frameworks/base
Adding IKeyChainService APIs for CertInstaller and Settings use
keystore/java/android/security/IKeyChainService.aidl
libcore
Improve exceptions to include more information
luni/src/main/java/javax/security/auth/x500/X500Principal.java
Move guts of RootKeyStoreSpi to TrustedCertificateStore, leaving only KeyStoreSpi methods.
Added support for adding user CAs in a separate directory for system.
Added support for removing system CAs by placing a copy in a sytem directory
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/RootKeyStoreSpi.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustedCertificateStore.java
Formerly static methods on RootKeyStoreSpi are now instance methods on TrustedCertificateStore
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java
Added test for NativeCrypto.X509_NAME_hash_old and X509_NAME_hash
to make sure the implementing algorithms do not change since
TrustedCertificateStore depends on X509_NAME_hash_old (OpenSSL
changed the algorithm from MD5 to SHA1 when moving from 0.9.8 to
1.0.0)
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java
Extensive test of new TrustedCertificateStore behavior
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/TrustedCertificateStoreTest.java
TestKeyStore improvements
- Refactored TestKeyStore to provide simpler createCA method (and
internal createCertificate)
- Cleaned up to remove use of BouncyCastle specific X509Principal
in the TestKeyStore API when the public X500Principal would do.
- Cleaned up TestKeyStore support methods to not throw Exception
to remove need for static blocks for catch clauses in tests.
support/src/test/java/libcore/java/security/TestKeyStore.java
luni/src/test/java/libcore/java/security/KeyStoreTest.java
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java
Added private PKIXParameters contructor for use by
IndexedPKIXParameters to avoid wart of having to lookup and pass
a TrustAnchor to satisfy the super-class sanity check.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/IndexedPKIXParameters.java
luni/src/main/java/java/security/cert/PKIXParameters.java
packages/apps/CertInstaller
Change CertInstaller to call IKeyChainService.installCertificate
for CA certs to pass them to the KeyChainServiceTest which will
make them available to all apps through the
TrustedCertificateStore. Change PKCS12 extraction to use AsyncTask.
src/com/android/certinstaller/CertInstaller.java
Added installCaCertsToKeyChain and hasCaCerts accessor for use by
CertInstaller. Use hasUserCertificate() internally. Cleanup coding
style.
src/com/android/certinstaller/CredentialHelper.java
packages/apps/KeyChain
Added MANAGE_ACCOUNTS so that IKeyChainService.reset
implementation can remove KeyChain accounts.
AndroidManifest.xml
Implement new IKeyChainService methods:
- Added IKeyChainService.installCaCertificate to install certs
provided by CertInstaller using the TrustedCertificateStore.
- Added IKeyChainService.reset to allow Settings to remove the
KeyChain accounts so that any app granted access to keystore
credentials are revoked when the keystore is reset.
src/com/android/keychain/KeyChainService.java
packages/apps/Settings
Changed com.android.credentials.RESET credential reset action to
also call IKeyChainService.reset to remove any installed user CAs
and remove KeyChain accounts to have AccountManager revoke
credential granted to private keys removed during the RESET.
src/com/android/settings/CredentialStorage.java
Added toast text value for failure case
res/values/strings.xml
system/core
Have init create world readable /data/misc/keychain to allow apps
to access user added CA certificates installed by the CertInstaller.
rootdir/init.rc
Change-Id: I768ca8e8e990ff333ce0f7069a0935173498c5ed
on early-init
|
|
start ueventd
|
|
|
|
# create mountpoints
|
|
mkdir /mnt 0775 root system
|
|
|
|
on init
|
|
|
|
sysclktz 0
|
|
|
|
loglevel 3
|
|
|
|
# setup the global environment
|
|
export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin
|
|
export LD_LIBRARY_PATH /vendor/lib:/system/lib
|
|
export ANDROID_BOOTLOGO 1
|
|
export ANDROID_ROOT /system
|
|
export ANDROID_ASSETS /system/app
|
|
export ANDROID_DATA /data
|
|
export ASEC_MOUNTPOINT /mnt/asec
|
|
export LOOP_MOUNTPOINT /mnt/obb
|
|
export BOOTCLASSPATH /system/framework/core.jar:/system/framework/apache-xml.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/core-junit.jar
