Android developers should never place files in /data/local/tmp.
Files or directories in /data/local/tmp can be minipulated by the
shell user.
Android developers should never create world-writable files
or directories. This is a common source of security vulnerabilities.
Change-Id: I6d2cd620ab49d8ca3f39282f7d2ed682a9ba91c3
The keystore service needs to access hardware crypto devices to
fulfill its function on devices with hardware crypto. This role
was assigned to the (now misnamed) drmrpc group.
Change-Id: Ia32f9e96b4372f0974984451680f9a0f6157aa01
CVE-2011-3918: Address denial of service attack against Android's
zygote process. This change enforces that only UID=system can
directly connect to zygote to spawn processes.
Change-Id: I89f5f05fa44ba8582920b66854df3e79527ae067
This removes the hardcoding of the file import in init and instead
allows the init.rc file to fully control what is loaded.
Change-Id: I933e5bbab57f1e8705a370d660f92c6508da94d2
Signed-off-by: Dima Zavin <dima@android.com>
This removes the hardcoding of the file import in init and instead
allows the init.rc file to fully control what is loaded.
Change-Id: I933e5bbab57f1e8705a370d660f92c6508da94d2
Signed-off-by: Dima Zavin <dima@android.com>
Set dmesg_restrict to 1 to help limit inadvertent information leaks
from the kernel to non-privileged programs. Root and programs with
CAP_SYSLOG will continue to have access to dmesg output.
See "dmesg_restrict" in Documentation/sysctl/kernel.txt from the
Linux kernel source code.
Bug: 5585365
Change-Id: Iffcf060ea4bd446ab9acf62b8b61d315d4ec4633
Otherwise, ueventd's oom_adj value would have been 0 and it could
easily get killed early during low memory events
Change-Id: I1adbd18c37215b26ae77e70f7b8dbd1e143fc2d4
Signed-off-by: Dima Zavin <dima@android.com>
To make writing kernel exploits harder, set /proc/sys/kernel/kptr_restrict
to "2". This prohibits users from accessing kernel symbols via /proc/kallsyms
Bug: 5555668
Change-Id: Ib31cb6fcb4d212a0b570ce9e73ae31f721ed801b
Add log group to ril-daemon service. rild is the best place to
know the issue on the modem in many time. It would be helpful
if rild alone can capture the snapshot of logcat buffers at
the moment of problem.
Change-Id: Ie0dcda126fb748a00e650427de35541672359287
The qemu-props program is launched at boot to read a series of
system property assignments from the emulator and apply them.
This is necessary to deal with the dynamic nature of the emulated
platform (e.g. the screen density which depends on the skin and
cannot be hard-coded in the platform image).
This patch ensures that qemu-props is started before any other
service that may read one of these properties (e.g. surface flinger).
This is done by encapsulating the program into a 'core' service.
Core services are all stared before regular ones.
Before the patch, qemu-props was started manually inside a script
that is called from a late emulator-specific boot service
(goldfish-setup).
The problem was that sometimes qemu-props was run too late.
This resulted in random flakiness, especially when running
on a low-end host machine.
Fix for bug 2161189 (and probably a few others)
Change-Id: I2933a25dcb5fecbb1fc238f157264e621b8f295b
The netfilter xt_qtaguid module uses a misc dev so that processes
that use the module can be tracked.
Every process that does socket tagging must open that dev.
Change-Id: I6af3e0f0180637b14455dd9607724523f142c402
Introduces a 'charger' section that is processed when androidboot.mode
supplied on the kernel commandline is "charger".
In this mode, sections such as fs, post-fs, etc are skipped. Only the
'early-init' and 'init' sections of the init rc files are processed before
processing the 'charger' section.
Change-Id: If9eb6334de18f04cbcf2aab784578e2993615242
Signed-off-by: Dima Zavin <dima@android.com>
The mediaserver needs to do communication on behalf of other apps
(browser, ...).
It needs to be able to tag sockets. The kernel will check for net_bw_acct
group membership.
