The mediaserver needs to do communication on behalf of other apps
(browser, ...).
It needs to be able to tag sockets. The kernel will check for net_bw_acct
group membership.
Change-Id: I7fb063fdb7d9435d7f979df6622ff17f34049cbc
Racoon still needs it after dropping root privilege, or pure IPSec VPN
will fail. Mtpd works without it because net_raw implies inet. However
it would be better to set all of them clearly without the assumption.
Change-Id: I50762af2c25ec9cc559e528c7b14f469494fd553
Removed system from mediaserver groups. Not needed anymore
now that AudioFlinger acquires wake locks via PowerManagerService.
Change-Id: I177b968a0a30557d871188bf3991b96d9b391d3c
VPN no longer uses system properties to keep network parameters.
Besides, profiles are now stored and encrypted by keystore.
Change-Id: I7575f04f350b7d8d5ba7008eb874a72180d057e8
There was a regression caused by a change in Honeycomb that removed
mediaserver process from system group to improve security: This prevents
the audio HAL (which runs in mediaserver process) from taking wake locks
while audio is playing thus causing the pcm stream to get unexpectedly
suspended.
This temporary workaround is just to allow ICS dogfood in better conditions until
a real fix taking into account the security issue is implemented.
Change-Id: Ic19a23da4b4383559188b6f5c3a82604c3d95d74
-- This is needed so the modems (LTE & CDMA) are powered on and running
before unlocking encrypted devices
Change-Id: I842f5286499fd76abc554ded550fb837d12b324e
The adb gadget driver used to reset the USB bus when the adbd daemon exited,
and the host side adb relied on this behavior to force it to reconnect
with the new adbd instance after init relaunches it. The new gadget
drivers no longer automatically reset the USB bus when adbd is restarted
which caused adb to hang since it was no longer forced to reconnect with the
device. We attempted to work around this on the host side adb, but that
work around has not been reliable.
This change adds a property trigger on the service.adb.root system property
which will reset the USB bus and restart the adbd daemon when adbd sets
the property to 1. This should be much closer to the previous behavior
and will hopefully fix some problems with automated testing.
Change-Id: I177c37400009a3d83f21a5f9431f94fd1cc19b9b
Signed-off-by: Mike Lockwood <lockwood@android.com>
frameworks/base
Adding IKeyChainService APIs for CertInstaller and Settings use
keystore/java/android/security/IKeyChainService.aidl
libcore
Improve exceptions to include more information
luni/src/main/java/javax/security/auth/x500/X500Principal.java
Move guts of RootKeyStoreSpi to TrustedCertificateStore, leaving only KeyStoreSpi methods.
Added support for adding user CAs in a separate directory for system.
Added support for removing system CAs by placing a copy in a sytem directory
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/RootKeyStoreSpi.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustedCertificateStore.java
Formerly static methods on RootKeyStoreSpi are now instance methods on TrustedCertificateStore
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java
Added test for NativeCrypto.X509_NAME_hash_old and X509_NAME_hash
to make sure the implementing algorithms doe not change since
TrustedCertificateStore depend on X509_NAME_hash_old (OpenSSL
changed the algorithm from MD5 to SHA1 when moving from 0.9.8 to
1.0.0)
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java
Extensive test of new TrustedCertificateStore behavior
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/TrustedCertificateStoreTest.java
TestKeyStore improvements
- Refactored TestKeyStore to provide simpler createCA method (and
internal createCertificate)
- Cleaned up to remove use of BouncyCastle specific X509Principal
in the TestKeyStore API when the public X500Principal would do.
- Cleaned up TestKeyStore support methods to not throw Exception
to remove need for static blocks for catch clauses in tests.
support/src/test/java/libcore/java/security/TestKeyStore.java
luni/src/test/java/libcore/java/security/KeyStoreTest.java
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java
Added private PKIXParameters contructor for use by
IndexedPKIXParameters to avoid wart of having to lookup and pass
a TrustAnchor to satisfy the super-class sanity check.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/IndexedPKIXParameters.java
luni/src/main/java/java/security/cert/PKIXParameters.java
packages/apps/CertInstaller
Change CertInstaller to call IKeyChainService.installCertificate
for CA certs to pass them to the KeyChainServiceTest which will
make them available to all apps through the
TrustedCertificateStore. Change PKCS12 extraction to use AsyncTask.
src/com/android/certinstaller/CertInstaller.java
Added installCaCertsToKeyChain and hasCaCerts accessor for use by
CertInstaller. Use hasUserCertificate() internally. Cleanup coding
style.
src/com/android/certinstaller/CredentialHelper.java
packages/apps/KeyChain
Added MANAGE_ACCOUNTS so that IKeyChainService.reset
implementation can remove KeyChain accounts.
AndroidManifest.xml
Implement new IKeyChainService methods:
- Added IKeyChainService.installCaCertificate to install certs
provided by CertInstaller using the TrustedCertificateStore.
- Added IKeyChainService.reset to allow Settings to remove the
KeyChain accounts so that any app granted access to keystore
credentials are revoked when the keystore is reset.
src/com/android/keychain/KeyChainService.java
packages/apps/Settings
Changed com.android.credentials.RESET credential reset action to
also call IKeyChainService.reset to remove any installed user CAs
and remove KeyChain accounts to have AccountManager revoke
credential granted to private keys removed during the RESET.
src/com/android/settings/CredentialStorage.java
Added toast text value for failure case
res/values/strings.xml
system/core
Have init create world readable /data/misc/keychain to allow apps
to access user added CA certificates installed by the CertInstaller.
rootdir/init.rc
Change-Id: I768ca8e8e990ff333ce0f7069a0935173498c5ed
Fix for bug 3415286. The persistent properties are normally read early
in the boot process after /data is mounted. However, for an encrypted
system, at that point /data is a tmpfs ramdisk. This change adds a new
command to init (load_persist_props) to read the persistent properties,
and adds an action to init.rc to load the persistent properties. This
action is triggered by setting a property in vold, but that's in a
different CL.
Change-Id: I74b3057974ee6029c29d956b76fef5566700d471
This is to allow OpenGL ES rendering from the system process,
and help with debugging.
Bug: 4086003
Change-Id: I732e95f4fcaa358f430cc195d8e63a69263bffdc
JP Abgrall