Adding a new location for policy files under
/data, the new location is /data/security. The
new location is used before attempting to use
any other location.
This requires a new directory to be created by
the init script and an update to the location of
the property_contexts file for property service.
Change-Id: I955a722ac3e51fa6c1b97201b8bdef3f601cf09d
Adding a new location for policy files under
/data, the new location is /data/security. The
new location is used before attempting to use
any other location.
This requires a new directory to be created by
the init script and an update to the location of
the property_contexts file for property service.
Change-Id: I955a722ac3e51fa6c1b97201b8bdef3f601cf09d
goldfish is ported to linux-3.4 and have capability to run atrace.
But can't run atrace yet because debugfs is not mounted on boot time.
Change-Id: I0ce23bde3b8d1b2a88d4238272123e3ab8cb6970
Signed-off-by: Young-Ho Cha <ganadist@gmail.com>
Allow userspace programs to create IPPROTO_ICMP sockets.
This socket type allows an unprivileged program to safely
send ICMP_ECHO messages and receive the corresponding
ICMP_ECHOREPLY messages, without relying on raw sockets or
setuid programs.
Please see http://lwn.net/Articles/443051/ for details.
In particular, this allows us to use a version of ping
which doesn't have any capabilities
(https://android-review.googlesource.com/52072).
In addition, this allows us to safely implement an IPv4 ICMP
based version of InetAddress.isReachable()
(https://code.google.com/p/android/issues/detail?id=20106)
Change-Id: I876718151efa8219c4f34f573e35e21256fe2316
This can cause init to be stucked in a loop in very rare cases where
persist.sys.usb.config is set to "none" (because the "setprop
sys.usb.config none" action is added twice to the action list).
The original issue on encrypted devices has been fixed differently
by change # I350c5aab986f8ca86b95f316398d03012553e581
This reverts commit 80828af3de.
Change-Id: Id0a7af8dd861c8d10b80a13b540c8a339b432007
This will help get rid of android_aid.h in the kernel.
The group of the proc entries will be used in place of the default
values picked up by the xt_qtaguid netfilter module
(AID_NET_BW_STATS, AID_NET_BW_ACCT).
This change has no effect until the matching kernel changes are submitted.
Change-Id: I3c177e7b5caf9c59300eba6bd4a976634b333674
On encrypted devices, persistent properties are loaded after the device
is decrypted. To properly change sys.usb.config to its persistent value,
it must first be set to "none" and then to ${persist.sys.usb.config}.
Bug: 7678835
Change-Id: I4f91245cedc04e3178ce9cee21390f5b657733c9
This is necessary for some HWC hals to be able to communicate with
secure side to grant protected access to hardware owned by the
hwc. This is necessary on some architectures to grant access to
secure buffers to overlay/csc hardware
Change-Id: I4e4becba5b4a80310ce8932edea5d0d046fa9b00
Signed-off-by: Dima Zavin <dima@android.com>
When vold mounts things in /mnt/secure/staging, it expects to MS_MOVE
those mountpoints when vetting is finished. However, the kernel
doesn't allow MS_MOVE when the source is shared to child namespaces.
To work around this, create a tmpfs at /mnt/secure and mark it as
private (not shared). Verified that vold can now successfully move
from the staging area.
Bug: 7094858
Change-Id: I5e05b1005c63efa277935c9bbd18cbf3ffdd47a3
Define /storage as top-level concept, so that we enforce permissions
uniformly. Moves external storage paths from headers to per-device
environment variables. Added missing mount flags, and we no longer
have adb-specific external storage.
Bug: 6925012
Change-Id: Ic7ca953be2f552d3f0ec9e69f89fef751daa1b29
Also remove mount() from adb, since it can come online long before
data partition is ready. Set EXTERNAL_STORAGE environment variable
to point to owner for backwards compatibility.
Bug: 7005701
Change-Id: I63444f6636624eb7ad89f053daa289663424639e
Remount rootfs as recursively shared, so that mount changes are
propagated into child namespaces. Mount external storage for access
from adb.
Clean multi-user dependencies for use in Dalvik. Also define
external storage paths.
Bug: 6925012
Change-Id: I375de581a63f4f36667894c56a34a9dd45361e8f
To support runtime policy management, add support for reloading
policy from /data/system. This can be triggered by setting the
selinux.loadpolicy property to 1, whether from init.rc after
mounting /data or from the system_server (e.g. upon invocation of
a new device admin API for provisioning policy). ueventd and
installd are restarted upon policy reloads to pick up the new
policy configurations relevant to their operation.
Change-Id: I97479aecef8cec23b32f60e09cc778cc5520b691
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
chown /proc/last_kmsg to user system group log during init, and
chmod it to readable only by user and group.
Bug: 6925227
Change-Id: I645b6a2d4fecc01a2bd4b7fa7ed6aae3ef638cb9
Set the security context for the init process.
Restore the security contexts of /cache and /data in case they were reset.
Specify the security context for services launched from the rootfs since
we cannot label their executables.
If on the emulator, set a policy boolean and restore the context of
/sys/qemu_trace to allow accesses not normally permitted on a device.
Change-Id: I166ffc267e8e0543732e7118eb0fd4b031efac3b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This device is required by libdrm for GPUs like IvyBridge.