Change-Id: I7fb063fdb7d9435d7f979df6622ff17f34049cbc
Racoon still needs it after dropping root privilege, or pure IPSec VPN
will fail. Mtpd works without it because net_raw implies inet. However
it would be better to set all of them clearly without the assumption.
Change-Id: I50762af2c25ec9cc559e528c7b14f469494fd553
Removed system from mediaserver groups. Not needed anymore
now that AudioFlinger acquires wake locks via PowerManagerService.
Change-Id: I177b968a0a30557d871188bf3991b96d9b391d3c
VPN no longer uses system properties to keep network parameters.
Besides, profiles are now stored and encrypted by keystore.
Change-Id: I7575f04f350b7d8d5ba7008eb874a72180d057e8
There was a regression caused by a change in Honeycomb that removed
mediaserver process from system group to improve security: This prevents
the audio HAL (which runs in mediaserver process) from taking wake locks
while audio is playing thus causing the pcm stream to get unexpectedly
suspended.
This temporary workaround is just to allow ICS dogfood in better conditions until
a real fix taking into account the security issue is implemented.
Change-Id: Ic19a23da4b4383559188b6f5c3a82604c3d95d74
-- This is needed so the modems (LTE & CDMA) are powered on and running
before unlocking encrypted devices
Change-Id: I842f5286499fd76abc554ded550fb837d12b324e
The adb gadget driver used to reset the USB bus when the adbd daemon exited,
and the host side adb relied on this behavior to force it to reconnect
with the new adbd instance after init relaunches it. The new gadget
drivers no longer automatically reset the USB bus when adbd is restarted
which caused adb to hang since it was no longer forced to reconnect with the
device. We attempted to work around this on the host side adb, but that
work around has not been reliable.
This change adds a property trigger on the service.adb.root system property
which will reset the USB bus and restart the adbd daemon when adbd sets
the property to 1. This should be much closer to the previous behavior
and will hopefully fix some problems with automated testing.
Change-Id: I177c37400009a3d83f21a5f9431f94fd1cc19b9b
Signed-off-by: Mike Lockwood <lockwood@android.com>
frameworks/base
Adding IKeyChainService APIs for CertInstaller and Settings use
keystore/java/android/security/IKeyChainService.aidl
libcore
Improve exceptions to include more information
luni/src/main/java/javax/security/auth/x500/X500Principal.java
Move guts of RootKeyStoreSpi to TrustedCertificateStore, leaving only KeyStoreSpi methods.
Added support for adding user CAs in a separate directory for system.
Added support for removing system CAs by placing a copy in a sytem directory
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/RootKeyStoreSpi.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustedCertificateStore.java
Formerly static methods on RootKeyStoreSpi are now instance methods on TrustedCertificateStore
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java
Added test for NativeCrypto.X509_NAME_hash_old and X509_NAME_hash
to make sure the implementing algorithms doe not change since
TrustedCertificateStore depend on X509_NAME_hash_old (OpenSSL
changed the algorithm from MD5 to SHA1 when moving from 0.9.8 to
1.0.0)
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java
Extensive test of new TrustedCertificateStore behavior
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/TrustedCertificateStoreTest.java
TestKeyStore improvements
- Refactored TestKeyStore to provide simpler createCA method (and
internal createCertificate)
- Cleaned up to remove use of BouncyCastle specific X509Principal
in the TestKeyStore API when the public X500Principal would do.
- Cleaned up TestKeyStore support methods to not throw Exception
to remove need for static blocks for catch clauses in tests.
support/src/test/java/libcore/java/security/TestKeyStore.java
luni/src/test/java/libcore/java/security/KeyStoreTest.java
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java
Added private PKIXParameters contructor for use by
IndexedPKIXParameters to avoid wart of having to lookup and pass
a TrustAnchor to satisfy the super-class sanity check.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/IndexedPKIXParameters.java
luni/src/main/java/java/security/cert/PKIXParameters.java
packages/apps/CertInstaller
Change CertInstaller to call IKeyChainService.installCertificate
for CA certs to pass them to the KeyChainServiceTest which will
make them available to all apps through the
TrustedCertificateStore. Change PKCS12 extraction to use AsyncTask.
src/com/android/certinstaller/CertInstaller.java
Added installCaCertsToKeyChain and hasCaCerts accessor for use by
CertInstaller. Use hasUserCertificate() internally. Cleanup coding
style.
src/com/android/certinstaller/CredentialHelper.java
packages/apps/KeyChain
Added MANAGE_ACCOUNTS so that IKeyChainService.reset
implementation can remove KeyChain accounts.
