diff options
author | Mark Salyzyn <salyzyn@google.com> | 2018-10-22 15:52:32 -0700 |
---|---|---|
committer | Mark Salyzyn <salyzyn@google.com> | 2018-10-22 16:11:02 -0700 |
commit | e81ede85c7f8cb98653487cab5844ab6e9fce28c (patch) | |
tree | abc6145808f6b1a5d3866c2ccd092780f0cf1cde /llkd | |
parent | 190fd10913c8073d7eea5117daaa77e6107bb612 (diff) | |
download | system_core-e81ede85c7f8cb98653487cab5844ab6e9fce28c.tar.gz system_core-e81ede85c7f8cb98653487cab5844ab6e9fce28c.tar.bz2 system_core-e81ede85c7f8cb98653487cab5844ab6e9fce28c.zip |
llkd: Skip apexd for process checks
apexd is a sensitive daemon, and the ability to ptrace this domain is
restricted by SELinux policy. apexd spawns a binder thread which
makes matching difficult, as we would instead need to use
/system/bin/apexd as the blacklist key.
Change llkd to also check for a match on the basename of the
executable path. This will solve a gotcha expectation when creating
a blacklist key.
Without this change, llkd continues to generate SELinux denials of
type=1400 audit(0.0:1764): avc: denied { ptrace } for comm="llkd" scontext=u:r:llkd:s0 tcontext=u:r:apexd:s0 tclass=process permissive=0
Commit 5390b9add4e567eeeeeabc3d39d588c21cb5d543 was originally intended
to fix these denials, but it seems to have had no effect and the denials
are still being generated. This change will fix it.
Test: none
Change-Id: I00aa10dfff30c65a120ad30582b820e2d4b1bb38
Diffstat (limited to 'llkd')
-rw-r--r-- | llkd/include/llkd.h | 4 | ||||
-rw-r--r-- | llkd/libllkd.cpp | 10 |
2 files changed, 10 insertions, 4 deletions
diff --git a/llkd/include/llkd.h b/llkd/include/llkd.h index 4d39dd917..2c62fca94 100644 --- a/llkd/include/llkd.h +++ b/llkd/include/llkd.h @@ -51,13 +51,13 @@ unsigned llkCheckMilliseconds(void); #define LLK_CHECK_STACK_DEFAULT "cma_alloc,__get_user_pages" #define LLK_BLACKLIST_PROCESS_PROPERTY "ro.llk.blacklist.process" #define LLK_BLACKLIST_PROCESS_DEFAULT \ - "0,1,2,init,[kthreadd],[khungtaskd],lmkd,lmkd.llkd,llkd,watchdogd,[watchdogd],[watchdogd/0]" + "0,1,2,init,[kthreadd],[khungtaskd],lmkd,llkd,watchdogd,[watchdogd],[watchdogd/0]" #define LLK_BLACKLIST_PARENT_PROPERTY "ro.llk.blacklist.parent" #define LLK_BLACKLIST_PARENT_DEFAULT "0,2,[kthreadd]" #define LLK_BLACKLIST_UID_PROPERTY "ro.llk.blacklist.uid" #define LLK_BLACKLIST_UID_DEFAULT "" #define LLK_BLACKLIST_STACK_PROPERTY "ro.llk.blacklist.process.stack" -#define LLK_BLACKLIST_STACK_DEFAULT "init,lmkd.llkd,llkd,keystore,/system/bin/keystore,ueventd,apexd" +#define LLK_BLACKLIST_STACK_DEFAULT "init,lmkd.llkd,llkd,keystore,ueventd,apexd" /* clang-format on */ __END_DECLS diff --git a/llkd/libllkd.cpp b/llkd/libllkd.cpp index 6840ed09b..2727aab94 100644 --- a/llkd/libllkd.cpp +++ b/llkd/libllkd.cpp @@ -712,6 +712,7 @@ bool llkCheckStack(proc* procp, const std::string& piddir) { if (llkSkipName(std::to_string(procp->pid), llkBlacklistStack)) return false; if (llkSkipName(procp->getComm(), llkBlacklistStack)) return false; if (llkSkipName(procp->getCmdline(), llkBlacklistStack)) return false; + if (llkSkipName(android::base::Basename(procp->getCmdline()), llkBlacklistStack)) return false; auto kernel_stack = ReadFile(piddir + "/stack"); if (kernel_stack.empty()) { @@ -995,13 +996,18 @@ milliseconds llkCheck(bool checkRunning) { if (llkSkipName(procp->getCmdline())) { break; } + if (llkSkipName(android::base::Basename(procp->getCmdline()))) { + break; + } auto pprocp = llkTidLookup(ppid); if (pprocp == nullptr) { pprocp = llkTidAlloc(ppid, ppid, 0, "", 0, '?'); } - if ((pprocp != nullptr) && (llkSkipName(pprocp->getComm(), llkBlacklistParent) || - llkSkipName(pprocp->getCmdline(), llkBlacklistParent))) { + if ((pprocp != nullptr) && + (llkSkipName(pprocp->getComm(), llkBlacklistParent) || + llkSkipName(pprocp->getCmdline(), llkBlacklistParent) || + llkSkipName(android::base::Basename(pprocp->getCmdline()), llkBlacklistParent))) { break; } |