|
|
|
|
# Backward compatibility
|
|
symlink /system/etc /etc
|
|
symlink /sys/kernel/debug /d
|
|
|
|
# Right now vendor lives on the same filesystem as system,
|
|
# but someday that may change.
|
|
symlink /system/vendor /vendor
|
|
|
|
# Create cgroup mount point for cpu accounting
|
|
mkdir /acct
|
|
mount cgroup none /acct cpuacct
|
|
mkdir /acct/uid
|
|
|
|
mkdir /system
|
|
mkdir /data 0771 system system
|
|
mkdir /cache 0770 system cache
|
|
mkdir /config 0500 root root
|
|
|
|
# Directory for putting things only root should see.
|
|
mkdir /mnt/secure 0700 root root
|
|
|
|
# Directory for staging bindmounts
|
|
mkdir /mnt/secure/staging 0700 root root
|
|
|
|
# Directory-target for where the secure container
|
|
# imagefile directory will be bind-mounted
|
|
mkdir /mnt/secure/asec 0700 root root
|
|
|
|
# Secure container public mount points.
|
|
mkdir /mnt/asec 0700 root system
|
|
mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000
|
|
|
|
# Filesystem image public mount points.
|
|
mkdir /mnt/obb 0700 root system
|
|
mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000
|
|
|
|
write /proc/sys/kernel/panic_on_oops 1
|
|
write /proc/sys/kernel/hung_task_timeout_secs 0
|
|
write /proc/cpu/alignment 4
|
|
write /proc/sys/kernel/sched_latency_ns 10000000
|
|
write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
|
|
write /proc/sys/kernel/sched_compat_yield 1
|
|
write /proc/sys/kernel/sched_child_runs_first 0
|
|
|
|
# Create cgroup mount points for process groups
|
|
mkdir /dev/cpuctl
|
|
mount cgroup none /dev/cpuctl cpu
|
|
chown system system /dev/cpuctl
|
|
chown system system /dev/cpuctl/tasks
|
|
chmod 0777 /dev/cpuctl/tasks
|
|
write /dev/cpuctl/cpu.shares 1024
|
|
|
|
mkdir /dev/cpuctl/fg_boost
|
|
chown system system /dev/cpuctl/fg_boost/tasks
|
|
chmod 0777 /dev/cpuctl/fg_boost/tasks
|
|
write /dev/cpuctl/fg_boost/cpu.shares 1024
|
|
|
|
mkdir /dev/cpuctl/bg_non_interactive
|
|
chown system system /dev/cpuctl/bg_non_interactive/tasks
|
|
chmod 0777 /dev/cpuctl/bg_non_interactive/tasks
|
|
# 5.0 %
|
|
write /dev/cpuctl/bg_non_interactive/cpu.shares 52
|
|
|
|
on fs
|
|
# mount mtd partitions
|
|
# Mount /system rw first to give the filesystem a chance to save a checkpoint
|
|
mount yaffs2 mtd@system /system
|
|
mount yaffs2 mtd@system /system ro remount
|
|
mount yaffs2 mtd@userdata /data nosuid nodev
|
|
mount yaffs2 mtd@cache /cache nosuid nodev
|
|
|
|
on post-fs
|
|
# once everything is setup, no need to modify /
|
|
mount rootfs rootfs / ro remount
|
|
|
|
# We chown/chmod /cache again so because mount is run as root + defaults
|
|
chown system cache /cache
|
|
chmod 0770 /cache
|
|
|
|
