resolve merge conflicts of a742d10 to nyc-dev-plus-aosp
Change-Id: Icf3257ee8a47f31ba812a5f47899b8022f4eedb7
diff --git a/logd/Android.mk b/logd/Android.mk
index 203943c..feca8d5 100644
--- a/logd/Android.mk
+++ b/logd/Android.mk
@@ -42,10 +42,6 @@
LOCAL_CFLAGS := -Werror $(event_flag)
-ifeq ($(TARGET_BUILD_VARIANT),user)
-LOCAL_CFLAGS += -DAUDITD_ENFORCE_INTEGRITY=true
-endif
-
include $(BUILD_EXECUTABLE)
include $(call first-makefiles-under,$(LOCAL_PATH))
diff --git a/logd/LogAudit.cpp b/logd/LogAudit.cpp
index 4eb5e83..24c3f52 100644
--- a/logd/LogAudit.cpp
+++ b/logd/LogAudit.cpp
@@ -25,9 +25,6 @@
#include <sys/uio.h>
#include <syslog.h>
-#include <string>
-
-#include <cutils/properties.h>
#include <log/logger.h>
#include <private/android_filesystem_config.h>
#include <private/android_logger.h>
@@ -38,10 +35,6 @@
#include "LogKlog.h"
#include "LogReader.h"
-#ifndef AUDITD_ENFORCE_INTEGRITY
-#define AUDITD_ENFORCE_INTEGRITY false
-#endif
-
#define KMSG_PRIORITY(PRI) \
'<', \
'0' + LOG_MAKEPRI(LOG_AUTH, LOG_PRI(PRI)) / 10, \
@@ -53,10 +46,11 @@
logbuf(buf),
reader(reader),
fdDmesg(fdDmesg),
- policyLoaded(false),
- rebootToSafeMode(false),
initialized(false) {
- logToDmesg("start");
+ static const char auditd_message[] = { KMSG_PRIORITY(LOG_INFO),
+ 'l', 'o', 'g', 'd', '.', 'a', 'u', 'd', 'i', 't', 'd', ':',
+ ' ', 's', 't', 'a', 'r', 't', '\n' };
+ write(fdDmesg, auditd_message, sizeof(auditd_message));
}
bool LogAudit::onDataAvailable(SocketClient *cli) {
@@ -82,55 +76,6 @@
return true;
}
-void LogAudit::logToDmesg(const std::string& str)
-{
- static const char prefix[] = { KMSG_PRIORITY(LOG_INFO),
- 'l', 'o', 'g', 'd', '.', 'a', 'u', 'd', 'i', 't', 'd', ':',
- ' ', '\0' };
- std::string message = prefix + str + "\n";
- write(fdDmesg, message.c_str(), message.length());
-}
-
-std::string LogAudit::getProperty(const std::string& name)
-{
- char value[PROP_VALUE_MAX] = {0};
- property_get(name.c_str(), value, "");
- return value;
-}
-
-void LogAudit::enforceIntegrity() {
- static bool loggedOnce;
- bool once = loggedOnce;
-
- loggedOnce = true;
-
- if (!AUDITD_ENFORCE_INTEGRITY) {
- if (!once) {
- logToDmesg("integrity enforcement suppressed; not rebooting");
- }
- } else if (rebootToSafeMode) {
- if (getProperty("persist.sys.safemode") == "1") {
- if (!once) {
- logToDmesg("integrity enforcement suppressed; in safe mode");
- }
- return;
- }
-
- logToDmesg("enforcing integrity; rebooting to safe mode");
- property_set("persist.sys.safemode", "1");
-
- std::string buildDate = getProperty("ro.build.date.utc");
- if (!buildDate.empty()) {
- property_set("persist.sys.audit_safemode", buildDate.c_str());
- }
-
- property_set("sys.powerctl", "reboot");
- } else {
- logToDmesg("enforcing integrity: rebooting to recovery");
- property_set("sys.powerctl", "reboot,recovery");
- }
-}
-
int LogAudit::logPrint(const char *fmt, ...) {
if (fmt == NULL) {
return -EINVAL;
@@ -152,31 +97,7 @@
memmove(cp, cp + 1, strlen(cp + 1) + 1);
}
- bool loaded = strstr(str, " policy loaded ");
-
- if (loaded) {
- if (policyLoaded) {
- // SELinux policy changes are not allowed
- enforceIntegrity();
- } else {
- logToDmesg("policy loaded");
- policyLoaded = true;
- }
- }
-
- // Note: The audit log can include untrusted strings, but those containing
- // "a control character, unprintable character, double quote mark, or a
- // space" are hex encoded. The space character before the search term is
- // therefore needed to prevent denial of service. Do not remove the space.
