From d31e8009c8303f7b56779dac996f4f6ff3c6f4bc Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Thu, 13 Dec 2018 09:26:25 -0500
Subject: [PATCH 1/9] increase max_map_count for hardened malloc
Signed-off-by: anupritaisno1
---
 rootdir/init.rc | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/rootdir/init.rc b/rootdir/init.rc
index 7da264611d94..1709ffef237f 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -1132,6 +1132,8 @@ on boot
 symlink /sys/class/block/${dev.mnt.dev.data} /dev/sys/block/by-name/userdata
 symlink /sys/class/block/${dev.mnt.rootdisk.data} /dev/sys/block/by-name/rootdisk
+ write /proc/sys/vm/max_map_count 1048576
+
 # F2FS tuning. Set cp_interval larger than dirty_expire_centisecs, 30 secs,
 # to avoid power consumption when system becomes mostly idle. Be careful
 # to make it too large, since it may bring userdata loss, if they
From 76973b97204f67a99cf54c2defefa15b18456d75 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Fri, 6 Feb 2015 11:46:34 -0500
Subject: [PATCH 2/9] tighten up mount permissions
Signed-off-by: anupritaisno1
---
 init/first_stage_init.cpp | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/init/first_stage_init.cpp b/init/first_stage_init.cpp
index 107e99a31554..24f8220afd9a 100644
--- a/init/first_stage_init.cpp
+++ b/init/first_stage_init.cpp
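Review bot: The added `write /proc/sys/vm/max_map_count 1048576` is the only uncommented tunable in this stretch of `on boot`, and nothing in the file says why a hardening series needs a one-million-mapping ceiling; add `# hardened_malloc surrounds allocations with guard pages, so processes hold far more mappings than the kernel default allows` above it. It is also worth recording that this is a per-process ceiling rather than a reservation, so the trade-off is how much kernel VMA memory one process may consume. The other sysctl hardening in this series goes into `on init`; if any service started before `on boot` is linked against hardened_malloc, this line belongs there too, which I can't tell from the hunk alone.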
@@ -243,9 +243,9 @@ int FirstStageMain(int argc, char** argv) {
 CHECKCALL(mkdir("/dev/pts", 0755));
 CHECKCALL(mkdir("/dev/socket", 0755));
 CHECKCALL(mkdir("/dev/dm-user", 0755));
- CHECKCALL(mount("devpts", "/dev/pts", "devpts", 0, NULL));
+ CHECKCALL(mount("devpts", "/dev/pts", "devpts", MS_NOSUID|MS_NOEXEC, NULL));
 #define MAKE_STR(x) __STRING(x)
- CHECKCALL(mount("proc", "/proc", "proc", 0, "hidepid=2,gid=" MAKE_STR(AID_READPROC)));
+ CHECKCALL(mount("proc", "/proc", "proc", MS_NOSUID|MS_NODEV|MS_NOEXEC, "hidepid=2,gid=" MAKE_STR(AID_READPROC)));
 #undef MAKE_STR
 // Don't expose the raw commandline to unprivileged processes.
 CHECKCALL(chmod("/proc/cmdline", 0440));
@@ -257,7 +257,7 @@ int FirstStageMain(int argc, char** argv) {
 android::base::ReadFileToString("/proc/bootconfig", &bootconfig);
 gid_t groups[] = {AID_READPROC};
 CHECKCALL(setgroups(arraysize(groups), groups));
- CHECKCALL(mount("sysfs", "/sys", "sysfs", 0, NULL));
+ CHECKCALL(mount("sysfs", "/sys", "sysfs", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL));
 CHECKCALL(mount("selinuxfs", "/sys/fs/selinux", "selinuxfs", 0, NULL));
 CHECKCALL(mknod("/dev/kmsg", S_IFCHR | 0600, makedev(1, 11)));
From c02999045c24a12698e055f13fa85a6e60149481 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Wed, 15 Jun 2016 17:51:42 -0400
Subject: [PATCH 3/9] add properties for controlling deny_new_usb
Signed-off-by: anupritaisno1
---
 rootdir/init.rc | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/rootdir/init.rc b/rootdir/init.rc
index 1709ffef237f..0e37dac04381 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
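Review bot: The deliberate asymmetry on the new devpts line — `MS_NOSUID|MS_NOEXEC` without `MS_NODEV`, while proc two lines below gets all three — is not explained, and a later tidy-up that adds `MS_NODEV` for symmetry would break every pty on the device. A comment above the devpts mount such as `// devpts holds the pty slave device nodes, so it cannot be MS_NODEV; proc and sysfs get nosuid,nodev,noexec.` pins the intent. FirstStageMain starts and ends outside this hunk.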
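Review bot: The selinuxfs mount on the context line right after the new sysfs line still passes `0`, leaving it the one filesystem in this function without `MS_NOSUID|MS_NODEV|MS_NOEXEC`; selinuxfs exposes only policy and control pseudo-files, so `CHECKCALL(mount("selinuxfs", "/sys/fs/selinux", "selinuxfs", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL));` should be safe and keeps the change consistent. If there is a reason to leave it alone, a one-line comment saying so would stop the next reviewer asking the same question. FirstStageMain continues outside this hunk.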
@@ -1244,6 +1244,18 @@ on property:perf.drop_caches=3
 on property:net.tcp_def_init_rwnd=*
 write /proc/sys/net/ipv4/tcp_default_init_rwnd ${net.tcp_def_init_rwnd}
+on property:persist.security.deny_new_usb=disabled
+ write /proc/sys/kernel/deny_new_usb 0
+
+on property:persist.security.deny_new_usb=enabled
+ write /proc/sys/kernel/deny_new_usb 1
+
+on property:persist.security.deny_new_usb=dynamic
+ write /proc/sys/kernel/deny_new_usb 1
+
+on property:security.deny_new_usb=*
+ write /proc/sys/kernel/deny_new_usb ${security.deny_new_usb}
+
 # perf_event_open syscall security:
 # Newer kernels have the ability to control the use of the syscall via SELinux
 # hooks. init tests for this, and sets sys_init.perf_lsm_hooks to 1 if the
From cfd53436181b64f9e08d92de25b35cfbf5f23774 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Tue, 16 Jul 2019 14:49:29 -0400
Subject: [PATCH 4/9] enable kernel mitigations for link races
Signed-off-by: anupritaisno1
---
 rootdir/init.rc | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/rootdir/init.rc b/rootdir/init.rc
index 0e37dac04381..0863971c5151 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -303,6 +303,9 @@ on init
 write /proc/sys/kernel/hung_task_timeout_secs 0
 write /proc/cpu/alignment 4
+ write /proc/sys/fs/protected_hardlinks 1
+ write /proc/sys/fs/protected_symlinks 1
+
 # scheduler tunables
 # Disable auto-scaling of scheduler tunables with hotplug. The tunables
 # will vary across devices in unpredictable ways if allowed to scale with
From 9ac2897571ac0883eaa974f0be702eb135a161b5 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Tue, 16 Jul 2019 14:54:28 -0400
Subject: [PATCH 5/9] enable kernel mitigations for file spoofing
Signed-off-by: anupritaisno1
---
 rootdir/init.rc | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/rootdir/init.rc b/rootdir/init.rc
index 0863971c5151..1a1bfbe58949 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
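Review bot: `on property:security.deny_new_usb=*` forwards the raw property value into `/proc/sys/kernel/deny_new_usb`, so whoever SELinux lets set that property (the property contexts are not part of this patch) can hand the sysctl arbitrary text, and the wildcard trigger takes bare numbers where the three persist triggers above use `enabled`/`disabled`/`dynamic`. Replacing the wildcard with one trigger per accepted value limits the sysctl to the two values it is meant to take and makes the runtime override read like the persistent policy. The kernel presumably rejects anything other than 0/1 anyway, but enforcing it in init keeps the policy legible and avoids a logged write failure for every bad value.
```rc
on property:security.deny_new_usb=0
    write /proc/sys/kernel/deny_new_usb 0

on property:security.deny_new_usb=1
    write /proc/sys/kernel/deny_new_usb 1
```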
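Review bot: The two new `protected_hardlinks`/`protected_symlinks` writes carry no comment in an `on init` block where the surrounding tunables are explained, and the commit title ("link races") is the only hint at what they mitigate. Suggest `# Mitigate symlink-following and hardlink-creation races in world-writable sticky directories (fs.protected_symlinks / fs.protected_hardlinks)` above them. Note that init's `write` to a sysctl the running kernel does not expose only logs an error, so on a kernel lacking these the mitigation silently disappears rather than failing boot; worth a sentence in the commit message if several kernels are targeted.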
@@ -306,6 +306,9 @@ on init
 write /proc/sys/fs/protected_hardlinks 1
 write /proc/sys/fs/protected_symlinks 1
+ write /proc/sys/fs/protected_fifos 2
+ write /proc/sys/fs/protected_regular 2
+
 # scheduler tunables
 # Disable auto-scaling of scheduler tunables with hotplug. The tunables
 # will vary across devices in unpredictable ways if allowed to scale with
From a2e6976eb942784e0624527cc0e020dc3a3d3db3 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Tue, 25 Oct 2022 17:34:01 -0400
Subject: [PATCH 6/9] disable ldisc_autoload
---
 rootdir/init.rc | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/rootdir/init.rc b/rootdir/init.rc
index 1a1bfbe58949..e864ed7e7712 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -309,6 +309,8 @@ on init
 write /proc/sys/fs/protected_fifos 2
 write /proc/sys/fs/protected_regular 2
+ write /proc/sys/dev/tty/ldisc_autoload 0
+
 # scheduler tunables
 # Disable auto-scaling of scheduler tunables with hotplug. The tunables
 # will vary across devices in unpredictable ways if allowed to scale with
From 69ae2027d0ac1775459b5d54cc19ce40ad3675b4 Mon Sep 17 00:00:00 2001
From: Dmitry Muhomor
Date: Tue, 12 Dec 2023 18:08:55 +0200
Subject: [PATCH 7/9] raise max RLIMIT_NOFILE for zygote from 32K to 256K
---
 rootdir/init.zygote32.rc | 1 +
 rootdir/init.zygote64.rc | 1 +
 rootdir/init.zygote64_32.rc | 1 +
 3 files changed, 3 insertions(+)
diff --git a/rootdir/init.zygote32.rc b/rootdir/init.zygote32.rc
index 2f0ec8a17d4c..edcb79804378 100644
--- a/rootdir/init.zygote32.rc
+++ b/rootdir/init.zygote32.rc
@@ -3,6 +3,7 @@ service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-sys
 priority -20
 user root
 group root readproc reserved_disk
+ rlimit nofile 32768 262144
 socket zygote stream 660 root system
 socket usap_pool_primary stream 660 root system
 onrestart exec_background - system system -- /system/bin/vdc volume abort_fuse
diff --git a/rootdir/init.zygote64.rc b/rootdir/init.zygote64.rc
index 74a64c80f465..99f5f1cae18e 100644
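Review bot: `protected_fifos` and `protected_regular` are set to 2 while the link sysctls directly above use 1, and nothing says why the value differs: at 1 the O_CREAT restriction covers only world-writable sticky directories, at 2 also group-writable ones. A comment such as `# 2 = also refuse O_CREAT opens of FIFOs/regular files owned by another uid in group-writable sticky dirs` makes the choice reviewable. Worth confirming that no platform daemon opens another uid's FIFO or file in a group-writable sticky directory, since that open is now refused.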
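Review bot: `write /proc/sys/dev/tty/ldisc_autoload 0` needs a why-comment like its neighbours: `# Don't let an unprivileged TIOCSETD autoload line-discipline modules; only CAP_SYS_MODULE can load them now`. The sysctl only exists on kernels built with the matching option, and init's `write` merely logs when the path is missing, so if this series targets several kernels the commit message should say which ones actually honour it.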
--- a/rootdir/init.zygote64.rc
+++ b/rootdir/init.zygote64.rc
@@ -3,6 +3,7 @@ service zygote /system/bin/app_process64 -Xzygote /system/bin --zygote --start-s
 priority -20
 user root
 group root readproc reserved_disk
+ rlimit nofile 32768 262144
 socket zygote stream 660 root system
 socket usap_pool_primary stream 660 root system
 onrestart exec_background - system system -- /system/bin/vdc volume abort_fuse
diff --git a/rootdir/init.zygote64_32.rc b/rootdir/init.zygote64_32.rc
index 109bf6c65cb2..0582905d130c 100644
--- a/rootdir/init.zygote64_32.rc
+++ b/rootdir/init.zygote64_32.rc
@@ -5,6 +5,7 @@ service zygote_secondary /system/bin/app_process32 -Xzygote /system/bin --zygote
 priority -20
 user root
 group root readproc reserved_disk
+ rlimit nofile 32768 262144
 socket zygote_secondary stream 660 root system
 socket usap_pool_secondary stream 660 root system
 onrestart restart zygote
From 69e57ec7e0726557662795422c62e1b9034b8e61 Mon Sep 17 00:00:00 2001
From: Dmitry Muhomor
Date: Sun, 3 Dec 2023 17:36:48 +0200
Subject: [PATCH 8/9] make persist.adb.tls_server.enable system property non-persistent
persist.adb.tls_server.enable sysprop enables persistent network ADB, which severely weakens verified boot. Network ADB is disabled after each reboot by the system_server, but in a fragile way, see frameworks/base/services/core/java/com/android/server/adb/AdbService.java It's not clear whether this system_server behavior is intentional.
---
 init/property_service.cpp | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/init/property_service.cpp b/init/property_service.cpp
index 8da69822ccb9..7e2fedce1f17 100644
--- a/init/property_service.cpp
+++ b/init/property_service.cpp
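Review bot: The new `rlimit nofile 32768 262144` raises only the hard limit — the soft limit stays at 32768, so a process must call setrlimit itself to use more — and that is exactly the detail the commit title ("from 32K to 256K") hides; a comment `# soft limit unchanged; hard limit raised so processes that need it can setrlimit() up to 256K` on each of the three identical rc lines would make it clear. Every app forked from zygote inherits the hard limit, so the cost is that a single app can now pin roughly eight times as many open file objects as before. Where the previous 32K ceiling was set is not visible in this patch.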
@@ -1402,6 +1402,10 @@ static void HandleInitSocket() {
 // Read persistent properties after all default values have been loaded.
 auto persistent_properties = LoadPersistentProperties();
 for (const auto& persistent_property_record : persistent_properties.properties()) {
+ if (persistent_property_record.name() == "persist.adb.tls_server.enable") {
+ continue;
+ }
+
 InitPropertySet(persistent_property_record.name(), persistent_property_record.value());
 }
From d9f5783c61fa4a50ef8d0ada230cca1ad2f2a61e Mon Sep 17 00:00:00 2001
From: Dmitry Muhomor
Date: Thu, 4 Jan 2024 12:01:23 +0200
Subject: [PATCH 9/9] use max priority for snapuserd process
---
 fs_mgr/libsnapshot/snapuserd/snapuserd.rc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs_mgr/libsnapshot/snapuserd/snapuserd.rc b/fs_mgr/libsnapshot/snapuserd/snapuserd.rc
index 522fe08ec7a2..31d29acc16d9 100644
--- a/fs_mgr/libsnapshot/snapuserd/snapuserd.rc
+++ b/fs_mgr/libsnapshot/snapuserd/snapuserd.rc
@@ -4,7 +4,7 @@ service snapuserd /system/bin/snapuserd
 disabled
 user root
 group root system
- task_profiles OtaProfiles
+ task_profiles MaxIoPriority MaxPerformance ProcessCapacityMax
 seclabel u:r:snapuserd:s0
 service snapuserd_proxy /system/bin/snapuserd -socket-handoff
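Review bot: Skipping the record here only stops init from restoring it; nothing in this hunk prevents the property from being set and written back to persistent storage at runtime, so the stale value stays on disk and any build without this patch re-enables network ADB on the next boot. Consider refusing to persist the name in the set path as well, and put the rationale inline since the commit message is the only place it lives: `// Never restore persist.adb.tls_server.enable: persistent wireless debugging survives reboots and weakens verified boot, and system_server's own reset of it is fragile (see AdbService.java).` A file-scope constant for the name (or a small set, if more properties should be non-restorable) reads better than a string literal inside the loop. HandleInitSocket starts and ends outside this hunk.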
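Review bot: The switch from `OtaProfiles` to `MaxIoPriority MaxPerformance ProcessCapacityMax` hands a root daemon top CPU and I/O priority without a word of rationale; a comment such as `# snapuserd serves block reads for the merging snapshot; starving it stalls the whole system` (adjusted to whatever actually motivated the change) belongs above the line. The `snapuserd_proxy` service that begins on the last context line keeps whatever profile it had; if it also serves I/O during a merge it presumably needs the same treatment, which I can't confirm from this hunk.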