am b470cc18: Run as non-root; drop privileges to inet:inet.

* commit 'b470cc18ef58c7c6d7e99f80559a69f65f5167e3': Run as non-root; drop privileges to inet:inet.
author: Gilad Arnold <garnold@google.com> 2015-09-01 17:04:49 +0000
committer: Android Git Automerger <android-git-automerger@android.com> 2015-09-01 17:04:49 +0000
commit: daecefc23b936e7655b4e0117f9bc994cba35882 (patch)
tree: 921a92007887e748ed8ae29ca1ed0889877df35e
parent: 5269f779baa900c1715d2f2610633858f7f44234 (diff)
parent: b470cc18ef58c7c6d7e99f80559a69f65f5167e3 (diff)
download: tlsdate-daecefc23b936e7655b4e0117f9bc994cba35882.tar.gz
3 files changed, 21 insertions, 11 deletions
diff --git a/Android.mk b/Android.mk
index 486f0e2..2404ef4 100644
--- a/Android.mk
+++ b/Android.mk
@@ -79,7 +79,7 @@ include $(BUILD_NATIVE_TEST)
 
 include $(CLEAR_VARS)
 LOCAL_MODULE := tlsdated
-LOCAL_INIT_RC := init/tlsdated.rc
+LOCAL_REQUIRED_MODULES := tlsdated.rc
 LOCAL_SRC_FILES := $(tlsdate_tlsdated_sources)
 LOCAL_CFLAGS := -DTLSDATED_MAIN
 LOCAL_SHARED_LIBRARIES := $(tlsdate_common_shared_libs)
@@ -95,3 +95,20 @@ LOCAL_SRC_FILES := \
 LOCAL_SHARED_LIBRARIES := $(tlsdate_common_shared_libs)
 $(eval $(tlsdate_common))
 include $(BUILD_NATIVE_TEST)
+
+
+ifdef INITRC_TEMPLATE
+include $(CLEAR_VARS)
+LOCAL_MODULE := tlsdated.rc
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_PATH := $(PRODUCT_OUT)/$(TARGET_COPY_OUT_INITRCD)
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+.PHONY: $(LOCAL_BUILT_MODULE)
+$(LOCAL_BUILT_MODULE): my_args := \
+  -v -l -s -- /system/bin/tlsdate -v -C /system/etc/security/cacerts -l
+$(LOCAL_BUILT_MODULE): my_groups := inet
+$(LOCAL_BUILT_MODULE): $(INITRC_TEMPLATE)
+	$(call generate-initrc-file,tlsdated,$(my_args),$(my_groups))
+endif
diff --git a/config.h b/config.h
index dc2838c..edb70d0 100644
--- a/config.h
+++ b/config.h
@@ -244,12 +244,12 @@
 /* Vendor of Target System */
 /* #undef TARGET_VENDOR */
 
-/* TODO Reserve proper unprivileged uid/gid for the helper. */
+/* TODO(b/23651876) Reserve proper unprivileged uid/gid for the helper. */
 /* Unprivileged group */
-#define UNPRIV_GROUP "nobody"
+#define UNPRIV_GROUP "inet"
 
 /* Unprivileged user */
-#define UNPRIV_USER "nobody"
+#define UNPRIV_USER "inet"
 
 /* if PolarSSL is enabled */
 /* #undef USE_POLARSSL */
diff --git a/init/tlsdated.rc b/init/tlsdated.rc
deleted file mode 100644
index b91b329..0000000
--- a/init/tlsdated.rc
+++ /dev/null
@@ -1,7 +0,0 @@
-# Init file for starting tlsdated on Android.
-service tlsdated /system/bin/tlsdated -v -l -s -- /system/bin/tlsdate -v -C /system/etc/security/cacerts -l
-    class main
-    # TODO(b/23601841) Use a lesser uid once CAP_SYS_TIME is enabled.
-    user root
-    group system dbus inet
-    seclabel u:r:brillo:s0
author	Gilad Arnold <garnold@google.com>	2015-09-01 17:04:49 +0000
committer	Android Git Automerger <android-git-automerger@android.com>	2015-09-01 17:04:49 +0000
commit	daecefc23b936e7655b4e0117f9bc994cba35882 (patch)
tree	921a92007887e748ed8ae29ca1ed0889877df35e
parent	5269f779baa900c1715d2f2610633858f7f44234 (diff)
parent	b470cc18ef58c7c6d7e99f80559a69f65f5167e3 (diff)
download	tlsdate-daecefc23b936e7655b4e0117f9bc994cba35882.tar.gz