diff options
Diffstat (limited to 'rootdir')
| -rw-r--r-- | rootdir/etc/init.goldfish.rc | 2 | ||||
| -rw-r--r-- | rootdir/init.rc | 59 | ||||
| -rw-r--r-- | rootdir/init.trace.rc | 2 | ||||
| -rw-r--r-- | rootdir/init.usb.rc | 1 | ||||
| -rw-r--r-- | rootdir/ueventd.rc | 3 |
5 files changed, 44 insertions, 23 deletions
diff --git a/rootdir/etc/init.goldfish.rc b/rootdir/etc/init.goldfish.rc index cde9dee..a0c1c4f 100644 --- a/rootdir/etc/init.goldfish.rc +++ b/rootdir/etc/init.goldfish.rc @@ -5,7 +5,7 @@ on early-init symlink /mnt/sdcard /sdcard on boot - setsebool in_qemu=1 + setsebool in_qemu 1 restorecon /sys/qemu_trace/process_name restorecon /sys/qemu_trace/state restorecon /sys/qemu_trace/symbol diff --git a/rootdir/init.rc b/rootdir/init.rc index fb52486..0784c63 100644 --- a/rootdir/init.rc +++ b/rootdir/init.rc @@ -4,8 +4,8 @@ # This is a common source of Android security bugs. # -import /init.${ro.hardware}.rc import /init.usb.rc +import /init.${ro.hardware}.rc import /init.trace.rc on early-init @@ -34,6 +34,7 @@ loglevel 3 export ANDROID_ROOT /system export ANDROID_ASSETS /system/app export ANDROID_DATA /data + export ANDROID_STORAGE /storage export ASEC_MOUNTPOINT /mnt/asec export LOOP_MOUNTPOINT /mnt/obb export BOOTCLASSPATH /system/framework/core.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/telephony-common.jar:/system/framework/mms-common.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/apache-xml.jar @@ -56,8 +57,14 @@ loglevel 3 mkdir /cache 0770 system cache mkdir /config 0500 root root + # See storage config details at http://source.android.com/tech/storage/ + mkdir /mnt/shell 0700 shell shell + mkdir /storage 0050 root sdcard_r + # Directory for putting things only root should see. mkdir /mnt/secure 0700 root root + # Create private mountpoint so we can MS_MOVE from staging + mount tmpfs tmpfs /mnt/secure mode=0700,uid=0,gid=0 # Directory for staging bindmounts mkdir /mnt/secure/staging 0700 root root @@ -85,6 +92,7 @@ loglevel 3 write /proc/sys/kernel/kptr_restrict 2 write /proc/sys/kernel/dmesg_restrict 1 write /proc/sys/vm/mmap_min_addr 32768 + write /proc/sys/net/ipv4/ping_group_range "0 2147483647" write /proc/sys/kernel/sched_rt_runtime_us 950000 write /proc/sys/kernel/sched_rt_period_us 1000000 @@ -113,6 +121,12 @@ loglevel 3 write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000 write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000 +# qtaguid will limit access to specific data based on group memberships. +# net_bw_acct grants impersonation of socket owners. +# net_bw_stats grants access to other apps' detailed tagged-socket stats. + chown root net_bw_acct /proc/net/xt_qtaguid/ctrl + chown root net_bw_stats /proc/net/xt_qtaguid/stats + # Allow everybody to read the xt_qtaguid resource tracking misc dev. # This is needed by any process that uses socket tagging. chmod 0644 /dev/xt_qtaguid @@ -128,6 +142,9 @@ on fs on post-fs # once everything is setup, no need to modify / mount rootfs rootfs / ro remount + # mount shared so changes propagate into child namespaces + mount rootfs rootfs / shared rec + mount tmpfs tmpfs /mnt/secure private rec # We chown/chmod /cache again so because mount is run as root + defaults chown system cache /cache @@ -145,11 +162,16 @@ on post-fs chown root log /proc/vmallocinfo chmod 0440 /proc/vmallocinfo + chown root log /proc/slabinfo + chmod 0440 /proc/slabinfo + #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks chown root system /proc/kmsg chmod 0440 /proc/kmsg chown root system /proc/sysrq-trigger chmod 0220 /proc/sysrq-trigger + chown system log /proc/last_kmsg + chmod 0440 /proc/last_kmsg # create the lost+found directories, so as to enforce our permissions mkdir /cache/lost+found 0770 root root @@ -179,10 +201,13 @@ on post-fs-data # create basic filesystem structure mkdir /data/misc 01771 system misc - mkdir /data/misc/bluetoothd 0770 bluetooth bluetooth + mkdir /data/misc/adb 02750 system shell + mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack mkdir /data/misc/bluetooth 0770 system system mkdir /data/misc/keystore 0700 keystore keystore mkdir /data/misc/keychain 0771 system system + mkdir /data/misc/sms 0770 system radio + mkdir /data/misc/zoneinfo 0775 system system mkdir /data/misc/vpn 0770 system vpn mkdir /data/misc/systemkeys 0700 system system # give system access to wpa_supplicant.conf for backup and restore @@ -196,6 +221,7 @@ on post-fs-data mkdir /data/data 0771 system system mkdir /data/app-private 0771 system system mkdir /data/app-asec 0700 root root + mkdir /data/app-lib 0771 system system mkdir /data/app 0771 system system mkdir /data/property 0700 root root mkdir /data/ssh 0750 root shell @@ -216,6 +242,9 @@ on post-fs-data # the following directory. mkdir /data/drm 0770 drm drm + # Separate location for storing security policy files on data + mkdir /data/security 0700 system system + # If there is no fs-post-data action in the init.