DRM server process needs to be able to access movies on sdcard
to acquire rights.
related-to-bug: 6414503
Change-Id: If90404e32fd437b8fb7d5a6ec8dfb30a499ef733
Forward locked apps on internal storage will be stored in ASEC
containers using ext4. This way permissions can be preserved whether on
internal or external storage.
Change-Id: I942f8f0743c210330a11e2b1d0204df7a5ddb2ae
This change adds init.rc steps to allow kernel tracing to support inserting
messages from any userland process.
Change-Id: I01970728d7132a25408fed09a213a015ac05ccaf
With newer Android kernels, anyone can read from the files in
/dev/log. If you're in the logs group (have the READ_LOGS) permission,
you'll see all entries. If you're not in that group, you'll see
log messages associated with your UID.
Relax the permissions on the files in /dev/log/ to allow an application
to read it's own log messages.
Bug: 5748848
Change-Id: Ie740284e96a69567dc73d738117316f938491777
This is part of the multi-project commit to move the filter-framework
from system/media/mca to frameworks/base/media/mca.
Note that the filter-framework will soon be replaced with a refactored
version currently under API review (also to go under frameworks/base).
This move is done now to unblock the PDK efforts.
Change-Id: I87d034a30bb4b98a85a028cb728e37fb97256039
Make the drm server run as UID=drm, GID=drm. This ensures that
any files created by the drmserver app do not have GID=system.
Bug: 5834297
Change-Id: I3409ad350e9cc82bb0982cdbe470ec1f10b1ca67
Android developers should never place files in /data/local/tmp.
Files or directories in /data/local/tmp can be minipulated by the
shell user.
Android developers should never create world-writable files
or directories. This is a common source of security vulnerabilities.
Change-Id: I6d2cd620ab49d8ca3f39282f7d2ed682a9ba91c3
The keystore service needs to access hardware crypto devices to
fulfill its function on devices with hardware crypto. This role
was assigned to the (now misnamed) drmrpc group.
Change-Id: Ia32f9e96b4372f0974984451680f9a0f6157aa01
CVE-2011-3918: Address denial of service attack against Android's
zygote process. This change enforces that only UID=system can
directly connect to zygote to spawn processes.
Change-Id: I89f5f05fa44ba8582920b66854df3e79527ae067
This removes the hardcoding of the file import in init and instead
allows the init.rc file to fully control what is loaded.
Change-Id: I933e5bbab57f1e8705a370d660f92c6508da94d2
Signed-off-by: Dima Zavin <dima@android.com>
This removes the hardcoding of the file import in init and instead
allows the init.rc file to fully control what is loaded.
Change-Id: I933e5bbab57f1e8705a370d660f92c6508da94d2
Signed-off-by: Dima Zavin <dima@android.com>
Set dmesg_restrict to 1 to help limit inadvertent information leaks
from the kernel to non-privileged programs. Root and programs with
CAP_SYSLOG will continue to have access to dmesg output.
See "dmesg_restrict" in Documentation/sysctl/kernel.txt from the
Linux kernel source code.
Bug: 5585365
Change-Id: Iffcf060ea4bd446ab9acf62b8b61d315d4ec4633
Otherwise, ueventd's oom_adj value would have been 0 and it could
easily get killed early during low memory events
Change-Id: I1adbd18c37215b26ae77e70f7b8dbd1e143fc2d4
Signed-off-by: Dima Zavin <dima@android.com>
To make writing kernel exploits harder, set /proc/sys/kernel/kptr_restrict
to "2". This prohibits users from accessing kernel symbols via /proc/kallsyms
Bug: 5555668
Change-Id: Ib31cb6fcb4d212a0b570ce9e73ae31f721ed801b
