author | Gilad Arnold <garnold@google.com> | 2015-09-01 17:04:49 +0000 |
---|---|---|
committer | Android Git Automerger <android-git-automerger@android.com> | 2015-09-01 17:04:49 +0000 |
commit | daecefc23b936e7655b4e0117f9bc994cba35882 (patch) | |
tree | 921a92007887e748ed8ae29ca1ed0889877df35e | |
parent | 5269f779baa900c1715d2f2610633858f7f44234 (diff) | |
parent | b470cc18ef58c7c6d7e99f80559a69f65f5167e3 (diff) | |
download | tlsdate-daecefc23b936e7655b4e0117f9bc994cba35882.tar.gz |
am b470cc18: Run as non-root; drop privileges to inet:inet.
* commit 'b470cc18ef58c7c6d7e99f80559a69f65f5167e3':
Run as non-root; drop privileges to inet:inet.
-rw-r--r-- | Android.mk | 19 | ||||
-rw-r--r-- | config.h | 6 | ||||
-rw-r--r-- | init/tlsdated.rc | 7 |
3 files changed, 21 insertions, 11 deletions
@@ -79,7 +79,7 @@ include $(BUILD_NATIVE_TEST)
 include $(CLEAR_VARS)
 LOCAL_MODULE := tlsdated
-LOCAL_INIT_RC := init/tlsdated.rc
+LOCAL_REQUIRED_MODULES := tlsdated.rc
 LOCAL_SRC_FILES := $(tlsdate_tlsdated_sources)
 LOCAL_CFLAGS := -DTLSDATED_MAIN
 LOCAL_SHARED_LIBRARIES := $(tlsdate_common_shared_libs)
@@ -95,3 +95,20 @@ LOCAL_SRC_FILES := \
 LOCAL_SHARED_LIBRARIES := $(tlsdate_common_shared_libs)
 $(eval $(tlsdate_common))
 include $(BUILD_NATIVE_TEST)
+
+
+ifdef INITRC_TEMPLATE
+include $(CLEAR_VARS)
+LOCAL_MODULE := tlsdated.rc
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_PATH := $(PRODUCT_OUT)/$(TARGET_COPY_OUT_INITRCD)
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+.PHONY: $(LOCAL_BUILT_MODULE)
+$(LOCAL_BUILT_MODULE): my_args := \
+ -v -l -s -- /system/bin/tlsdate -v -C /system/etc/security/cacerts -l
+$(LOCAL_BUILT_MODULE): my_groups := inet
+$(LOCAL_BUILT_MODULE): $(INITRC_TEMPLATE)
+ $(call generate-initrc-file,tlsdated,$(my_args),$(my_groups))
+endif
@@ -244,12 +244,12 @@
 /* Vendor of Target System */
 /* #undef TARGET_VENDOR */
-/* TODO Reserve proper unprivileged uid/gid for the helper. */
+/* TODO(b/23651876) Reserve proper unprivileged uid/gid for the helper. */
 /* Unprivileged group */
-#define UNPRIV_GROUP "nobody"
+#define UNPRIV_GROUP "inet"
 /* Unprivileged user */
-#define UNPRIV_USER "nobody"
+#define UNPRIV_USER "inet"
 /* if PolarSSL is enabled */
 /* #undef USE_POLARSSL */
diff --git a/init/tlsdated.rc b/init/tlsdated.rc
deleted file mode 100644
index b91b329..0000000
--- a/init/tlsdated.rc
+++ /dev/null
@@ -1,7 +0,0 @@
-# Init file for starting tlsdated on Android.
-service tlsdated /system/bin/tlsdated -v -l -s -- /system/bin/tlsdate -v -C /system/etc/security/cacerts -l
- class main
- # TODO(b/23601841) Use a lesser uid once CAP_SYS_TIME is enabled.
- user root
- group system dbus inet
- seclabel u:r:brillo:s0 |
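Review bot: `LOCAL_REQUIRED_MODULES := tlsdated.rc` is set unconditionally in the @@ -79 hunk, but the `tlsdated.rc` module is only defined inside `ifdef INITRC_TEMPLATE` in the @@ -95 hunk, and this commit deletes the static init/tlsdated.rc. On a build where INITRC_TEMPLATE is unset, tlsdated would presumably be installed with no init service definition at all, and nothing in the visible lines reports that. Either guard this line the same way (`ifdef INITRC_TEMPLATE` / `LOCAL_REQUIRED_MODULES := tlsdated.rc` / `endif`) or add an `else` branch with `$(warning tlsdated.rc not generated: INITRC_TEMPLATE is unset)` next to the generator rule. The tlsdated module definition continues past the end of this hunk.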
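Review bot: The generator rule in the @@ -95 hunk no longer shows the security-relevant fields that the deleted init/tlsdated.rc spelled out (`user root`, `group system dbus inet`, `seclabel u:r:brillo:s0`). Only `my_groups := inet` and the argument list are visible; the rest presumably comes from `generate-initrc-file` and `$(INITRC_TEMPLATE)`, both defined outside this diff. A comment above the rule would let a reviewer audit the privilege change without chasing the template, e.g. `# user, seclabel and capabilities come from $(INITRC_TEMPLATE); this rule sets only the supplementary group (inet) and the args`. If dropping the `system` and `dbus` groups is intentional, the same comment should say so, and since the removed TODO tied the uid to CAP_SYS_TIME, it should also say how the daemon keeps the ability to set the clock. `.PHONY: $(LOCAL_BUILT_MODULE)` on a real output file forces regeneration on every build and deserves a one-line why-comment as well.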
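Review bot: `UNPRIV_USER` and `UNPRIV_GROUP` in the @@ -244 hunk now name `inet`, a group the deleted rc already gave to the daemon itself and one that is presumably shared with other network-capable processes, so the helper gets little isolation from them by uid/gid. The TODO acknowledges that a dedicated id is still pending but does not say why `inet` was picked in the meantime. I would extend the comment, e.g. `/* "inet" is a stand-in so the helper can open sockets; it is shared with other network users and gives no isolation between them. */`. The code that consumes these macros is outside this hunk, so it is worth confirming that it aborts when the user or group lookup fails or when the setgid/setuid calls fail, rather than continuing with the original identity.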