Enable hidepid=2 on /proc Add the following mount options to the /proc filesystem: hidepid=2,gid=3009 This change blocks /proc access unless you're in group 3009 (aka AID_READPROC). Please see https://github.com/torvalds/linux/blob/master/Documentation/filesystems/proc.txt for documentation on the hidepid option. hidepid=2 is preferred over hidepid=1 since it leaks less information and doesn't generate SELinux ptrace denials when trying to access /proc without being in the proper group. Add AID_READPROC to processes which need to access /proc entries for other UIDs. Bug: 23310674 Change-Id: I22bb55ff7b80ff722945e224845215196f09dafa

commit: e08eb02e1240d187c5a0ac273640bcb1466e2eb7 [log] [tgz]
author: Nick Kralevich <nnk@google.com> Sat Nov 07 16:52:17 2015 -0800
committer: Nick Kralevich <nnk@google.com> Mon Nov 09 09:08:46 2015 -0800
tree: a5fca3ab71e1856a75e995c1d8ec81dc55bd56e1
parent: 2e093e74e536ee16cba9e78fc8744d373a0ce092 [diff]
diff --git a/adb/daemon/main.cpp b/adb/daemon/main.cpp
index 8c3ca63..b8d758f 100644
--- a/adb/daemon/main.cpp
+++ b/adb/daemon/main.cpp

@@ -142,9 +142,11 @@
     // AID_SDCARD_R to allow reading from the SD card
     // AID_SDCARD_RW to allow writing to the SD card
     // AID_NET_BW_STATS to read out qtaguid statistics
+    // AID_READPROC for reading /proc entries across UID boundaries
     gid_t groups[] = {AID_ADB,      AID_LOG,       AID_INPUT,
                       AID_INET,     AID_NET_BT,    AID_NET_BT_ADMIN,
-                      AID_SDCARD_R, AID_SDCARD_RW, AID_NET_BW_STATS};
+                      AID_SDCARD_R, AID_SDCARD_RW, AID_NET_BW_STATS,
+                      AID_READPROC };
     if (setgroups(sizeof(groups) / sizeof(groups[0]), groups) != 0) {
         PLOG(FATAL) << "Could not set supplental groups";
     }

diff --git a/debuggerd/debuggerd.rc b/debuggerd/debuggerd.rc
index 4be2e5d..e43fe96 100644
--- a/debuggerd/debuggerd.rc
+++ b/debuggerd/debuggerd.rc

@@ -1,3 +1,4 @@
 service debuggerd /system/bin/debuggerd
     class main
+    group root readproc
     writepid /dev/cpuset/system-background/tasks

diff --git a/debuggerd/debuggerd64.rc b/debuggerd/debuggerd64.rc
index c6e7bf2..35b5af3 100644
--- a/debuggerd/debuggerd64.rc
+++ b/debuggerd/debuggerd64.rc

@@ -1,3 +1,4 @@
 service debuggerd64 /system/bin/debuggerd64
     class main
+    group root readproc
     writepid /dev/cpuset/system-background/tasks

diff --git a/include/private/android_filesystem_config.h b/include/private/android_filesystem_config.h
index c7eb34b..e2133e9 100644
--- a/include/private/android_filesystem_config.h
+++ b/include/private/android_filesystem_config.h

@@ -101,6 +101,7 @@
 #define AID_NET_BW_STATS  3006  /* read bandwidth statistics */
 #define AID_NET_BW_ACCT   3007  /* change bandwidth statistics accounting */
 #define AID_NET_BT_STACK  3008  /* bluetooth: access config files */
+#define AID_READPROC      3009  /* Allow /proc read access */
 
 /* The range 5000-5999 is also reserved for OEM, and must never be used here. */
 #define AID_OEM_RESERVED_2_START 5000
@@ -191,6 +192,7 @@
     { "net_bw_stats",  AID_NET_BW_STATS, },
     { "net_bw_acct",   AID_NET_BW_ACCT, },
     { "net_bt_stack",  AID_NET_BT_STACK, },
+    { "readproc",      AID_READPROC, },
 
     { "everybody",     AID_EVERYBODY, },
     { "misc",          AID_MISC, },

diff --git a/init/init.cpp b/init/init.cpp
index a898b03..49ec509 100644
--- a/init/init.cpp
+++ b/init/init.cpp

@@ -546,7 +546,8 @@
         mkdir("/dev/pts", 0755);
         mkdir("/dev/socket", 0755);
         mount("devpts", "/dev/pts", "devpts", 0, NULL);
-        mount("proc", "/proc", "proc", 0, NULL);
+        #define MAKE_STR(x) __STRING(x)
+        mount("proc", "/proc", "proc", 0, "hidepid=2,gid=" MAKE_STR(AID_READPROC));
         mount("sysfs", "/sys", "sysfs", 0, NULL);
     }
 

diff --git a/lmkd/lmkd.rc b/lmkd/lmkd.rc
index 7d6cb11..3bb84ab 100644
--- a/lmkd/lmkd.rc
+++ b/lmkd/lmkd.rc

@@ -1,5 +1,6 @@
 service lmkd /system/bin/lmkd
     class core
+    group root readproc
     critical
     socket lmkd seqpacket 0660 system system
     writepid /dev/cpuset/system-background/tasks

diff --git a/logd/logd.rc b/logd/logd.rc
index ecd2f0a..10f3553 100644
--- a/logd/logd.rc
+++ b/logd/logd.rc

@@ -3,7 +3,7 @@
     socket logd stream 0666 logd logd
     socket logdr seqpacket 0666 logd logd
     socket logdw dgram 0222 logd logd
-    group root system
+    group root system readproc
     writepid /dev/cpuset/system-background/tasks
 
 service logd-reinit /system/bin/logd --reinit

diff --git a/logd/main.cpp b/logd/main.cpp
index ad577d2..8e75b37 100644
--- a/logd/main.cpp
+++ b/logd/main.cpp

@@ -106,7 +106,9 @@
         return -1;
     }
 
-    if (setgroups(0, NULL) == -1) {
+    gid_t groups[] = { AID_READPROC };
+
+    if (setgroups(sizeof(groups) / sizeof(groups[0]), groups) == -1) {
         return -1;
     }
 

diff --git a/rootdir/init.rc b/rootdir/init.rc
index b80c454..17e87da 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc

@@ -556,7 +556,7 @@
     console
     disabled
     user shell
-    group shell log
+    group shell log readproc
     seclabel u:r:shell:s0
 
 on property:ro.debuggable=1
commit	e08eb02e1240d187c5a0ac273640bcb1466e2eb7	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Sat Nov 07 16:52:17 2015 -0800
committer	Nick Kralevich <nnk@google.com>	Mon Nov 09 09:08:46 2015 -0800
tree	a5fca3ab71e1856a75e995c1d8ec81dc55bd56e1
parent	2e093e74e536ee16cba9e78fc8744d373a0ce092 [diff]