AndroidManifest.xml
Implement new IKeyChainService methods:
- Added IKeyChainService.installCaCertificate to install certs
provided by CertInstaller using the TrustedCertificateStore.
- Added IKeyChainService.reset to allow Settings to remove the
KeyChain accounts so that any app granted access to keystore
credentials are revoked when the keystore is reset.
src/com/android/keychain/KeyChainService.java
packages/apps/Settings
Changed com.android.credentials.RESET credential reset action to
also call IKeyChainService.reset to remove any installed user CAs
and remove KeyChain accounts to have AccountManager revoke
credential granted to private keys removed during the RESET.
src/com/android/settings/CredentialStorage.java
Added toast text value for failure case
res/values/strings.xml
system/core
Have init create world readable /data/misc/keychain to allow apps
to access user added CA certificates installed by the CertInstaller.
rootdir/init.rc
Change-Id: I768ca8e8e990ff333ce0f7069a0935173498c5ed
Fix for bug 3415286. The persistent properties are normally read early
in the boot process after /data is mounted. However, for an encrypted
system, at that point /data is a tmpfs ramdisk. This change adds a new
command to init (load_persist_props) to read the persistent properties,
and adds an action to init.rc to load the persistent properties. This
action is triggered by setting a property in vold, but that's in a
different CL.
Change-Id: I74b3057974ee6029c29d956b76fef5566700d471
This is to allow OpenGL ES rendering from the system process,
and help with debugging.
Bug: 4086003
Change-Id: I732e95f4fcaa358f430cc195d8e63a69263bffdc
This change forces the start of the RIL daemon used to provide
3G connectivity to the system. It should normally be started
automatically by init.rc but there is a bug within
system/core/init/builtins.c that prevents this to happen.
Fixes the "No network connectivity" bug while the network
interface and route were properly setup.
Change-Id: Ieec0f513aabf92b8a59f0a86f64a16e97057c3c3
Now that rild can be killed in a reasonable amount of time, move it
from the core class to late_start. I was going to move it to main,
but it would get killed and restarted right after the disk crypto
password was entered, which is when the late_start class is started,
and I was seeing issues with rild not re-connecting to the network
when it was killed and restarted.
Change-Id: I60479ddb853953029890fc816538d615ef5a96ab
The net.eth0.gw system property is used by the ConnectivityService
to set the default route when it detects that 3G connectivity is
established. Because the property was undefined, the route was
unset which broke networking.
+ Format / document init.goldfish.sh
Change-Id: I1133cf6c093609300315cd0ea363c9e139b42521
This fixes the goldfish-specific config scripts used by init and ueventd
to properly setup the system under emulation. This fixes a lot of broken-ess
introduced by recent permission changes in the system.
Note that there are still several problems after this patch is applied, but
at least it becomes possible to get an adb connection to the emulated system,
Change-Id: Iff47bbf0fe5cb759fa93089284bb0f71e32405a2
Changes in init.stingray.rc now prevent rild from making sockets
or named pipes on /data. Now that rild no longer prevents /data
from being unmounted, we can put it in the core class, which doesn't
restart when we enable encryption. This speeds up the boot by 20+
seconds.
Change-Id: I737baf804e089f4ddbd664eaa1e675a7bd62e699
Changes in init.stingray.rc now prevent rild from making sockets
or named pipes on /data. Now that rild no longer prevents /data
from being unmounted, we can put it in the core class, which doesn't
restart when we enable encryption. This speeds up the boot by 20+
seconds.
