From 028437445eb21850fd35d6afc5aee31206b93d8f Mon Sep 17 00:00:00 2001
From: Janis Danisevskis
Date: Mon, 15 Mar 2021 09:17:58 -0700
Subject: [PATCH] Keystore 2.0: Add keystore2 to llkd ignore list.

Due to Keystore's handling of sensitive information we cannot allow any other process ptrace privileges over Keystore. To silence SELinux denials llkd must ignore the keystore process. This CL adds keystore2 to the ignore list because it replaces keystore. In a followup the keystore entry will be removed.

Bug: 170144267
Test: N/A
Change-Id: I28eafc1f4341cdd371ad78d3a7a9ba8ac128c1b1
---
 llkd/README.md | 2 +-
 llkd/include/llkd.h | 2 +-
 llkd/libllkd.cpp | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/llkd/README.md b/llkd/README.md
index 6f92f1474..9bcf806b5 100644
--- a/llkd/README.md
+++ b/llkd/README.md
@@ -207,7 +207,7 @@ Comma-separated list of uid numbers or names. Default is empty or false.
 The `llkd` does not monitor the specified subset of processes for live lock
 stack signatures. Default is process names
-`init,lmkd.llkd,llkd,keystore,ueventd,apexd,logd`. Prevents the sepolicy
+`init,lmkd.llkd,llkd,keystore,keystore2,ueventd,apexd,logd`. Prevents the sepolicy
 violation associated with processes that block `ptrace` (as these can't be
 checked). **Active only on userdebug and eng builds**. For details on build
 types, refer to [Building Android](/setup/build/building#choose-a-target).
diff --git a/llkd/include/llkd.h b/llkd/include/llkd.h
index 4b20a56da..0822a3e2b 100644
--- a/llkd/include/llkd.h
+++ b/llkd/include/llkd.h
@@ -60,7 +60,7 @@ unsigned llkCheckMilliseconds(void);
 #define LLK_IGNORELIST_UID_PROPERTY "ro.llk.ignorelist.uid"
 #define LLK_IGNORELIST_UID_DEFAULT ""
 #define LLK_IGNORELIST_STACK_PROPERTY "ro.llk.ignorelist.process.stack"
-#define LLK_IGNORELIST_STACK_DEFAULT "init,lmkd.llkd,llkd,keystore,ueventd,apexd"
+#define LLK_IGNORELIST_STACK_DEFAULT "init,lmkd.llkd,llkd,keystore,keystore2,ueventd,apexd"
 /* clang-format on */
 
 __END_DECLS
diff --git a/llkd/libllkd.cpp b/llkd/libllkd.cpp
index 9f3e21829..b3101f4c7 100644
--- a/llkd/libllkd.cpp
+++ b/llkd/libllkd.cpp
@@ -115,8 +115,8 @@ std::unordered_map> llkIgnorelistPa
 // list of uids, and uid names, to skip, default nothing
 std::unordered_set llkIgnorelistUid;
 #ifdef __PTRACE_ENABLED__
-// list of names to skip stack checking. "init", "lmkd", "llkd", "keystore" or
-// "logd" (if not userdebug).
+// list of names to skip stack checking. "init", "lmkd", "llkd", "keystore",
+// "keystore2", or "logd" (if not userdebug).
 std::unordered_set llkIgnorelistStack;
 #endif
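Review bot: The new `LLK_IGNORELIST_STACK_DEFAULT` value is now the third hand-maintained copy of the ignore list (the README default on the first line of the patch and the comment in the libllkd.cpp hunk are the others), and the follow-up the commit message promises, dropping `keystore`, has to reach all three or they drift apart. I would have the libllkd.cpp comment refer to the macro instead of re-listing names, e.g. `// list of process names to skip stack checking; defaults to LLK_IGNORELIST_STACK_DEFAULT (llkd.h), plus "logd" when not userdebug.`, so the names live in one place. This define also appears to be only the fallback for `ro.llk.ignorelist.process.stack` (the property/default pairing is visible in the hunk, the lookup that applies it is not), so a device that sets that property without `keystore2` would reinstate the ptrace attempts against keystore2 this change is meant to silence. A one-line comment above the define such as `/* processes that deny ptrace (keystore, keystore2) must stay in this list and in any property override */` would make that constraint visible to whoever edits the property.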