Revert "host_init_verifier: add check for root services and linux capabilities"

This reverts commit f1e3bfff40.

Reason for revert: Breaks builds

Bug: 263874232
Change-Id: Iabe5cd01114bf4a3731ace4345da8009e6b86f74
Nikita Ioffe 2022-12-28 16:16:29 +00:00
parent f1e3bfff40
commit 24d1c238ce
2 changed files with 0 additions and 86 deletions


@ -22,7 +22,6 @@
#include <stdio.h>
#include <stdlib.h>
#include <cstdlib>
#include <fstream>
#include <iostream>
#include <iterator>
@ -217,80 +216,6 @@ void HandlePropertyContexts(const std::string& filename,
}
}
bool CheckServiceCapabilities(const ServiceList& service_list,
const std::set<std::string>& system_services) {
static const std::set<std::string> kExemptList = {
"apexd",
"apexd-bootstrap",
"apexd-snapshotde",
"adbd",
"boottrace",
"boringssl_self_test32",
"boringssl_self_test64",
"boringssl_self_test_apex32",
"boringssl_self_test_apex64",
"bsplogstart",
"bugreportd",
"charger",
"clear-bcb",
"composd",
"dumpstate",
"dumpstatez",
"fastbootd",
"gsid",
"installd",
"mmedialogstart",
"mobile_log_d",
// Yes, it's contorl, not control :(
"mobile_log_d_contorl",
"mobile_log_d_sublog_config",
"odsign",
"profcollectd",
"recovery",
"recovery-console",
"servicemanager",
"setup-bcb",
"snapuserd",
"snapuserd_proxy",
"sysproxyd",
"trace_buf_off",
"ueventd",
"uncrypt",
"update_engine",
"update_verifier",
"update_verifier_nonencrypted",
"usbd",
"vold",
"zygote",
"zygote_secondary",
};
bool found_error = false;
for (const auto& service : service_list) {
if (service->uid() != 0) {
continue;
}
// TODO(b/249796710): enable this linter for other partitions as well
if (system_services.count(service->name()) == 0) {
LOG(DEBUG) << "Skipping capabilities check for '" << service->name()
<< "' because it doesn't belong to system partition";
continue;
}
if (!service->capabilities().has_value() && kExemptList.count(service->name()) == 0) {
LOG(ERROR) << "Service '" << service->name() << "' (defined in " << service->filename()
<< ") runs under 'root' user but does not "
<< "specify capabiltiies it needs. This will result in service inheriting "
"all the "
<< "capabilities that 'init' has. Please explicitly specify the "
"capabilities that '"
<< service->name()
<< "' need. If it doesn't need any capabilities then leave the "
"'capabilities' field empty.";
found_error = true;
}
}
return !found_error;
}
int main(int argc, char** argv) {
android::base::InitLogging(argv, &android::base::StdioLogger);
android::base::SetMinimumLogSeverity(android::base::ERROR);
@ -394,17 +319,11 @@ int main(int argc, char** argv) {
parser.AddSectionParser("on", std::make_unique<ActionParser>(&am, GetSubcontext()));
parser.AddSectionParser("import", std::make_unique<HostImportParser>());
std::set<std::string> system_services;
if (!partition_map.empty()) {
for (const auto& p : partition_search_order) {
if (partition_map.find(p) != partition_map.end()) {
parser.ParseConfig(partition_map.at(p) + "etc/init");
}
if (p == "system") {
for (const auto& service : ServiceList::GetInstance()) {
system_services.insert(service->name());
}
}
}
} else {
if (!parser.ParseConfigFileInsecure(*argv)) {
@ -417,9 +336,6 @@ int main(int argc, char** argv) {
LOG(ERROR) << "Failed to parse init scripts with " << failures << " error(s).";
return EXIT_FAILURE;
}
if (!CheckServiceCapabilities(sl, system_services)) {
return EXIT_FAILURE;
}
return EXIT_SUCCESS;
}


@ -145,8 +145,6 @@ class Service {
const std::string& filename() const { return filename_; }
void set_filename(const std::string& name) { filename_ = name; }
const std::optional<CapSet>& capabilities() const { return capabilities_; }
private:
void NotifyStateChange(const std::string& new_state) const;
void StopOrReset(int how);