# This may have been created by the recovery system with odd permissions
|
|
chown system cache /cache/recovery
|
|
chmod 0770 /cache/recovery
|
|
|
|
#change permissions on vmallocinfo so we can grab it from bugreports
|
|
chown root log /proc/vmallocinfo
|
|
chmod 0440 /proc/vmallocinfo
|
|
|
|
#change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
|
|
chown root system /proc/kmsg
|
|
chmod 0440 /proc/kmsg
|
|
chown root system /proc/sysrq-trigger
|
|
chmod 0220 /proc/sysrq-trigger
|
|
|
|
# create the lost+found directories, so as to enforce our permissions
|
|
mkdir /cache/lost+found 0770
|
|
|
|
# double check the perms, in case lost+found already exists, and set owner
|
|
chown root root /cache/lost+found
|
|
chmod 0770 /cache/lost+found
|
|
|
|
on post-fs-data
|
|
# We chown/chmod /data again so because mount is run as root + defaults
|
|
chown system system /data
|
|
chmod 0771 /data
|
|
|
|
# Create dump dir and collect dumps.
|
|
# Do this before we mount cache so eventually we can use cache for
|
|
# storing dumps on platforms which do not have a dedicated dump partition.
|
|
|
|
mkdir /data/dontpanic
|
|
chown root log /data/dontpanic
|
|
chmod 0750 /data/dontpanic
|
|
|
|
# Collect apanic data, free resources and re-arm trigger
|
|
copy /proc/apanic_console /data/dontpanic/apanic_console
|
|
chown root log /data/dontpanic/apanic_console
|
|
chmod 0640 /data/dontpanic/apanic_console
|
|
|
|
copy /proc/apanic_threads /data/dontpanic/apanic_threads
|
|
chown root log /data/dontpanic/apanic_threads
|
|
chmod 0640 /data/dontpanic/apanic_threads
|
|
|
|
write /proc/apanic_console 1
|
|
|
|
# create basic filesystem structure
|
|
mkdir /data/misc 01771 system misc
|
|
mkdir /data/misc/bluetoothd 0770 bluetooth bluetooth
|
|
mkdir /data/misc/bluetooth 0770 system system
|
|
mkdir /data/misc/keystore 0700 keystore keystore
|
|
mkdir /data/misc/keychain 0771 keychain keychain
|
|
mkdir /data/misc/vpn 0770 system system
|
|
mkdir /data/misc/systemkeys 0700 system system
|
|
mkdir /data/misc/vpn/profiles 0770 system system
|
|
# give system access to wpa_supplicant.conf for backup and restore
|
|
mkdir /data/misc/wifi 0770 wifi wifi
|
|
chmod 0770 /data/misc/wifi
|
|
chmod 0660 /data/misc/wifi/wpa_supplicant.conf
|
|
mkdir /data/local 0771 shell shell
|
|
mkdir /data/local/tmp 0771 shell shell
|
|
mkdir /data/data 0771 system system
|
|
mkdir /data/app-private 0771 system system
|
|
mkdir /data/app 0771 system system
|
|
mkdir /data/property 0700 root root
|
|
|
|
# create dalvik-cache and double-check the perms
|
|
mkdir /data/dalvik-cache 0771 system system
|
|
chown system system /data/dalvik-cache
|
|
chmod 0771 /data/dalvik-cache
|
|
|
|
# create the lost+found directories, so as to enforce our permissions
|
