Enable hidepid=2 on /proc
Add the following mount options to the /proc filesystem:

hidepid=2,gid=3009

This change blocks /proc access unless you're in group 3009 (aka AID_READPROC). Please see https://github.com/torvalds/linux/blob/master/Documentation/filesystems/proc.txt for documentation on the hidepid option.

hidepid=2 is preferred over hidepid=1 since it leaks less information and doesn't generate SELinux ptrace denials when trying to access /proc without being in the proper group.

Add AID_READPROC to processes which need to access /proc entries for other UIDs.

Bug: 23310674
Change-Id: I22bb55ff7b80ff722945e224845215196f09dafa
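An added check for the mount option the commit message describes (example code, not part of this commit or of AOSP): it parses /proc/mounts-formatted text, constructed here as samples, and reports whether /proc carries hidepid=2 with gid=3009, treating hidepid=1, a missing gid= or a wrong gid as findings. The newer kernel spellings noaccess/invisible/ptraceable are mapped to the numeric levels.

```python
# Constructed /proc/mounts samples (not captured from a device): one open, one hardened.
WEAK_MOUNTS = """\
rootfs / rootfs ro,seclabel 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,seclabel,relatime 0 0
"""
HARDENED_MOUNTS = WEAK_MOUNTS.replace(
    "proc /proc proc rw,relatime 0 0",
    "proc /proc proc rw,relatime,hidepid=2,gid=3009 0 0",
)

AID_READPROC = 3009  # gid named in the commit message

# Linux 5.8+ accepts names for the hidepid levels; normalise them to the numbers.
HIDEPID_LEVELS = {"0": "0", "1": "1", "2": "2",
                  "noaccess": "1", "invisible": "2", "ptraceable": "4"}


def parse_mounts(text):
    """Return {mountpoint: {option: value}} from /proc/mounts-formatted text."""
    mounts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # not a mount record
        opts = {}
        for opt in parts[3].split(","):
            key, _, val = opt.partition("=")
            opts[key] = val
        mounts[parts[1]] = opts
    return mounts


def check_proc_hidepid(text, expected_gid=AID_READPROC):
    """Return findings for the /proc mount; an empty list means it matches the commit's intent."""
    opts = parse_mounts(text).get("/proc")
    if opts is None:
        return ["no /proc mount found"]
    findings = []
    level = HIDEPID_LEVELS.get(opts.get("hidepid", "0"), "?")
    if level == "0":
        findings.append("hidepid not set: any user can read other users' /proc/<pid>")
    elif level == "1":
        findings.append("hidepid=1: other users' /proc/<pid> stay visible; commit prefers 2")
    elif level == "?":
        findings.append("unrecognised hidepid value: " + opts["hidepid"])
    gid = opts.get("gid")
    if gid is None:
        findings.append("no gid= option: no group is exempted from hidepid")
    elif gid != str(expected_gid):
        findings.append("gid=%s, expected %d (AID_READPROC)" % (gid, expected_gid))
    return findings
```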
parent 7fedfc9570
commit 86ccd4ad3f
lmkd.rc
@ -1,5 +1,6 @@
service lmkd /system/bin/lmkd
    class core
    group root readproc
    critical
    socket lmkd seqpacket 0660 system system
    writepid /dev/cpuset/system-background/tasks
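Review bot: the mount option change the message describes (hidepid=2,gid=3009 on /proc) is not part of this diff, which only adds `group root readproc` to the lmkd service; the lmkd.rc change should land together with, or reference, the init.rc/fstab change that actually sets the option, and the `readproc` group name must resolve to gid 3009 (AID_READPROC) for the supplementary group to satisfy the gid= exemption. It would also help to note in the commit message why lmkd in particular needs the group, since the message only says "processes which need to access /proc entries for other UIDs".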