Relax permissions on /data/misc/logd
Incidentd needs to access /data/misc/logd to get persisted logs for
debugging purposes. Relax permissions on /data/misc/logd to allow
group (log) to access the dir and read its files. Effectively change
to:
drwxr-x--- logd log /data/misc/logd
-rw-r----- logd log /data/misc/logd/logcat*
Since this dir stores the past output of logcat, anyone that can run
logcat can be granted access to this dir. Access to this dir is further
guarded by SELinux. So it is safe.
Bug: 147924172
Test: Build, flash, reboot. Verify that the files have the right
permissions.
Change-Id: I4d2aa9d5883d1ef14411b2b3902f0ca7c641dd7e
diff --git a/logcat/logcat.cpp b/logcat/logcat.cpp
index 7b18438..08e3d22 100644
--- a/logcat/logcat.cpp
+++ b/logcat/logcat.cpp
@@ -110,7 +110,7 @@
#endif
static int openLogFile(const char* pathname, size_t sizeKB) {
- int fd = open(pathname, O_WRONLY | O_APPEND | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR);
+ int fd = open(pathname, O_WRONLY | O_APPEND | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR | S_IRGRP);
if (fd < 0) {
return fd;
}
diff --git a/logcat/logcatd b/logcat/logcatd
index 622e567..5a1415d 100755
--- a/logcat/logcatd
+++ b/logcat/logcatd
@@ -4,6 +4,10 @@
# first reads the 'last' logcat to persistent storage with `-L` then run logcat again without
# `-L` to read the current logcat buffers to persistent storage.
+# init sets the umask to 077 for forked processes. logpersist needs to create files that are group
+# readable. So relax the umask to only disallow group wx and world rwx.
+umask 037
+
has_last="false"
for arg in "$@"; do
if [ "$arg" == "-L" -o "$arg" == "--last" ]; then
diff --git a/logcat/logcatd.rc b/logcat/logcatd.rc
index e986184..64d5500 100644
--- a/logcat/logcatd.rc
+++ b/logcat/logcatd.rc
@@ -30,8 +30,8 @@
setprop logd.logpersistd.enable true
on property:logd.logpersistd.enable=true && property:logd.logpersistd=logcatd
- # all exec/services are called with umask(077), so no gain beyond 0700
- mkdir /data/misc/logd 0700 logd log
+ # log group should be able to read persisted logs
+ mkdir /data/misc/logd 0750 logd log
start logcatd
# stop logcatd service and clear data
diff --git a/logd/logtagd.rc b/logd/logtagd.rc
index 46aa8c1..248a78c 100644
--- a/logd/logtagd.rc
+++ b/logd/logtagd.rc
@@ -2,7 +2,7 @@
# logtagd event log tag service (debug only)
#
on post-fs-data
- mkdir /data/misc/logd 0700 logd log
+ mkdir /data/misc/logd 0750 logd log
write /data/misc/logd/event-log-tags ""
chown logd log /data/misc/logd/event-log-tags
chmod 0600 /data/misc/logd/event-log-tags