|
mkdir /data/lost+found 0770
|
|
|
|
# double check the perms, in case lost+found already exists, and set owner
|
|
chown root root /data/lost+found
|
|
chmod 0770 /data/lost+found
|
|
|
|
# create directory for DRM plug-ins
|
|
mkdir /data/drm 0774 drm drm
|
|
|
|
# If there is no fs-post-data action in the init.<device>.rc file, you
|
|
# must uncomment this line, otherwise encrypted filesystems
|
|
# won't work.
|
|
# Set indication (checked by vold) that we have finished this action
|
|
#setprop vold.post_fs_data_done 1
|
|
|
|
on boot
|
|
# basic network init
|
|
ifup lo
|
|
hostname localhost
|
|
domainname localdomain
|
|
|
|
# set RLIMIT_NICE to allow priorities from 19 to -20
|
|
setrlimit 13 40 40
|
|
|
|
# Define the oom_adj values for the classes of processes that can be
|
|
# killed by the kernel. These are used in ActivityManagerService.
|
|
setprop ro.FOREGROUND_APP_ADJ 0
|
|
setprop ro.VISIBLE_APP_ADJ 1
|
|
setprop ro.PERCEPTIBLE_APP_ADJ 2
|
|
setprop ro.HEAVY_WEIGHT_APP_ADJ 3
|
|
setprop ro.SECONDARY_SERVER_ADJ 4
|
|
setprop ro.BACKUP_APP_ADJ 5
|
|
setprop ro.HOME_APP_ADJ 6
|
|
setprop ro.HIDDEN_APP_MIN_ADJ 7
|
|
setprop ro.EMPTY_APP_ADJ 15
|
|
|
|
# Define the memory thresholds at which the above process classes will
|
|
# be killed. These numbers are in pages (4k).
|
|
# These are currently tuned for tablets with approx 1GB RAM.
|
|
setprop ro.FOREGROUND_APP_MEM 8192
|
|
setprop ro.VISIBLE_APP_MEM 10240
|
|
setprop ro.PERCEPTIBLE_APP_MEM 12288
|
|
setprop ro.HEAVY_WEIGHT_APP_MEM 12288
|
|
setprop ro.SECONDARY_SERVER_MEM 14336
|
|
setprop ro.BACKUP_APP_MEM 14336
|
|
setprop ro.HOME_APP_MEM 14336
|
|
setprop ro.HIDDEN_APP_MEM 16384
|
|
setprop ro.EMPTY_APP_MEM 20480
|
|
|
|
# Old values for phones. Should probably be adjusted up for the next
|
|
# phone version.
|
|
#setprop ro.FOREGROUND_APP_MEM 2048
|
|
#setprop ro.VISIBLE_APP_MEM 3072
|
|
#setprop ro.PERCEPTIBLE_APP_MEM 4096
|
|
#setprop ro.HEAVY_WEIGHT_APP_MEM 4096
|
|
#setprop ro.SECONDARY_SERVER_MEM 6144
|
|
#setprop ro.BACKUP_APP_MEM 6144
|
|
#setprop ro.HOME_APP_MEM 6144
|
|
#setprop ro.HIDDEN_APP_MEM 7168
|
|
#setprop ro.EMPTY_APP_MEM 8192
|
|
|
|
# Write value must be consistent with the above properties.
|
|
# Note that the driver only supports 6 slots, so we have combined some of
|
|
# the classes into the same memory level; the associated processes of higher
|
|
# classes will still be killed first.
|
|
write /sys/module/lowmemorykiller/parameters/adj 0,1,2,4,7,15
|
|
|
|
write /proc/sys/vm/overcommit_memory 1
|
|
write /proc/sys/vm/min_free_order_shift 4
|
|
write /sys/module/lowmemorykiller/parameters/minfree 8192,10240,12288,14336,16384,20480
