author | Nick Kralevich <nnk@google.com> | 2017-08-25 12:55:52 -0700 |
---|---|---|
committer | Andreas Blaesius <skate4life@gmx.de> | 2018-01-14 13:03:38 +0100 |
commit | f86d75d049acf34d3cb6cf410e1a6d9b5cf84094 (patch) | |
tree | 5dc2d9959a0571f258c7522bc0a5a18cea03087c | |
parent | 35b8c2451b64d7b75dea066a75f09f7c412b78e9 (diff) | |
init.rc: Lock down access to /proc/net/fib_trie
Make /proc/net/fib_trie only readable to root.
Bug: 31269937
Test: Device boots, file has appropriate permissions.
Change-Id: I0d01ce5c043d576344a6732b0b9ff93d62fcaa34
-rw-r--r-- | rootdir/init.rc | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/rootdir/init.rc b/rootdir/init.rc index 1c6fca642..cfcab625a 100644 --- a/rootdir/init.rc +++ b/rootdir/init.rc @@ -125,6 +125,9 @@ on init write /proc/sys/net/ipv4/conf/all/accept_redirects 0 write /proc/sys/net/ipv6/conf/all/accept_redirects 0 + # /proc/net/fib_trie leaks interface IP addresses + chmod 0400 /proc/net/fib_trie + # Create cgroup mount points for process groups mkdir /dev/cpuctl mount cgroup none /dev/cpuctl cpu |
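Review bot: The new comment above `chmod 0400 /proc/net/fib_trie` says what the file leaks but not who is still meant to read it. Mode 0400 leaves read access to the file's owner only, and the commit message says that owner is root. Suggest spelling this out in the comment, for example "# /proc/net/fib_trie leaks interface IP addresses; restrict to root (owner) read only", so the intent survives if the line is later moved or copied. The `Test:` line says "appropriate permissions" without naming the expected mode. Stating it as 0400 would make the check repeatable. One question: the rule sits in `on init` and names a single path, so is fib_trie the only entry under /proc/net that exposes these addresses to unprivileged readers, or do other entries need the same treatment in a follow-up?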