In commit f4fc922f0b, we tightened the
permissions on various bin directories. Please see
https://android-review.googlesource.com/c/platform/system/core/+/822955
for details.
This change causes the Chase banking app to crash. This is because
the Chase app is using inotify_add_watch() on the /system/bin directory
and not checking the return value.
The Android Security model guarantees the immutability of files in
/system/bin, so the inotify watch is unnecessary.
Until the Chase app fixes their bug, we need to relax the permissions on
the /system/bin directory. Conceptually, this is a partial revert of
f4fc922f0b.
Bug: 119605322
Test: compiles
Change-Id: Ic72dd24cb27cff677093963bdfd0ae09bf132e08
Currently, /system/bin, /system/xbin, /product/bin, and /vendor/bin
are 0755, which allows any process to iterate through those
directories and list out the contents. For the vast majority of
processes, this is unnecessary. They only need to know whether a
particular binary exists or doesn't exist, but they don't need to
know the other binaries within those directories.
Allowing this is particularly problematic for SELinux. In particular,
some third party Android applications try to examine every file in
the bin directories, generating SELinux audit noise along the
way. This audit noise makes it harder to see real bugs, and falsely
implies an architectural dependency between the application and random
files in directories like /system/bin.
This change removes the ability to list the contents of the various bin
directories, preventing random probing by such apps. The ability to
execute files, or to probe a specific file by name, remain unchanged.
Addresses SELinux denials similar to the following:
avc: denied { getattr } for comm="Thread-11" path="/system/bin/atrace" dev="dm-0" ino=189 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:atrace_exec:s0 tclass=file permissive=0 app=uk.co.santander.santanderUK
avc: denied { getattr } for comm="Binder:26637_2" path="/system/bin/atrace" dev="dm-0" ino=168 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:atrace_exec:s0 tclass=file permissive=0 app=com.tencent.mm
avc: denied { getattr } for comm="Thread-12" path="/system/bin/apexd" dev="dm-0" ino=451 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:apexd_exec:s0 tclass=file permissive=1 app=com.grppl.android.shell.CMBlloydsTSB73
Shell access to these directories continues to be allowed, to allow for
host-side CTS tests.
Also adjust the indentation of some clang directives, to make the
presubmit hooks happy.
Test: Device boots and no apparent problems.
Change-Id: Ibe75682fac1983d39f3f479a5850ab5a96f6627d
Attempting to reduce the number of different spellings we have for
"product services" partition in the codebase.
Bug: 112431447
Test: m
Change-Id: I1a87d7e040a8b1f91f973ac7d90d6360b5b54f71
Merged-In: I1a87d7e040a8b1f91f973ac7d90d6360b5b54f71
This CL is largely and adaptation of
Ie996def20e25dc1afe0c74af2096af844934b2dc
Bug: 80741439
Test: Successfully built product-services.img with one module in it, and
flashed on device. Also successfully built image with
/system/product-services and no dedicated /product-services partition.
Change-Id: I1046dfe19bf874da929c9131b76a1f85422fbb80
This change removes the CAP_SYSLOG file based capability from bootstat,
since the intention is that it should not be accessing the logs in the
long term. In order to avoid bitrot, the fallback code that depends on
CAP_SYSLOG has also been removed.
Bug: 62845925
Test: system/core/bootstat/boot_reason_test.sh
Change-Id: I899be44ef3ac1c4d81072f801d55c928ae09bb15
This change moves logd's capabilities from being file based to being set
by init through ambient capabilities.
Bug: 62845925
Test: sailfish:/ # grep Cap /proc/`pidof logd`/status
CapInh: 0000000000000000
CapPrm: 0000000440000000
CapEff: 0000000440000000
CapBnd: 0000000440000040
CapAmb: 0000000000000000
$ capsh --decode=0x440000040
0x440000040=cap_setgid,cap_audit_control,cap_syslog
Test: liblog-unit-tests, logd-unit-tests, logcat-unit-tests
Change-Id: I28c7c4ad37ad5eafd399aef78c303ce31298a9ef
Normally, the whole configfs is mounted on /config and /config will be
word readable:
sailfish:/ $ ls -ld /config/*
drwxrwx--- 258 system package_info 0 2018-05-08 16:08 /config/sdcardfs
sailfish:/ $ ls -ld /config/
drwxr-xr-x 3 root root 0 1969-12-31 16:00 /config/
On ARC++, we only mount-bind config/sdcardfs, so it is important that
/config is set properly.
It is actually 0500, so system could not see /config/sdcardfs, even if
/config/sdcardfs is set properly:
Although root can, as system uid, we can not reach /config/sdcardfs:
:/ $ ls -ld /config
dr-x------ 3 root root 31 2018-05-02 21:56 /config
:/ $ ls -ld /config/sdcardfs
ls: /config/sdcardfs: Permission denied
With this change, system (and systemservice) is able to reach
/config/sdcardfs:
:/ $ ls -ld /config
dr-xr-xr-x 3 root root 31 2018-05-02 21:56 /config
:/ $ ls -ld /config/sdcardfs
drwxrwx--- 109 system package_info 0 2018-05-08 15:29 /config/sdcardfs
Bug: 63876697
Test: After change, package service is able to create the bindings in
/config/sdcardfs.
