

    /* Support wifi_hal_legacy administering a network interface. */
    { 00755, AID_WIFI,      AID_WIFI,     CAP_MASK_LONG(CAP_NET_ADMIN) | CAP_MASK_LONG(CAP_NET_RAW),    "system/bin/hw/android.hardware.wifi@1.0-service" },
    { 00755, AID_WIFI,      AID_WIFI,      CAP_MASK_LONG(CAP_NET_ADMIN) |
                                           CAP_MASK_LONG(CAP_NET_RAW),
                                              "system/bin/hw/android.hardware.wifi@1.0-service" },

    /* A non-privileged zygote that spawns isolated processes for web rendering. */
    { 0750,  AID_ROOT,      AID_ROOT,      CAP_MASK_LONG(CAP_SETUID) |
                                           CAP_MASK_LONG(CAP_SETGID) |
                                           CAP_MASK_LONG(CAP_SETPCAP), "system/bin/webview_zygote32" },
                                           CAP_MASK_LONG(CAP_SETPCAP),
                                              "system/bin/webview_zygote32" },
    { 0750,  AID_ROOT,      AID_ROOT,      CAP_MASK_LONG(CAP_SETUID) |
                                           CAP_MASK_LONG(CAP_SETGID) |
                                           CAP_MASK_LONG(CAP_SETPCAP), "system/bin/webview_zygote64" },
                                           CAP_MASK_LONG(CAP_SETPCAP),
                                              "system/bin/webview_zygote64" },

    { 00750, AID_ROOT,      AID_ROOT,      0, "system/bin/uncrypt" },
    { 00750, AID_ROOT,      AID_ROOT,      0, "system/bin/install-recovery.sh" },
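Review bot: The new `system/bin/logd` entry makes AID_LOGD the owner of a binary that carries CAP_SYSLOG, CAP_AUDIT_CONTROL and CAP_SETGID, whereas `run-as` and the webview zygotes in the same table stay owned by AID_ROOT and grant access through the group. Mode 00550 has no write bit, but a file's owner can still change its mode, so the restriction rests on /system being read-only and on SELinux policy, neither of which is visible in this hunk. If init executes logd with gid AID_LOGD (presumably, not shown here), `{ 00550, AID_ROOT, AID_LOGD, ...` would keep it executable for the service while removing that ownership. The entry also has no rationale comment like the hostapd and webview_zygote ones; a line such as `/* logd runs as AID_LOGD; needs kernel log, audit control and group setup. */` would record why the three capabilities are granted, with the wording confirmed against logd's startup code.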