Change-Id: I0ac47056a9cec2100f3e6eaa5591571fe6bbc145
Signed-off-by: Lukasz Anaczkowski <lukasz.anaczkowski@intel.com>
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This change adds init.rc steps to:
* allow kernel tracing to be enabled via adb
* allow a limited set of kernel trace events to be enabled via adb
* allow the kernel trace to be read via adb
* allow all users to write to the kernel trace from userland
Bug: 6513400
Change-Id: Ic3c189b5697aa5edf88d2f507c932971bed6caff
With this change, the audio rr/fifo threads will just run in
the fg cgroup.
Also, the RR budget for the apps fg/bg threads has been bumped
to 80%. Ideally, the bg budget would be much smaller but there
are legacy libraries that seem to be very sensitive to this so
for now keep it at this value.
Bug: 6528015
Change-Id: I08f295e7ba195a449b96cd79d954b0529cee8636
Signed-off-by: Dima Zavin <dima@android.com>
GPS on yakju puts SCHED_RR threads in the fg and bg groups, and
is unhappy with 0.1% limits. Increase the limits to 10%.
Change-Id: I971c9b0a815890d41694b965fdd2b023937a4411
rt_runtime_us=0 can cause deadlocks if a SCHED_FIFO/SCHED_RR thread
is moved into the wrong cgroup.
Change-Id: I4633392fb529039dff6ba5d3a6b672e0de9fc2d9
DRM server process needs to be able to access movies on sdcard
to acquire rights.
related-to-bug: 6414503
Change-Id: If90404e32fd437b8fb7d5a6ec8dfb30a499ef733
CVE-2011-3918: Address denial of service attack against Android's
zygote process. This change enforces that only UID=system can
directly connect to zygote to spawn processes.
Change-Id: I89f5f05fa44ba8582920b66854df3e79527ae067
Forward locked apps on internal storage will be stored in ASEC
containers using ext4. This way permissions can be preserved whether on
internal or external storage.
Change-Id: I942f8f0743c210330a11e2b1d0204df7a5ddb2ae
This change adds init.rc steps to allow kernel tracing to support inserting
messages from any userland process.
Change-Id: I01970728d7132a25408fed09a213a015ac05ccaf
With newer Android kernels, anyone can read from the files in
/dev/log. If you're in the logs group (have the READ_LOGS) permission,
you'll see all entries. If you're not in that group, you'll see
log messages associated with your UID.
Relax the permissions on the files in /dev/log/ to allow an application
to read it's own log messages.
Bug: 5748848
Change-Id: Ie740284e96a69567dc73d738117316f938491777
This is part of the multi-project commit to move the filter-framework
from system/media/mca to frameworks/base/media/mca.
Note that the filter-framework will soon be replaced with a refactored
version currently under API review (also to go under frameworks/base).
This move is done now to unblock the PDK efforts.
Change-Id: I87d034a30bb4b98a85a028cb728e37fb97256039
Make the drm server run as UID=drm, GID=drm. This ensures that
any files created by the drmserver app do not have GID=system.
Bug: 5834297
Change-Id: I3409ad350e9cc82bb0982cdbe470ec1f10b1ca67
Android developers should never place files in /data/local/tmp.
Files or directories in /data/local/tmp can be minipulated by the
shell user.
Android developers should never create world-writable files
or directories. This is a common source of security vulnerabilities.
Change-Id: I6d2cd620ab49d8ca3f39282f7d2ed682a9ba91c3
The keystore service needs to access hardware crypto devices to
fulfill its function on devices with hardware crypto. This role
was assigned to the (now misnamed) drmrpc group.
Change-Id: Ia32f9e96b4372f0974984451680f9a0f6157aa01
CVE-2011-3918: Address denial of service attack against Android's
zygote process. This change enforces that only UID=system can
directly connect to zygote to spawn processes.
Change-Id: I89f5f05fa44ba8582920b66854df3e79527ae067
This removes the hardcoding of the file import in init and instead
allows the init.rc file to fully control what is loaded.
Change-Id: I933e5bbab57f1e8705a370d660f92c6508da94d2
Signed-off-by: Dima Zavin <dima@android.com>
This removes the hardcoding of the file import in init and instead
allows the init.rc file to fully control what is loaded.
Change-Id: I933e5bbab57f1e8705a370d660f92c6508da94d2
Signed-off-by: Dima Zavin <dima@android.com>
Set dmesg_restrict to 1 to help limit inadvertent information leaks
from the kernel to non-privileged programs. Root and programs with
CAP_SYSLOG will continue to have access to dmesg output.
See "dmesg_restrict" in Documentation/sysctl/kernel.txt from the
Linux kernel source code.
Bug: 5585365
Change-Id: Iffcf060ea4bd446ab9acf62b8b61d315d4ec4633
Otherwise, ueventd's oom_adj value would have been 0 and it could
easily get killed early during low memory events
Change-Id: I1adbd18c37215b26ae77e70f7b8dbd1e143fc2d4
Signed-off-by: Dima Zavin <dima@android.com>
To make writing kernel exploits harder, set /proc/sys/kernel/kptr_restrict
to "2". This prohibits users from accessing kernel symbols via /proc/kallsyms
Bug: 5555668
Change-Id: Ib31cb6fcb4d212a0b570ce9e73ae31f721ed801b
Keun-young Park