be5e446791
In an effort to ensure that our development community does not introduce new code without corresponding SELinux changes, Android closely monitors the number of SELinux denials which occur during boot. This monitoring occurs both in treehugger, as well as various dashboards. If SELinux denials are dropped during early boot, this could result in non-determinism for the various SELinux treehugger tests. Introduce /system/bin/auditctl. This tool, modeled after https://linux.die.net/man/8/auditctl , allows for configuring the throttling rate for the kernel auditing system. Remove any throttling from early boot. This will hopefully reduce treehugger flakiness by making denial generation more predictable during early boot. Reapply the throttling at boot complete, to avoid denial of service attacks against the auditing subsystem. Delete pre-existing unittests for logd / SELinux integration. It's intended that all throttling decisions be made in the kernel, and shouldn't be a concern of logd. Bug: 118815957 Test: Perform an operation which generates lots of SELinux denials, and count how many occur before and after the time period. Change-Id: I6c787dbdd4a28208dc854b543e1727ae92e5eeed
// Copyright (C) 2017 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// This is what we want to do:
// event_logtags = $(shell
//   sed -n
//   "s/^\([0-9]*\)[ \t]*$1[ \t].*/-D`echo $1 | tr a-z A-Z`_LOG_TAG=\1/p"
//   $(LOCAL_PATH)/$2/event.logtags)
// event_flag := $(call event_logtags,auditd)
// event_flag += $(call event_logtags,logd)
// event_flag += $(call event_logtags,tag_def)
// so make sure we do not regret hard-coding it as follows:
//
// Each "-D<NAME>_LOG_TAG=<n>" below is the numeric event tag the sed recipe
// above would have extracted from event.logtags. The list is maintained by
// hand, so any change to event.logtags must be mirrored here.
event_flag = [
    "-DAUDITD_LOG_TAG=1003",
    "-DCHATTY_LOG_TAG=1004",
    "-DTAG_DEF_LOG_TAG=1005",
    "-DLIBLOG_LOG_TAG=1006",
]
// Core logd implementation, built as a static library so that both the logd
// daemon and the auditctl tool below can link it.
cc_library_static {
    name: "liblogd",

    srcs: [
        "LogCommand.cpp",
        "CommandListener.cpp",
        "LogListener.cpp",
        "LogReader.cpp",
        "FlushCommand.cpp",
        "LogBuffer.cpp",
        "LogBufferElement.cpp",
        "LogBufferInterface.cpp",
        "LogTimes.cpp",
        "LogStatistics.cpp",
        "LogWhiteBlackList.cpp",
        // libaudit.c is the only C source here; NOTE(review): presumably the
        // kernel audit socket interface that LogAudit.cpp and auditctl.cpp
        // share -- confirm against those sources.
        "libaudit.c",
        "LogAudit.cpp",
        "LogKlog.cpp",
        "LogTags.cpp",
    ],
    logtags: ["event.logtags"],

    shared_libs: ["libbase"],

    // Consumers (logd, auditctl) include liblogd headers from this directory.
    export_include_dirs: ["."],

    // event_flag provides the -D*_LOG_TAG definitions declared above.
    cflags: ["-Werror"] + event_flag,
}
// The logd daemon itself: main.cpp on top of liblogd, started by init via
// logd.rc.
cc_binary {
    name: "logd",
    init_rc: ["logd.rc"],

    srcs: ["main.cpp"],

    static_libs: [
        "liblog",
        "liblogd",
    ],

    shared_libs: [
        "libsysutils",
        "libcutils",
        "libbase",
        "libpackagelistparser",
        "libprocessgroup",
        // libcap: NOTE(review): presumably used by main.cpp to drop
        // capabilities after startup -- confirm against main.cpp.
        "libcap",
    ],

    cflags: ["-Werror"],
}
// Command-line tool for configuring the kernel audit subsystem's rate limit,
// modeled after auditctl(8) (see the commit message). The intent is to lift
// throttling during early boot so SELinux denial counts are deterministic for
// the treehugger tests, and to re-apply it at boot complete so the audit
// subsystem cannot be flooded.
//
// NOTE(review): because this binary can remove kernel audit throttling, the
// accompanying SELinux policy should restrict which domains may execute it;
// that policy is not part of this file -- confirm separately.
cc_binary {
    name: "auditctl",

    srcs: ["auditctl.cpp"],

    // NOTE(review): presumably pulled in for libaudit.c (part of liblogd);
    // confirm auditctl.cpp does not otherwise depend on the logd daemon code.
    static_libs: [
        "liblogd",
    ],

    shared_libs: ["libbase"],

    // Stricter than the other modules in this file (-Wall -Wextra -Wconversion
    // in addition to -Werror); keep it that way for new code.
    cflags: [
        "-Wall",
        "-Wextra",
        "-Werror",
        "-Wconversion"
    ],
}
// Installs the logtagd init script under the etc/init sub-directory so init
// picks it up alongside logd.rc.
prebuilt_etc {
    name: "logtagd.rc",
    src: "logtagd.rc",
    sub_dir: "init",
}