diff --git a/fs_mgr/libsnapshot/snapuserd/snapuserd.rc b/fs_mgr/libsnapshot/snapuserd/snapuserd.rc
index 522fe08ec7a2..31d29acc16d9 100644
--- a/fs_mgr/libsnapshot/snapuserd/snapuserd.rc
+++ b/fs_mgr/libsnapshot/snapuserd/snapuserd.rc
@@ -4,7 +4,7 @@ service snapuserd /system/bin/snapuserd
 disabled
 user root
 group root system
- task_profiles OtaProfiles
+ task_profiles MaxIoPriority MaxPerformance ProcessCapacityMax
 seclabel u:r:snapuserd:s0
 
 service snapuserd_proxy /system/bin/snapuserd -socket-handoff
diff --git a/init/first_stage_init.cpp b/init/first_stage_init.cpp
index 107e99a31554..24f8220afd9a 100644
--- a/init/first_stage_init.cpp
+++ b/init/first_stage_init.cpp
@@ -243,9 +243,9 @@ int FirstStageMain(int argc, char** argv) {
 CHECKCALL(mkdir("/dev/pts", 0755));
 CHECKCALL(mkdir("/dev/socket", 0755));
 CHECKCALL(mkdir("/dev/dm-user", 0755));
- CHECKCALL(mount("devpts", "/dev/pts", "devpts", 0, NULL));
+ CHECKCALL(mount("devpts", "/dev/pts", "devpts", MS_NOSUID|MS_NOEXEC, NULL));
 #define MAKE_STR(x) __STRING(x)
- CHECKCALL(mount("proc", "/proc", "proc", 0, "hidepid=2,gid=" MAKE_STR(AID_READPROC)));
+ CHECKCALL(mount("proc", "/proc", "proc", MS_NOSUID|MS_NODEV|MS_NOEXEC, "hidepid=2,gid=" MAKE_STR(AID_READPROC)));
 #undef MAKE_STR
 // Don't expose the raw commandline to unprivileged processes.
 CHECKCALL(chmod("/proc/cmdline", 0440));
@@ -257,7 +257,7 @@ int FirstStageMain(int argc, char** argv) {
 android::base::ReadFileToString("/proc/bootconfig", &bootconfig);
 gid_t groups[] = {AID_READPROC};
 CHECKCALL(setgroups(arraysize(groups), groups));
- CHECKCALL(mount("sysfs", "/sys", "sysfs", 0, NULL));
+ CHECKCALL(mount("sysfs", "/sys", "sysfs", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL));
 CHECKCALL(mount("selinuxfs", "/sys/fs/selinux", "selinuxfs", 0, NULL));
 
 CHECKCALL(mknod("/dev/kmsg", S_IFCHR | 0600, makedev(1, 11)));
diff --git a/init/property_service.cpp b/init/property_service.cpp
index 8da69822ccb9..7e2fedce1f17 100644
--- a/init/property_service.cpp
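Review bot: The new flag expressions in the devpts and proc mount calls are written as `MS_NOSUID|MS_NOEXEC` with no spaces around `|`, which differs from the `S_IFCHR | 0600` spelling used by the mknod call a few lines further down, and the proc line now runs well past 100 columns. Suggest `MS_NOSUID | MS_NODEV | MS_NOEXEC` and wrapping the proc call after the flags argument so clang-format accepts it. It is also worth recording why devpts gets only nosuid/noexec: it exposes pty slaves as character devices, so adding `MS_NODEV` there would presumably break opening them; a comment such as `// devpts must stay without MS_NODEV: it provides the pty slave device nodes.` keeps the next reader from "fixing" it. FirstStageMain continues outside the hunk.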
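Review bot: The selinuxfs mount directly below the changed sysfs line keeps flags `0`, so it is now the only pseudo-filesystem in view that is still mounted without nosuid/nodev/noexec. selinuxfs carries neither device nodes nor executables, so `CHECKCALL(mount("selinuxfs", "/sys/fs/selinux", "selinuxfs", MS_NOSUID | MS_NODEV | MS_NOEXEC, NULL));` looks safe, but it deserves a test boot because the policy load path reads from it. If it is deliberately left alone, a one-line comment saying so would answer the question for the next reviewer. FirstStageMain starts and ends outside the hunk.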
+++ b/init/property_service.cpp
@@ -1402,6 +1402,10 @@ static void HandleInitSocket() {
 // Read persistent properties after all default values have been loaded.
 auto persistent_properties = LoadPersistentProperties();
 for (const auto& persistent_property_record : persistent_properties.properties()) {
+ if (persistent_property_record.name() == "persist.adb.tls_server.enable") {
+ continue;
+ }
+
 InitPropertySet(persistent_property_record.name(), persistent_property_record.value());
 }
 
diff --git a/rootdir/init.rc b/rootdir/init.rc
index 7da264611d94..e864ed7e7712 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -303,6 +303,14 @@ on init
 write /proc/sys/kernel/hung_task_timeout_secs 0
 write /proc/cpu/alignment 4
 
+ write /proc/sys/fs/protected_hardlinks 1
+ write /proc/sys/fs/protected_symlinks 1
+
+ write /proc/sys/fs/protected_fifos 2
+ write /proc/sys/fs/protected_regular 2
+
+ write /proc/sys/dev/tty/ldisc_autoload 0
+
 # scheduler tunables
 # Disable auto-scaling of scheduler tunables with hotplug. The tunables
 # will vary across devices in unpredictable ways if allowed to scale with
@@ -1132,6 +1140,8 @@ on boot
 symlink /sys/class/block/${dev.mnt.dev.data} /dev/sys/block/by-name/userdata
 symlink /sys/class/block/${dev.mnt.rootdisk.data} /dev/sys/block/by-name/rootdisk
 
+ write /proc/sys/vm/max_map_count 1048576
+
 # F2FS tuning. Set cp_interval larger than dirty_expire_centisecs, 30 secs,
 # to avoid power consumption when system becomes mostly idle. Be careful
 # to make it too large, since it may bring userdata loss, if they
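Review bot: The new skip in the persistent-property loop hard-codes `"persist.adb.tls_server.enable"` as a bare literal with no explanation of why this one record is dropped, and the drop is silent. Suggest hoisting the name into a named constant beside the other property-name constants and adding a comment above the `if`, e.g. `// Intentionally not restored across reboots; see <bug id>` — the reason is presumably to keep wireless debugging from re-enabling itself at boot, but that is inferred, not stated anywhere in the hunk. A `LOG(INFO)` when the record is skipped would make the omission visible in the boot log rather than leaving a persisted value that never appears. HandleInitSocket starts and ends outside the hunk.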
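Review bot: The new sysctl writes under `on init` carry no comment, unlike the scheduler tunables right below them, and two of the knobs are newer than the protected_{hard,sym}links pair: `fs.protected_fifos`/`fs.protected_regular` and `dev.tty.ldisc_autoload` exist only on more recent kernels, where a missing file makes init log a write failure and carry on. Suggest a short header comment, e.g. `# Restrict link/FIFO/regular-file following in sticky world-writable dirs (fs.protected_*) and block unprivileged tty line-discipline module autoload.`, and a check that the supported kernel baseline has all five entries so the log noise is not mistaken for a real failure.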
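Review bot: `write /proc/sys/vm/max_map_count 1048576` sits between the block-device symlinks and the F2FS tuning with no comment, and it is a resource-limit change rather than the hardening the rest of the commit does. The value is roughly 16x the kernel default of 65530, which is a large step to take silently; a one-line comment naming the workload that needed it, e.g. `# Raised from the kernel default for <reason>`, and ideally a separate commit would make it easier to bisect if it ever misbehaves.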
@@ -1242,6 +1252,18 @@ on property:perf.drop_caches=3
 on property:net.tcp_def_init_rwnd=*
 write /proc/sys/net/ipv4/tcp_default_init_rwnd ${net.tcp_def_init_rwnd}
 
+on property:persist.security.deny_new_usb=disabled
+ write /proc/sys/kernel/deny_new_usb 0
+
+on property:persist.security.deny_new_usb=enabled
+ write /proc/sys/kernel/deny_new_usb 1
+
+on property:persist.security.deny_new_usb=dynamic
+ write /proc/sys/kernel/deny_new_usb 1
+
+on property:security.deny_new_usb=*
+ write /proc/sys/kernel/deny_new_usb ${security.deny_new_usb}
+
 # perf_event_open syscall security:
 # Newer kernels have the ability to control the use of the syscall via SELinux
 # hooks. init tests for this, and sets sys_init.perf_lsm_hooks to 1 if the
diff --git a/rootdir/init.zygote32.rc b/rootdir/init.zygote32.rc
index 2f0ec8a17d4c..edcb79804378 100644
--- a/rootdir/init.zygote32.rc
+++ b/rootdir/init.zygote32.rc
@@ -3,6 +3,7 @@ service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-sys
 priority -20
 user root
 group root readproc reserved_disk
+ rlimit nofile 32768 262144
 socket zygote stream 660 root system
 socket usap_pool_primary stream 660 root system
 onrestart exec_background - system system -- /system/bin/vdc volume abort_fuse
diff --git a/rootdir/init.zygote64.rc b/rootdir/init.zygote64.rc
index 74a64c80f465..99f5f1cae18e 100644
--- a/rootdir/init.zygote64.rc
+++ b/rootdir/init.zygote64.rc
@@ -3,6 +3,7 @@ service zygote /system/bin/app_process64 -Xzygote /system/bin --zygote --start-s
 priority -20
 user root
 group root readproc reserved_disk
+ rlimit nofile 32768 262144
 socket zygote stream 660 root system
 socket usap_pool_primary stream 660 root system
 onrestart exec_background - system system -- /system/bin/vdc volume abort_fuse
diff --git a/rootdir/init.zygote64_32.rc b/rootdir/init.zygote64_32.rc
index 109bf6c65cb2..0582905d130c 100644
--- a/rootdir/init.zygote64_32.rc
+++ b/rootdir/init.zygote64_32.rc
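Review bot: The `on property:security.deny_new_usb=*` trigger copies the property value into the sysctl unconditionally, so it is not gated on the persist mode: any process permitted to set that property flips the kernel knob even while `persist.security.deny_new_usb` is `enabled` or `disabled`. If the runtime override is meant only for the `dynamic` mode, say so in the trigger, e.g. `on property:persist.security.deny_new_usb=dynamic && property:security.deny_new_usb=*`. Which domains may set `security.deny_new_usb` is decided by property_contexts and SELinux policy, neither of which is in this diff, and that restriction is what the knob's effectiveness rests on, so the note should cross-reference it. As far as I know `kernel.deny_new_usb` is not an upstream sysctl, so on a kernel without it these writes will just fail in the log.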
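Review bot: `rlimit nofile 32768 262144` is added to the zygote service without a comment, and because zygote forks every app the raised soft and hard limits are inherited by all app processes, so this is effectively a system-wide per-app file-descriptor ceiling rather than a zygote-only tweak; the same line lands in init.zygote64.rc and init.zygote64_32.rc. A comment giving the motivation and why the hard limit needs to move to 262144 rather than just the soft limit, e.g. `# Inherited by every app process; raised for <reason>.`, would let the next reader judge whether it is still needed.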
@@ -5,6 +5,7 @@ service zygote_secondary /system/bin/app_process32 -Xzygote /system/bin --zygote
 priority -20
 user root
 group root readproc reserved_disk
+ rlimit nofile 32768 262144
 socket zygote_secondary stream 660 root system
 socket usap_pool_secondary stream 660 root system
 onrestart restart zygote