diff options
| author | Nick Kralevich <nnk@google.com> | 2017-02-15 15:12:31 -0800 |
|---|---|---|
| committer | Nick Kralevich <nnk@google.com> | 2017-02-15 15:12:31 -0800 |
| commit | 3082eb7c7253c62a06aa151a80487a4eabd49914 (patch) | |
| tree | e5abbf2253e6f518a60f8be874a636c101153e44 /tools/aapt2/diff/Diff.cpp | |
| parent | 4211358c7448147388c5e4af3e0e5472def83a3b (diff) | |
system_server: add CAP_SYS_PTRACE
Commit https://android.googlesource.com/kernel/common/+/f0ce0eee added
CAP_SYS_RESOURCE as a capability check which would allow access to
sensitive /proc/PID files. system_server uses this capability to collect
smaps from managed processes. Presumably this was done to avoid the
implications of granting CAP_SYS_PTRACE to system_server.
However, with SELinux enforcement, we can grant CAP_SYS_PTRACE but not
allow ptrace attach() to other processes. The net result of this is that
CAP_SYS_PTRACE and CAP_SYS_RESOURCE have identical security controls, as
long as system_server:process ptrace is never granted.
Add CAP_SYS_PTRACE to the set of capabilities granted to system_server.
Don't delete CAP_SYS_RESOURCE for now. SELinux has blocked the use of
CAP_SYS_RESOURCE, but we still want to generate audit logs if it's
triggered. CAP_SYS_RESOURCE can be deleted in a future commit.
Bug: 34951864
Test: Device boots, functionality remains identical, no sys_resource
denials from system_server.
Change-Id: I2570266165396dba2b600eac7c42c94800d9c65b
Diffstat (limited to 'tools/aapt2/diff/Diff.cpp')
0 files changed, 0 insertions, 0 deletions