replace insecure uid spoofing code

The pid_to_exe check is insecure because it does not account for race
conditions. An attacker can arrange for their process to exit and a new
su process to be spawned with their old pid. Instead, just forbid having
setuid privileges in the client (applies to the shell, but not apps) and
rely on the reliable SO_PEERCRED information.

The pid passed over the socket cannot be trusted because that process
can exit with the pid being reused, so it's not possible to validate it
in a meaningful way.

Change-Id: Ia430e9960b17aa97c772b3da78b9a4e5e972599c
2 files changed
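As an added example that is not part of this commit or the project's code, the C program below shows the two approaches the message contrasts on a Linux AF_UNIX socket: the kernel-recorded SO_PEERCRED credentials, which are captured at connect()/socketpair() time and cannot be forged by the client, beside a sketch of the pid-to-executable lookup that is racy because a pid can be recycled after the sender exits. The function names (`peer_credentials`, `racy_exe_of_pid`, `peercred_matches_self`) are hypothetical and are not the project's `pid_to_exe`.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/types.h>

/* Fetch the credentials of the peer on a connected AF_UNIX socket.
 * The kernel recorded pid/uid/gid when the connection was established,
 * so the client cannot substitute values the way it could with a pid
 * sent in the message payload. Returns 0 on success, -1 on failure. */
int peer_credentials(int fd, struct ucred *out)
{
    socklen_t len = sizeof(*out);
    memset(out, 0, sizeof(*out));
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, out, &len) != 0)
        return -1;
    return 0;
}

/* Sketch (hypothetical, not the project's pid_to_exe) of the pattern the
 * commit message rejects: resolve /proc/<pid>/exe for a pid the client
 * claimed. Between the client sending its pid and this readlink(), that
 * process can exit and the pid can be reused by an unrelated process, so
 * the path returned says nothing reliable about the sender. Returns 0 on
 * success, -1 on failure. */
int racy_exe_of_pid(pid_t pid, char *buf, size_t buflen)
{
    char path[64];
    snprintf(path, sizeof(path), "/proc/%d/exe", (int)pid);
    ssize_t n = readlink(path, buf, buflen - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return 0;
}

/* Self-contained demonstration: create a socketpair inside one process
 * and confirm the peer credentials on one end match this process's own
 * pid/uid/gid, as the SO_PEERCRED semantics guarantee for socketpair().
 * Returns 1 on match, 0 otherwise. */
int peercred_matches_self(void)
{
    int sv[2];
    struct ucred cred;
    int ok = 0;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return 0;
    if (peer_credentials(sv[0], &cred) == 0 &&
        cred.pid == getpid() &&
        cred.uid == getuid() &&
        cred.gid == getgid())
        ok = 1;
    close(sv[0]);
    close(sv[1]);
    return ok;
}

int main(void)
{
    char exe[4096];

    printf("SO_PEERCRED matches own credentials: %s\n",
           peercred_matches_self() ? "yes" : "no");

    /* The racy lookup still "works" for our own pid, which is exactly
     * the problem: it cannot tell whether the pid still belongs to the
     * process that sent it. */
    if (racy_exe_of_pid(getpid(), exe, sizeof(exe)) == 0)
        printf("/proc/%d/exe currently resolves to %s\n", (int)getpid(), exe);
    return 0;
}
```

A daemon applying this would call `peer_credentials()` on the accepted connection and use `cred.uid` for its policy decision, ignoring any pid or uid the client writes into the request itself.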