init.rc: Lock down access to /proc/net/fib_trie

Make /proc/net/fib_trie only readable to root. Bug: 31269937 Test: Device boots, file has appropriate permissions. Change-Id: I0d01ce5c043d576344a6732b0b9ff93d62fcaa34
author: Nick Kralevich <nnk@google.com> 2017-08-25 12:55:52 -0700
committer: Andreas Blaesius <skate4life@gmx.de> 2018-01-14 13:03:38 +0100
commit: f86d75d049acf34d3cb6cf410e1a6d9b5cf84094 (patch)
tree: 5dc2d9959a0571f258c7522bc0a5a18cea03087c
parent: 35b8c2451b64d7b75dea066a75f09f7c412b78e9 (diff)
download: system_core-f86d75d049acf34d3cb6cf410e1a6d9b5cf84094.tar.gz
system_core-f86d75d049acf34d3cb6cf410e1a6d9b5cf84094.tar.bz2
system_core-f86d75d049acf34d3cb6cf410e1a6d9b5cf84094.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/rootdir/init.rc b/rootdir/init.rc
index 1c6fca642..cfcab625a 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -125,6 +125,9 @@ on init
     write /proc/sys/net/ipv4/conf/all/accept_redirects 0
     write /proc/sys/net/ipv6/conf/all/accept_redirects 0
 
+    # /proc/net/fib_trie leaks interface IP addresses
+    chmod 0400 /proc/net/fib_trie
+
     # Create cgroup mount points for process groups
     mkdir /dev/cpuctl
     mount cgroup none /dev/cpuctl cpu
author	Nick Kralevich <nnk@google.com>	2017-08-25 12:55:52 -0700
committer	Andreas Blaesius <skate4life@gmx.de>	2018-01-14 13:03:38 +0100
commit	f86d75d049acf34d3cb6cf410e1a6d9b5cf84094 (patch)
tree	5dc2d9959a0571f258c7522bc0a5a18cea03087c
parent	35b8c2451b64d7b75dea066a75f09f7c412b78e9 (diff)
download	system_core-f86d75d049acf34d3cb6cf410e1a6d9b5cf84094.tar.gz system_core-f86d75d049acf34d3cb6cf410e1a6d9b5cf84094.tar.bz2 system_core-f86d75d049acf34d3cb6cf410e1a6d9b5cf84094.zip