diff options
| author | Nick Kralevich <nnk@google.com> | 2014-06-08 15:14:42 -0700 |
|---|---|---|
| committer | Nick Kralevich <nnk@google.com> | 2014-06-08 15:14:42 -0700 |
| commit | c3df8d756291b5258c21335e1266efb941fd7d0a (patch) | |
| tree | e054504d6b554f4abbcce509c91f645faed2453a /include/private/android_filesystem_config.h | |
| parent | 3013615077bbf1ccedaef59181f5e96062ad479a (diff) | |
| download | system_core-c3df8d756291b5258c21335e1266efb941fd7d0a.zip system_core-c3df8d756291b5258c21335e1266efb941fd7d0a.tar.gz system_core-c3df8d756291b5258c21335e1266efb941fd7d0a.tar.bz2 | |
Make su 04750
Currently, /system/xbin/su is world executable. Prior to SELinux
enforcement, anyone (including third party apps) could run su.
The su code itself checks to see if the calling UID is root or shell.
Rather than relying on enforcement within the su binary, modify the
binary so it has group=shell, and remove world-execute permission.
This helps avoid some annoying SELinux denial messages as third party
apps call su on userdebug/eng builds.
Change-Id: I61c9231bb7e201d14ee3a5b6fe81b3fa7b12599f
Diffstat (limited to 'include/private/android_filesystem_config.h')
| -rw-r--r-- | include/private/android_filesystem_config.h | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/include/private/android_filesystem_config.h b/include/private/android_filesystem_config.h index 03b3506..d8e938e 100644 --- a/include/private/android_filesystem_config.h +++ b/include/private/android_filesystem_config.h @@ -244,7 +244,7 @@ static const struct fs_path_config android_files[] = { /* the following five files are INTENTIONALLY set-uid, but they * are NOT included on user builds. */ - { 06755, AID_ROOT, AID_ROOT, 0, "system/xbin/su" }, + { 04750, AID_ROOT, AID_SHELL, 0, "system/xbin/su" }, { 06755, AID_ROOT, AID_ROOT, 0, "system/xbin/librank" }, { 06755, AID_ROOT, AID_ROOT, 0, "system/xbin/procrank" }, { 06755, AID_ROOT, AID_ROOT, 0, "system/xbin/procmem" }, |