Loading logd/Android.mk +2 −1 Original line number Diff line number Diff line Loading @@ -28,7 +28,8 @@ LOCAL_SHARED_LIBRARIES := \ liblog \ libcutils \ libbase \ libpackagelistparser libpackagelistparser \ libminijail # This is what we want to do: # event_logtags = $(shell \ Loading logd/main.cpp +11 −38 Original line number Diff line number Diff line Loading @@ -36,12 +36,15 @@ #include <cstdbool> #include <memory> #include <android-base/macros.h> #include <cutils/properties.h> #include <cutils/sched_policy.h> #include <cutils/sockets.h> #include <libminijail.h> #include <log/event_tag_map.h> #include <packagelistparser/packagelistparser.h> #include <private/android_filesystem_config.h> #include <scoped_minijail.h> #include <utils/threads.h> #include "CommandListener.h" Loading @@ -65,7 +68,7 @@ // EACCESS if started without precautions (below) // // Here is a cookbook procedure for starting up logd manually assuming // init is out of the way, pedantically all permissions and selinux // init is out of the way, pedantically all permissions and SELinux // security is put back in place: // // setenforce 0 Loading Loading @@ -102,43 +105,13 @@ static int drop_privs() { return -1; } if (prctl(PR_SET_KEEPCAPS, 1) < 0) { return -1; } gid_t groups[] = { AID_READPROC }; if (setgroups(sizeof(groups) / sizeof(groups[0]), groups) == -1) { return -1; } if (setgid(AID_LOGD) != 0) { return -1; } if (setuid(AID_LOGD) != 0) { return -1; } struct __user_cap_header_struct capheader; struct __user_cap_data_struct capdata[2]; memset(&capheader, 0, sizeof(capheader)); memset(&capdata, 0, sizeof(capdata)); capheader.version = _LINUX_CAPABILITY_VERSION_3; capheader.pid = 0; capdata[CAP_TO_INDEX(CAP_SYSLOG)].permitted = CAP_TO_MASK(CAP_SYSLOG); capdata[CAP_TO_INDEX(CAP_AUDIT_CONTROL)].permitted |= CAP_TO_MASK(CAP_AUDIT_CONTROL); capdata[0].effective = capdata[0].permitted; capdata[1].effective = capdata[1].permitted; capdata[0].inheritable = 0; capdata[1].inheritable = 0; if (capset(&capheader, &capdata[0]) < 0) { return -1; } ScopedMinijail j(minijail_new()); minijail_set_supplementary_gids(j.get(), arraysize(groups), groups); minijail_change_uid(j.get(), AID_LOGD); minijail_change_gid(j.get(), AID_LOGD); minijail_use_caps(j.get(), CAP_TO_MASK(CAP_SYSLOG) | CAP_TO_MASK(CAP_AUDIT_CONTROL)); minijail_enter(j.get()); return 0; } Loading Loading
logd/Android.mk +2 −1 Original line number Diff line number Diff line Loading @@ -28,7 +28,8 @@ LOCAL_SHARED_LIBRARIES := \ liblog \ libcutils \ libbase \ libpackagelistparser libpackagelistparser \ libminijail # This is what we want to do: # event_logtags = $(shell \ Loading
logd/main.cpp +11 −38 Original line number Diff line number Diff line Loading @@ -36,12 +36,15 @@ #include <cstdbool> #include <memory> #include <android-base/macros.h> #include <cutils/properties.h> #include <cutils/sched_policy.h> #include <cutils/sockets.h> #include <libminijail.h> #include <log/event_tag_map.h> #include <packagelistparser/packagelistparser.h> #include <private/android_filesystem_config.h> #include <scoped_minijail.h> #include <utils/threads.h> #include "CommandListener.h" Loading @@ -65,7 +68,7 @@ // EACCESS if started without precautions (below) // // Here is a cookbook procedure for starting up logd manually assuming // init is out of the way, pedantically all permissions and selinux // init is out of the way, pedantically all permissions and SELinux // security is put back in place: // // setenforce 0 Loading Loading @@ -102,43 +105,13 @@ static int drop_privs() { return -1; } if (prctl(PR_SET_KEEPCAPS, 1) < 0) { return -1; } gid_t groups[] = { AID_READPROC }; if (setgroups(sizeof(groups) / sizeof(groups[0]), groups) == -1) { return -1; } if (setgid(AID_LOGD) != 0) { return -1; } if (setuid(AID_LOGD) != 0) { return -1; } struct __user_cap_header_struct capheader; struct __user_cap_data_struct capdata[2]; memset(&capheader, 0, sizeof(capheader)); memset(&capdata, 0, sizeof(capdata)); capheader.version = _LINUX_CAPABILITY_VERSION_3; capheader.pid = 0; capdata[CAP_TO_INDEX(CAP_SYSLOG)].permitted = CAP_TO_MASK(CAP_SYSLOG); capdata[CAP_TO_INDEX(CAP_AUDIT_CONTROL)].permitted |= CAP_TO_MASK(CAP_AUDIT_CONTROL); capdata[0].effective = capdata[0].permitted; capdata[1].effective = capdata[1].permitted; capdata[0].inheritable = 0; capdata[1].inheritable = 0; if (capset(&capheader, &capdata[0]) < 0) { return -1; } ScopedMinijail j(minijail_new()); minijail_set_supplementary_gids(j.get(), arraysize(groups), groups); minijail_change_uid(j.get(), AID_LOGD); minijail_change_gid(j.get(), AID_LOGD); minijail_use_caps(j.get(), CAP_TO_MASK(CAP_SYSLOG) | CAP_TO_MASK(CAP_AUDIT_CONTROL)); minijail_enter(j.get()); return 0; } Loading