Change-Id: I71c426dab1b725e401116234167d41c7ccd958c1
Since the "usb" group and ACCESS_USB permission will be used by regular apps
to access USB devices in host mode, we need a separate permission for the
device side MTP driver.
Change-Id: Ibb546b8726d61e041fc7c273f71929624ad1575b
Signed-off-by: Mike Lockwood <lockwood@android.com>
This is a dependency for the DNS proxy CLs.
This CL also adds a new socket for the netd process to inherit which
is owned by the inet group. (so only apps with the INTERNET
permission can use the DNS proxy...)
Change-Id: I8a51924e0ed56c6066f77e6f1b02d39bdadac51e
This fixes the goldfish-specific config scripts used by init and ueventd
to properly setup the system under emulation. This fixes a lot of broken-ess
introduced by recent permission changes in the system.
Note that there are still several problems after this patch is applied, but
at least it becomes possible to get an adb connection to the emulated system,
Change-Id: I1e8f5828b4d5cbb3a4338878df875dc718276b38
These are the changes to init and init.rc necessary to
support booting with and encrypted /data filesystem.
A corresponding change to init.<device>.rc goes along
with this change.
Change-Id: I0c7e2cc39568358014a82e317735c0eae14dd683
Ensure that we drop privileges for servicemanager
and drmioserver. These should not be running with
gid=0.
Bug: 3275526
Testing: Applied change and successfully rebooted
the device. No obvious bugs.
Change-Id: I782fbda812cb88e0a365788b45b3b32894623177
This was an inefficient way of doing things and was
temporary. There are now direct calls to Bluez to add reserved
SDP records.
This improves connection time after turning on BT by 6-8 secs.
Change-Id: I8750f44e1de73c9cc935d68710b8964e3f50c3a6
This is a dependency for the DNS proxy CLs.
This CL also adds a new socket for the netd process to inherit which
is owned by the inet group. (so only apps with the INTERNET
permission can use the DNS proxy...)
Change-Id: Ic3475c697913ba85805b4e49801b65e7a1d59289
Merge commit '33357f5477a24cb16bd3dd692fe5ca14755ab033'
* commit '33357f5477a24cb16bd3dd692fe5ca14755ab033':
Make netd restart when system server hangs on it.
Merge commit '6490257d116c35d3da927ee7b91179dde64ef713' into gingerbread-plus-aosp
* commit '6490257d116c35d3da927ee7b91179dde64ef713':
Make netd restart when system server hangs on it.
netd has been seen hanging (cause suspected but unconfirmed)
which then brings down the system server which blocks forever
on its main thread trying to connect to netd with its hung
event loop.
This then results in an infinite watchdog runtime restart loop
because the situation never improves: netd is still borked.
Instead, we should kill netd and give it another chance when
the system server dies.
Bug: 3018996
Bug: 3017876
Change-Id: Ibf9ecf0ffcb78e48c38e5167f21cbeefe0e2a47f
- look in /vendor/firmware/... in addition to /system/etc/firmware/... for firmware loading
- add /vendor/bin to path before /system/bin
- add /vendor/lib to ldpath before /system/lib
- configure appropriate permissions for /system/vendor/bin
- symlink /vendor -> /system/vendor
Change-Id: I0c06ca1e38a44f0c7024cee6cea8907aa93a4532
Merge commit '8df3a4a554184afba71887995c5f0983ce81196f'
* commit '8df3a4a554184afba71887995c5f0983ce81196f':
remount / as read-only only on post-fs to allow per-target config of /
Merge commit '4012c0a46ab2ebdf6a1298bc4e85ed3368d1b8a4' into gingerbread-plus-aosp
* commit '4012c0a46ab2ebdf6a1298bc4e85ed3368d1b8a4':
remount / as read-only only on post-fs to allow per-target config of /
Merge commit 'f2af88e81af5efb2d585963507f798d5a8b93d67' into gingerbread-plus-aosp
* commit 'f2af88e81af5efb2d585963507f798d5a8b93d67':
Tracking merge of dalvik-dev to gingerbread