|
|
|
|
# Set init its forked children's oom_adj.
|
|
write /proc/1/oom_adj -16
|
|
|
|
# Tweak background writeout
|
|
write /proc/sys/vm/dirty_expire_centisecs 200
|
|
write /proc/sys/vm/dirty_background_ratio 5
|
|
|
|
# Permissions for System Server and daemons.
|
|
chown radio system /sys/android_power/state
|
|
chown radio system /sys/android_power/request_state
|
|
chown radio system /sys/android_power/acquire_full_wake_lock
|
|
chown radio system /sys/android_power/acquire_partial_wake_lock
|
|
chown radio system /sys/android_power/release_wake_lock
|
|
chown radio system /sys/power/state
|
|
chown radio system /sys/power/wake_lock
|
|
chown radio system /sys/power/wake_unlock
|
|
chmod 0660 /sys/power/state
|
|
chmod 0660 /sys/power/wake_lock
|
|
chmod 0660 /sys/power/wake_unlock
|
|
chown system system /sys/class/timed_output/vibrator/enable
|
|
chown system system /sys/class/leds/keyboard-backlight/brightness
|
|
chown system system /sys/class/leds/lcd-backlight/brightness
|
|
chown system system /sys/class/leds/button-backlight/brightness
|
|
chown system system /sys/class/leds/jogball-backlight/brightness
|
|
chown system system /sys/class/leds/red/brightness
|
|
chown system system /sys/class/leds/green/brightness
|
|
chown system system /sys/class/leds/blue/brightness
|
|
chown system system /sys/class/leds/red/device/grpfreq
|
|
chown system system /sys/class/leds/red/device/grppwm
|
|
chown system system /sys/class/leds/red/device/blink
|
|
chown system system /sys/class/leds/red/brightness
|
|
chown system system /sys/class/leds/green/brightness
|
|
chown system system /sys/class/leds/blue/brightness
|
|
chown system system /sys/class/leds/red/device/grpfreq
|
|
chown system system /sys/class/leds/red/device/grppwm
|
|
chown system system /sys/class/leds/red/device/blink
|
|
chown system system /sys/class/timed_output/vibrator/enable
|
|
chown system system /sys/module/sco/parameters/disable_esco
|
|
chown system system /sys/kernel/ipv4/tcp_wmem_min
|
|
chown system system /sys/kernel/ipv4/tcp_wmem_def
|
|
chown system system /sys/kernel/ipv4/tcp_wmem_max
|
|
chown system system /sys/kernel/ipv4/tcp_rmem_min
|
|
chown system system /sys/kernel/ipv4/tcp_rmem_def
|
|
chown system system /sys/kernel/ipv4/tcp_rmem_max
|
|
chown root radio /proc/cmdline
|
|
|
|
# Define TCP buffer sizes for various networks
|
|
# ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax,
|
|
setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208
|
|
setprop net.tcp.buffersize.wifi 4095,87380,110208,4096,16384,110208
|
|
setprop net.tcp.buffersize.umts 4094,87380,110208,4096,16384,110208
|
|
setprop net.tcp.buffersize.edge 4093,26280,35040,4096,16384,35040
|
|
setprop net.tcp.buffersize.gprs 4092,8760,11680,4096,8760,11680
|
|
|
|
# Set this property so surfaceflinger is not started by system_init
|
|
setprop system_init.startsurfaceflinger 0
|
|
|
|
class_start core
|
|
class_start main
|
|
|
|
on nonencrypted
|
|
class_start late_start
|
|
|
|
on property:vold.decrypt=trigger_reset_main
|
|
class_reset main
|
|
|
|
on property:vold.decrypt=trigger_load_persist_props
|
|
load_persist_props
|
|
|
|
on property:vold.decrypt=trigger_post_fs_data
|
|
trigger post-fs-data
|
|
|
|
on property:vold.decrypt=trigger_restart_min_framework
|
|
class_start main
|
|
|
|
on property:vold.decrypt=trigger_restart_framework
|
|
class_start main
|
|
class_start late_start
|
|
|
|
on property:vold.decrypt=trigger_shutdown_framework
|
|
class_reset late_start
|
|
class_reset main
|
|
|
