Keystore 2.0: Add keystore2 to llkd ignore list.

Due to Keystore's handling of sensitive information we cannot allow any other process ptrace privileges over Keystore. To silence SELinux denials llkd must ignore the keystore process. This CL adds keystore2 to the ignore list because it replaces keystore. In a followup the keystore entry will be removed. Bug: 170144267 Test: N/A Change-Id: I28eafc1f4341cdd371ad78d3a7a9ba8ac128c1b1
AospExtended · Mar 15, 2021 · 0284374 · 0284374
1 parent f85f3d6
commit 0284374
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 4 deletions.
diff --git a/llkd/README.md b/llkd/README.md
@@ -207,7 +207,7 @@ Comma-separated list of uid numbers or names. Default is empty or false.
 
 The `llkd` does not monitor the specified subset of processes for live lock stack
 signatures. Default is process names
-`init,lmkd.llkd,llkd,keystore,ueventd,apexd,logd`. Prevents the sepolicy
+`init,lmkd.llkd,llkd,keystore,keystore2,ueventd,apexd,logd`. Prevents the sepolicy
 violation associated with processes that block `ptrace` (as these can't be
 checked). **Active only on userdebug and eng builds**. For details on build
 types, refer to [Building Android](/setup/build/building#choose-a-target).

diff --git a/llkd/include/llkd.h b/llkd/include/llkd.h
@@ -60,7 +60,7 @@ unsigned llkCheckMilliseconds(void);
 #define LLK_IGNORELIST_UID_PROPERTY     "ro.llk.ignorelist.uid"
 #define LLK_IGNORELIST_UID_DEFAULT      ""
 #define LLK_IGNORELIST_STACK_PROPERTY   "ro.llk.ignorelist.process.stack"
-#define LLK_IGNORELIST_STACK_DEFAULT    "init,lmkd.llkd,llkd,keystore,ueventd,apexd"
+#define LLK_IGNORELIST_STACK_DEFAULT    "init,lmkd.llkd,llkd,keystore,keystore2,ueventd,apexd"
 /* clang-format on */
 
 __END_DECLS

diff --git a/llkd/libllkd.cpp b/llkd/libllkd.cpp
@@ -115,8 +115,8 @@ std::unordered_map<std::string, std::unordered_set<std::string>> llkIgnorelistPa
 // list of uids, and uid names, to skip, default nothing
 std::unordered_set<std::string> llkIgnorelistUid;
 #ifdef __PTRACE_ENABLED__
-// list of names to skip stack checking. "init", "lmkd", "llkd", "keystore" or
-// "logd" (if not userdebug).
+// list of names to skip stack checking. "init", "lmkd", "llkd", "keystore",
+// "keystore2", or "logd" (if not userdebug).
 std::unordered_set<std::string> llkIgnorelistStack;
 #endif