Merge "Set groups before dropping privileges." into nyc-dev

1 files changed, 10 insertions, 2 deletions

diff --git a/debuggerd/debuggerd.cpp b/debuggerd/debuggerd.cpp
index b90a5e00c..908af107a 100644
--- a/debuggerd/debuggerd.cpp
+++ b/debuggerd/debuggerd.cpp
@@ -513,13 +513,21 @@ static bool perform_dump(const debugger_request_t& request, int fd, int tombston
 }
 
 static bool drop_privileges() {
+  // AID_LOG: for reading the logs data associated with the crashing process.
+  // AID_READPROC: for reading /proc/<PID>/{comm,cmdline}.
+  gid_t groups[] = { AID_DEBUGGERD, AID_LOG, AID_READPROC };
+  if (setgroups(sizeof(groups)/sizeof(groups[0]), groups) != 0) {
+    ALOGE("debuggerd: failed to setgroups: %s", strerror(errno));
+    return false;
+  }
+
   if (setresgid(AID_DEBUGGERD, AID_DEBUGGERD, AID_DEBUGGERD) != 0) {
-    ALOGE("debuggerd: failed to setresgid");
+    ALOGE("debuggerd: failed to setresgid: %s", strerror(errno));
     return false;
   }
 
   if (setresuid(AID_DEBUGGERD, AID_DEBUGGERD, AID_DEBUGGERD) != 0) {
-    ALOGE("debuggerd: failed to setresuid");
+    ALOGE("debuggerd: failed to setresuid: %s", strerror(errno));
     return false;
   }