crash_dump: remove /system/bin/logcat execute permissions

Currently, crash_dump has the following line:

  read_logd(crash_dump)

which is a macro defined as:

  #####################################
  # read_logd(domain)
  # Ability to run logcat and read from android
  # log daemon via sockets
  define(`read_logd', `
  allow $1 logcat_exec:file rx_file_perms;
  unix_socket_connect($1, logdr, logd)
  ')

which grants both the ability to talk directly to a logd socket, as well
as the ability to execute the /system/bin/logcat command line tool.

This is unneeded (and problematic) for crash_dump. Crash_dump uses
standard, vndk approved libraries to talk directly to logd. It never
exec()s the (non-vndk approved) logcat command. As crash_dump is a vndk
approved component and executed by vendor code, allowing this
transitively makes /system/bin/logcat a vndk component too, which we
want to avoid.

Instead of using the read_logd() macro, just directly add the
unix_socket_connect() call. This allows talking directly to logd, but
blocks the use of the (unneeded) /system/bin/logcat executable.

Test: crasher binary still works when executed from adb shell
Change-Id: I1fe9d0f5f0234c96454a0d91338fa2656f083345
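
The effect described in the commit message, as an added example that is not part of the original commit or of the Android policy tooling: a small Python expander that turns the two macro calls into plain allow rules and checks whether crash_dump can execute logcat_exec. The read_logd body is taken from the message above; the unix_socket_connect body, the rx_file_perms set and all function names are assumptions made for this sketch.

```python
import re

# read_logd is copied from the commit message. The unix_socket_connect body
# and the rx_file_perms set are simplified assumptions modelled on AOSP's
# macro files and may differ between releases.
MACROS = {
    "read_logd": ["allow $1 logcat_exec:file rx_file_perms;",
                  "unix_socket_connect($1, logdr, logd)"],
    "unix_socket_connect": ["allow $1 $2_socket:sock_file write;",
                            "allow $1 $3:unix_stream_socket connectto;"],
}
PERM_SETS = {"rx_file_perms": {"getattr", "open", "read", "ioctl", "lock",
                               "map", "execute", "execute_no_trans"}}
CALL = re.compile(r"^(\w+)\(([^)]*)\)$")
ALLOW = re.compile(r"^allow (\w+) (\w+):(\w+) (\w+);$")


def expand(line):
    """Recursively expand one policy line into plain allow rules."""
    line = line.strip()
    m = CALL.match(line)
    if not m or m.group(1) not in MACROS:
        return [line] if line else []
    args = [a.strip() for a in m.group(2).split(",")]
    rules = []
    for body in MACROS[m.group(1)]:
        for i, arg in enumerate(args, start=1):
            body = body.replace(f"${i}", arg)
        rules.extend(expand(body))
    return rules


def can_execute(policy, domain, target):
    """True if the expanded policy lets `domain` execute `target` files."""
    for line in policy.splitlines():
        for rule in expand(line):
            m = ALLOW.match(rule)
            if m and m.group(1, 2, 3) == (domain, target, "file"):
                if "execute" in PERM_SETS.get(m.group(4), {m.group(4)}):
                    return True
    return False


# Constructed one-line policies: the rule before and after the change.
BEFORE = "read_logd(crash_dump)"
AFTER = "unix_socket_connect(crash_dump, logdr, logd)"

if __name__ == "__main__":
    for name, policy in (("before", BEFORE), ("after", AFTER)):
        print(name, expand(policy), can_execute(policy, "crash_dump", "logcat_exec"))
```

The expanded rule lists differ only in the logcat_exec line, so the socket access to logd is the same before and after.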