From 86ccd4ad3f334b199af9acb02cc7437561b72655 Mon Sep 17 00:00:00 2001 From: Nick Kralevich Date: Sat, 7 Nov 2015 16:52:17 -0800 Subject: [PATCH] Enable hidepid=2 on /proc Add the following mount options to the /proc filesystem: hidepid=2,gid=3009 This change blocks /proc access unless you're in group 3009 (aka AID_READPROC). Please see https://github.com/torvalds/linux/blob/master/Documentation/filesystems/proc.txt for documentation on the hidepid option. hidepid=2 is preferred over hidepid=1 since it leaks less information and doesn't generate SELinux ptrace denials when trying to access /proc without being in the proper group. Add AID_READPROC to processes which need to access /proc entries for other UIDs. Bug: 23310674 Change-Id: I22bb55ff7b80ff722945e224845215196f09dafa --- lmkd.rc | 1 + 1 file changed, 1 insertion(+) diff --git a/lmkd.rc b/lmkd.rc index 7d6cb11..3bb84ab 100644 --- a/lmkd.rc +++ b/lmkd.rc @@ -1,5 +1,6 @@ service lmkd /system/bin/lmkd class core + group root readproc critical socket lmkd seqpacket 0660 system system writepid /dev/cpuset/system-background/tasks
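Review bot: the commit message should say which /proc entries lmkd reads for other UIDs, because it only states the general rule ("Add AID_READPROC to processes which need to access /proc entries for other UIDs") and the one-line hunk (`group root readproc`) gives a reader no way to confirm that lmkd is such a process; a sentence naming the per-process files it reads would make the need for the supplementary group reviewable. Separately, the mount-option change described at the top (hidepid=2,gid=3009 on /proc) is not in this diff, which touches only lmkd.rc (the stat line says "1 file changed, 1 insertion(+)"), so either cite the change that adds those mount options or trim the message to what this patch does. Finally, since init's `group` keyword takes the primary group first and supplementary groups after it, `group root readproc` keeps root as the primary GID and adds readproc as a supplementary group, which is the correct placement; a short comment in lmkd.rc saying the group exists for hidepid access would keep it from being dropped later when the service's privileges are tightened.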