- bool permissive = strstr(str, " enforcing=0") ||
- strstr(str, " permissive=1");
-
- if (permissive) {
- // SELinux in permissive mode is not allowed
- enforceIntegrity();
- }
-
- bool info = loaded || permissive;
+ bool info = strstr(str, " permissive=1") || strstr(str, " policy loaded ");
if ((fdDmesg >= 0) && initialized) {
struct iovec iov[3];
static const char log_info[] = { KMSG_PRIORITY(LOG_INFO) };
diff --git a/logd/LogAudit.h b/logd/LogAudit.h
index 3a84541..ab30e28 100644
--- a/logd/LogAudit.h
+++ b/logd/LogAudit.h
@@ -27,15 +27,12 @@
LogBuffer *logbuf;
LogReader *reader;
int fdDmesg;
- bool policyLoaded;
- bool rebootToSafeMode;
bool initialized;
public:
LogAudit(LogBuffer *buf, LogReader *reader, int fdDmesg);
int log(char *buf, size_t len);
bool isMonotonic() { return logbuf->isMonotonic(); }
- void allowSafeMode(bool allow = true) { rebootToSafeMode = allow; }
protected:
virtual bool onDataAvailable(SocketClient *cli);
@@ -44,9 +41,6 @@
static int getLogSocket();
int logPrint(const char *fmt, ...)
__attribute__ ((__format__ (__printf__, 2, 3)));
- void logToDmesg(const std::string& str);
- std::string getProperty(const std::string& name);
- void enforceIntegrity();
};
#endif
diff --git a/logd/README.property b/logd/README.property
index 4bc5541..6200d3e 100644
--- a/logd/README.property
+++ b/logd/README.property
@@ -1,6 +1,7 @@
The properties that logd responds to are:
name type default description
+ro.logd.auditd bool true Enable selinux audit daemon
ro.logd.auditd.dmesg bool true selinux audit messages duplicated and
sent on to dmesg log
persist.logd.security bool false Enable security buffer.
diff --git a/logd/main.cpp b/logd/main.cpp
index 3095f7f..19946b7 100644
--- a/logd/main.cpp
+++ b/logd/main.cpp
@@ -245,7 +245,6 @@
static sem_t reinit;
static bool reinit_running = false;
static LogBuffer *logBuf = NULL;
-static LogAudit *logAudit = NULL;
static bool package_list_parser_cb(pkg_info *info, void * /* userdata */) {
@@ -296,10 +295,6 @@
logBuf->init();
logBuf->initPrune(NULL);
}
-
- if (logAudit) {
- logAudit->allowSafeMode();
- }
}
return NULL;
@@ -520,19 +515,25 @@
// initiated log messages. New log entries are added to LogBuffer
// and LogReader is notified to send updates to connected clients.
- logAudit = new LogAudit(logBuf, reader,
- property_get_bool("logd.auditd.dmesg",
- BOOL_DEFAULT_TRUE |
- BOOL_DEFAULT_FLAG_PERSIST)
- ? fdDmesg
- : -1);
+ bool auditd = property_get_bool("logd.auditd",
+ BOOL_DEFAULT_TRUE |
+ BOOL_DEFAULT_FLAG_PERSIST);
+ LogAudit *al = NULL;
+ if (auditd) {
+ al = new LogAudit(logBuf, reader,
+ property_get_bool("logd.auditd.dmesg",
+ BOOL_DEFAULT_TRUE |
+ BOOL_DEFAULT_FLAG_PERSIST)
+ ? fdDmesg
+ : -1);
+ }
LogKlog *kl = NULL;
if (klogd) {
- kl = new LogKlog(logBuf, reader, fdDmesg, fdPmesg, logAudit != NULL);
+ kl = new LogKlog(logBuf, reader, fdDmesg, fdPmesg, al != NULL);
}
- readDmesg(logAudit, kl);
+ readDmesg(al, kl);
// failure is an option ... messages are in dmesg (required by standard)
@@ -540,9 +541,8 @@
delete kl;
}
- if (logAudit && logAudit->startListener()) {
- delete logAudit;
- logAudit = NULL;
+ if (al && al->startListener()) {
+ delete al;
}
TEMP_FAILURE_RETRY(pause());