|
## Daemon processes to be run by init.
|
|
##
|
|
service ueventd /sbin/ueventd
|
|
class core
|
|
critical
|
|
|
|
service console /system/bin/sh
|
|
class core
|
|
console
|
|
disabled
|
|
user shell
|
|
group log
|
|
|
|
on property:ro.debuggable=1
|
|
start console
|
|
|
|
# adbd is controlled by the persist.service.adb.enable system property
|
|
service adbd /sbin/adbd
|
|
class core
|
|
disabled
|
|
|
|
# adbd on at boot in emulator
|
|
on property:ro.kernel.qemu=1
|
|
start adbd
|
|
|
|
on property:persist.service.adb.enable=1
|
|
start adbd
|
|
|
|
on property:persist.service.adb.enable=0
|
|
stop adbd
|
|
|
|
service servicemanager /system/bin/servicemanager
|
|
class core
|
|
user system
|
|
group system
|
|
critical
|
|
onrestart restart zygote
|
|
onrestart restart media
|
|
|
|
service vold /system/bin/vold
|
|
class core
|
|
socket vold stream 0660 root mount
|
|
ioprio be 2
|
|
|
|
service netd /system/bin/netd
|
|
class main
|
|
socket netd stream 0660 root system
|
|
socket dnsproxyd stream 0660 root inet
|
|
|
|
service debuggerd /system/bin/debuggerd
|
|
class main
|
|
|
|
service ril-daemon /system/bin/rild
|
|
class late_start
|
|
socket rild stream 660 root radio
|
|
socket rild-debug stream 660 radio system
|
|
user root
|
|
group radio cache inet misc audio sdcard_rw
|
|
|
|
service surfaceflinger /system/bin/surfaceflinger
|
|
class main
|
|
user system
|
|
group graphics
|
|
onrestart restart zygote
|
|
|
|
service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
|
|
class main
|
|
socket zygote stream 666
|
|
onrestart write /sys/android_power/request_state wake
|
|
onrestart write /sys/power/state on
|
|
onrestart restart surfaceflinger
|
|
onrestart restart media
|
|
onrestart restart netd
|
|
|
|
service drm /system/bin/drmserver
|
|
class main
|
|
user drm
|
|
group system inet
|
|
|
|
service media /system/bin/mediaserver
|
|
class main
|
|
user media
|
|
group audio camera inet net_bt net_bt_admin
|
|
ioprio rt 4
|
|
|
|
service bootanim /system/bin/bootanimation
|
|
class main
|
|
user graphics
|
|
group graphics
|
|
disabled
|
|
oneshot
|
|
|
|
service dbus /system/bin/dbus-daemon --system --nofork
|
|
class main
|
|
socket dbus stream 660 bluetooth bluetooth
|
|
user bluetooth
|
|
group bluetooth net_bt_admin
|
|
|
|
service bluetoothd /system/bin/bluetoothd -n
|
|
class main
|
|
socket bluetooth stream 660 bluetooth bluetooth
|
|
socket dbus_bluetooth stream 660 bluetooth bluetooth
|
|
# init.rc does not yet support applying capabilities, so run as root and
|
|
# let bluetoothd drop uid to bluetooth with the right linux capabilities
|
|
group bluetooth net_bt_admin misc
|
|
disabled
|
|
|
|
service installd /system/bin/installd
|
|
class main
|
|
socket installd stream 600 system system
|
|
|
|
service flash_recovery /system/etc/install-recovery.sh
|
|
class main
|
|
oneshot
|
|
|
|
service racoon /system/bin/racoon
|
|
class main
|
|
socket racoon stream 600 system system
|
|
# racoon will setuid to vpn after getting necessary resources.
|
|
group net_admin
|
|
disabled
|
|
oneshot
|
|
|
|
service mtpd /system/bin/mtpd
|
|
class main
|
|
socket mtpd stream 600 system system
|
|
user vpn
|
|
group vpn net_admin net_raw
|
|
disabled
|
|
oneshot
|
|
|
|
service keystore /system/bin/keystore /data/misc/keystore
|
|
class main
|
|
user keystore
|
|
group keystore
|
|
socket keystore stream 666
|
|
|
|
service dumpstate /system/bin/dumpstate -s
|
|
class main
|
|
socket dumpstate stream 0660 shell log
|
|
disabled
|
|
oneshot
|