<device>.rc file, you # must uncomment this line, otherwise encrypted filesystems # won't work. @@ -251,6 +280,7 @@ on boot chown radio system /sys/android_power/acquire_full_wake_lock chown radio system /sys/android_power/acquire_partial_wake_lock chown radio system /sys/android_power/release_wake_lock + chown system system /sys/power/autosleep chown system system /sys/power/state chown system system /sys/power/wakeup_count chown radio system /sys/power/wake_lock @@ -274,6 +304,8 @@ on boot chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost + chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration + chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration # Assume SMP uses shared cpufreq policy for all CPUs chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq @@ -376,6 +408,7 @@ on property:ro.debuggable=1 # adbd is controlled via property triggers in init.<platform>.usb.rc service adbd /sbin/adbd class core + socket adbd stream 660 system system disabled seclabel u:r:adbd:s0 @@ -412,12 +445,12 @@ service ril-daemon /system/bin/rild socket rild stream 660 root radio socket rild-debug stream 660 radio system user root - group radio cache inet misc audio sdcard_rw log + group radio cache inet misc audio log service surfaceflinger /system/bin/surfaceflinger class main user system - group graphics + group graphics drmrpc onrestart restart zygote service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server @@ -431,7 +464,7 @@ service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-sys service drm /system/bin/drmserver class main user drm - group drm system inet drmrpc sdcard_r + group drm system inet drmrpc service media /system/bin/mediaserver class main @@ -446,21 +479,6 @@ service bootanim /system/bin/bootanimation disabled oneshot -service dbus /system/bin/dbus-daemon --system --nofork - class main - socket dbus stream 660 bluetooth bluetooth - user bluetooth - group bluetooth net_bt_admin - -service bluetoothd /system/bin/bluetoothd -n - class main - socket bluetooth stream 660 bluetooth bluetooth - socket dbus_bluetooth stream 660 bluetooth bluetooth - # init.rc does not yet support applying capabilities, so run as root and - # let bluetoothd drop uid to bluetooth with the right linux capabilities - group bluetooth net_bt_admin misc - disabled - service installd /system/bin/installd class main socket installd stream 600 system system @@ -489,7 +507,6 @@ service keystore /system/bin/keystore /data/misc/keystore class main user keystore group keystore drmrpc - socket keystore stream 666 service dumpstate /system/bin/dumpstate -s class main diff --git a/rootdir/init.trace.rc b/rootdir/init.trace.rc index 1d114f5..8a05fd0 100644 --- a/rootdir/init.trace.rc +++ b/rootdir/init.trace.rc @@ -13,6 +13,7 @@ on boot chown root shell /sys/kernel/debug/tracing/events/sched/sched_wakeup/enable chown root shell /sys/kernel/debug/tracing/events/power/cpu_frequency/enable chown root shell /sys/kernel/debug/tracing/events/power/cpu_idle/enable + chown root shell /sys/kernel/debug/tracing/events/power/clock_set_rate/enable chown root shell /sys/kernel/debug/tracing/events/cpufreq_interactive/enable chown root shell /sys/kernel/debug/tracing/tracing_on @@ -23,6 +24,7 @@ on boot chmod 0664 /sys/kernel/debug/tracing/events/sched/sched_wakeup/enable chmod 0664 /sys/kernel/debug/tracing/events/power/cpu_frequency/enable chmod 0664 /sys/kernel/debug/tracing/events/power/cpu_idle/enable + chmod 0664 /sys/kernel/debug/tracing/events/power/clock_set_rate/enable chmod 0664 /sys/kernel/debug/tracing/events/cpufreq_interactive/enable chmod 0664 /sys/kernel/debug/tracing/tracing_on diff --git a/rootdir/init.usb.rc b/rootdir/init.usb.rc index 15467cc..f37b630 100644 --- a/rootdir/init.usb.rc +++ b/rootdir/init.usb.rc @@ -88,4 +88,5 @@ on property:sys.usb.config=accessory,audio_source,adb # Used to set USB configuration at boot and to switch the configuration # when changing the default configuration on property:persist.sys.usb.config=* + setprop sys.usb.config none setprop sys.usb.config ${persist.sys.usb.config} diff --git a/rootdir/ueventd.rc b/rootdir/ueventd.rc index c1fca00..2cf0265 100644 --- a/rootdir/ueventd.rc +++ b/rootdir/ueventd.rc @@ -27,7 +27,8 @@ /dev/android_adb 0660 adb adb /dev/android_adb_enable 0660 adb adb /dev/ttyMSM0 0600 bluetooth bluetooth -/dev/uinput 0660 system bluetooth +/dev/uhid 0660 system net_bt_stack +/dev/uinput 0660 system net_bt_stack /dev/alarm 0664 system radio /dev/tty0 0660 root system /dev/graphics/* 0660 root graphics |