Enable hidepid=2 on /proc Add the following mount options to the /proc filesystem: hidepid=2,gid=3009 This change blocks /proc access unless you're in group 3009 (aka AID_READPROC). Please see https://github.com/torvalds/linux/blob/master/Documentation/filesystems/proc.txt for documentation on the hidepid option. hidepid=2 is preferred over hidepid=1 since it leaks less information and doesn't generate SELinux ptrace denials when trying to access /proc without being in the proper group. Add AID_READPROC to processes which need to access /proc entries for other UIDs. Bug: 23310674 Change-Id: I22bb55ff7b80ff722945e224845215196f09dafa

commit: c39ba5ae32afb6329d42e61d2941d87ff66d92e3 [log] [tgz]
author: Nick Kralevich <nnk@google.com> Sat Nov 07 16:52:17 2015 -0800
committer: Nick Kralevich <nnk@google.com> Mon Nov 09 09:08:46 2015 -0800
tree: a5fca3ab71e1856a75e995c1d8ec81dc55bd56e1
parent: 54b5e85373619a838641d276a840caad284b09b3 [diff] [blame]
diff --git a/init/init.cpp b/init/init.cpp
index a898b03..49ec509 100644
--- a/init/init.cpp
+++ b/init/init.cpp

@@ -546,7 +546,8 @@
         mkdir("/dev/pts", 0755);
         mkdir("/dev/socket", 0755);
         mount("devpts", "/dev/pts", "devpts", 0, NULL);
-        mount("proc", "/proc", "proc", 0, NULL);
+        #define MAKE_STR(x) __STRING(x)
+        mount("proc", "/proc", "proc", 0, "hidepid=2,gid=" MAKE_STR(AID_READPROC));
         mount("sysfs", "/sys", "sysfs", 0, NULL);
     }
commit	c39ba5ae32afb6329d42e61d2941d87ff66d92e3	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Sat Nov 07 16:52:17 2015 -0800
committer	Nick Kralevich <nnk@google.com>	Mon Nov 09 09:08:46 2015 -0800
tree	a5fca3ab71e1856a75e995c1d8ec81dc55bd56e1
parent	54b5e85373619a838641d276a840caad284b09b3 [diff] [blame]