From c403ce809747090e959cfb1ea83583d19a19984d Mon Sep 17 00:00:00 2001 From: Nick Kralevich Date: Wed, 15 Feb 2017 15:12:31 -0800 Subject: system_server: add CAP_SYS_PTRACE Commit https://android.googlesource.com/kernel/common/+/f0ce0eee added CAP_SYS_RESOURCE as a capability check which would allow access to sensitive /proc/PID files. system_server uses this capability to collect smaps from managed processes. Presumably this was done to avoid the implications of granting CAP_SYS_PTRACE to system_server. However, with SELinux enforcement, we can grant CAP_SYS_PTRACE but not allow ptrace attach() to other processes. The net result of this is that CAP_SYS_PTRACE and CAP_SYS_RESOURCE have identical security controls, as long as system_server:process ptrace is never granted. Add CAP_SYS_PTRACE to the set of capabilities granted to system_server. Don't delete CAP_SYS_RESOURCE for now. SELinux has blocked the use of CAP_SYS_RESOURCE, but we still want to generate audit logs if it's triggered. CAP_SYS_RESOURCE can be deleted in a future commit. Bug: 34951864 Bug: 38496951 Test: Device boots, functionality remains identical, no sys_resource denials from system_server. Change-Id: I2570266165396dba2b600eac7c42c94800d9c65b (cherry picked from commit 3082eb7c7253c62a06aa151a80487a4eabd49914) (cherry picked from commit 966619d0ab6950fb6c90127b47d493b4c8617878) --- core/java/com/android/internal/os/ZygoteInit.java | 1 + 1 file changed, 1 insertion(+) diff --git a/core/java/com/android/internal/os/ZygoteInit.java b/core/java/com/android/internal/os/ZygoteInit.java index 59283bb2e2e..9114b347373 100644 --- a/core/java/com/android/internal/os/ZygoteInit.java +++ b/core/java/com/android/internal/os/ZygoteInit.java @@ -501,6 +501,7 @@ public class ZygoteInit { OsConstants.CAP_NET_RAW, OsConstants.CAP_SYS_MODULE, OsConstants.CAP_SYS_NICE, + OsConstants.CAP_SYS_PTRACE, OsConstants.CAP_SYS_RESOURCE, OsConstants.CAP_SYS_TIME, OsConstants.CAP_SYS_TTY_CONFIG -- cgit v1.2.3