Change-Id: I7e9b99d7af2ad001fbb1b95bee35d494e861be78
Signed-off-by: Gwendal Grignou <gwendal@google.com>
Their capability bits are now specified in their associated init .rc
file, which is the proper place for this to be done.
A notice is added to guide developers away from using android_files to
give services Linux capabilities and to guide them away from adding
vendor/ entries.
Bug: 74554159
Test: BT, Wifi, Tethering work on walleye
Merged-In: I13c425d022b4f5c217587cdf601884ef44650ac7
Change-Id: I13c425d022b4f5c217587cdf601884ef44650ac7
(cherry picked from commit b5e5c56401)
Their capability bits are now specified in their associated init .rc
file, which is the proper place for this to be done.
A notice is added to guide developers away from using android_files to
give services Linux capabilities and to guide them away from adding
vendor/ entries.
Bug: 74554159
Test: BT, Wifi, Tethering work on walleye
Change-Id: I13c425d022b4f5c217587cdf601884ef44650ac7
This reverts commit 656b75c77c.
Capability bits are moving from fs_config.cpp to the associated init
scripts for daemons on /vendor.
Bug: 74554159
Test: wifi tethering works on walleye
This process is now spawned from the main app_process zygote, rather
than being its own binary launched by init.
Bug: 63749735
Test: m
Change-Id: I87e00197e1ce64d77b4c306fcd702c6ad778b236
This CL will enable reading /product/build.prop and add product paths
into ld.config.txt.in.
Bug: 64195575
Test: tested with 'PRODUCT_PRODUCT_PROPERTIES := ro.product.abc=abc' on
sailfish
Change-Id: Ie996def20e25dc1afe0c74af2096af844934b2dc
Just the minimial changes to get this to actually build, because otherwise
we always bog down trying to rewrite everything (when the real answer
is usually "stop using libcutils, it's awful").
This doesn't move a handful of files: two are basically just BSD libc
source, a couple have outstanding code reviews, and one can be deleted
(but I'll do that in a separate change).
I'm also skipping the presubmit hooks because otherwise clang-format
wants to reformat everything. I'll follow up with that...
Bug: N/A
Test: builds
Change-Id: I06403f465b67c8e493bad466dd76b1151eed5993
Adding functionality to bootstat --record_boot_complete and
--record_boot_reason to initialize sys.boot.reason, the canonical
system boot reason.
Filter out ro.boot.bootreason oem noise into sys.boot.reason. Add
heuristics to determine what the boot reason is, when otherwise would
be defaulting to the blunt and relatively devoid of detail catch-all
reboot reasons ("reboot", "shutdown", "cold", "warm", "hard").
boot_reason_test.sh is also a compliance test.
Test: boot_reason_test.sh all
Bug: 63736262
Change-Id: Ic9a42cccbcfc89a5c0e081ba66d577a97c8c8c76
/default.prop is moved to /system/etc/prop.default for full Treblized
devices. Modifies property_service to load it from there first.
In recovery mode, the file is renamed as /prop.default. This path is
tried if /system/etc/prop.default is not available.
Bug: 37815285
Test: Tested with ag/2419001. Booted pixel phones, checked the location
of prop.default, verified the symlink at /default.prop, checked a
few properties via adb shell and manually tested a few apps.
Booted to recovery and ran 'adb sideload' successfully.
Change-Id: I485231f21fc86b0aec58edf867e229a31e77d85e
/default.prop may be moved to /system/etc/ and renamed as prop.default.
/{system,vendor,odm}/build.prop may be moved to /{system,vendor,odm}/etc/
and renamed as prop.build.
This patch makes property_service load prop.* from the new locations
first. Also replaces NULL with nullptr for C++ cleanup.
Bug: 37815285
Test: Booted pixel phones, checked the locations of prop.*, verified
symlinks, checked a few properties (via adb shell getprop)
and manually tested a few apps (Camera, Maps etc).
ODM is not tested as it does not exist on the tested device.
Change-Id: Id8eeb3c1a5728dd04005dfad4733b8e6336f9093
For the known partitions entrenched in the build system: vendor, oem
and odm only. We will alias entries that reference system/<partition>
and <partition>/ so that if either are specified, the rule will apply
to both possible paths.
Test: gTest libcutils-tests
Bug: 37703469
Change-Id: Ida9405cbed323489a3d0599c1645e9be2c7b9d08
Private interface to permit testing only added to fs_config to
expose android_files and android_dirs.
Make sure that both paths to a partition are specified in fs_config
internal tables.
Test: gTest libcutils-unit-test --gtest_filter=fs_config.*
Bug: 37703469
Change-Id: Ida5fccdb786dc6d67325005d4fdd1fa1ffaef396
