-rw-r--r--  src/devices/devices_toc.cs  7
-rw-r--r--  src/devices/tech/input/key-layout-files.jd  5
-rw-r--r--  src/devices/tech/security/enhancements42.jd (renamed from src/devices/tech/security/enhancements.jd)  0
-rw-r--r--  src/devices/tech/security/enhancements43.jd  87
-rw-r--r--  src/devices/tech/storage/index.jd  36
5 files changed, 127 insertions, 8 deletions
diff --git a/src/devices/devices_toc.cs b/src/devices/devices_toc.cs
index 4e514b6b..ac5c09ec 100644
--- a/src/devices/devices_toc.cs
+++ b/src/devices/devices_toc.cs
@@ -154,10 +154,15 @@
</div>
<ul>
<li>
- <a href="<?cs var:toroot ?>devices/tech/security/enhancements.html">
+ <a href="<?cs var:toroot ?>devices/tech/security/enhancements42.html">
<span class="en">Security Enhancements in Android 4.2</span>
</a>
</li>
+ <li>
+ <a href="<?cs var:toroot ?>devices/tech/security/enhancements43.html">
+ <span class="en">Security Enhancements in Android 4.3</span>
+ </a>
+ </li>
</ul>
</li>
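Review bot: Repointing the TOC link from enhancements.html to enhancements42.html removes the old URL without a replacement, so any external link or bookmark to devices/tech/security/enhancements.html will now 404; add a redirect from the old path (or keep a stub page at it) alongside the rename. The new 4.3 entry follows the existing <li>/<a>/<span class="en"> pattern and sits in version order after the 4.2 entry, which is fine.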
diff --git a/src/devices/tech/input/key-layout-files.jd b/src/devices/tech/input/key-layout-files.jd
index 63fbcac6..e9258818 100644
--- a/src/devices/tech/input/key-layout-files.jd
+++ b/src/devices/tech/input/key-layout-files.jd
@@ -108,9 +108,10 @@ then both <code>AXIS_GAS</code> and <code>AXIS_BRAKE</code> are set to <code>0</
<p>An inverted axis inverts the sign of the axis value.</p>
<p>The following declaration maps <code>ABS_RZ</code> (indicated by <code>0x05</code>) to <code>AXIS_BRAKE</code>
(indicated by <code>BRAKE</code>), and inverts the output by negating it.</p>
-<pre><code>axis 0x05 invert AXIS_RZ
+<pre><code>axis 0x05 invert BRAKE
</code></pre>
-<p>In the above example, if the value of <code>ABS_RZ</code> is <code>2</code> then <code>AXIS_RZ</code> is set to <code>-2</code>.</p>
+<p>In the above example, if the value of <code>ABS_RZ</code> is <code>2</code> then
+<code>AXIS_BRAKE</code> is set to <code>-2</code>.</p>
<h4 id="center-flat-position-option">Center Flat Position Option</h4>
<p>The Linux input protocol provides a way for input device drivers to specify the
center flat position of joystick axes but not all of them do and some of them
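Review bot: The corrected example now agrees with the prose above it: the token after invert is the key-layout axis name (BRAKE), not the Java constant (AXIS_BRAKE), and the follow-up sentence correctly reports AXIS_BRAKE as the value that ends up negated. It is worth checking the rest of this file for other axis declarations that still use the AXIS_ prefix, since the mistake the old line had (axis 0x05 invert AXIS_RZ) is easy to repeat.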
diff --git a/src/devices/tech/security/enhancements.jd b/src/devices/tech/security/enhancements42.jd
index 4044a1ea..4044a1ea 100644
--- a/src/devices/tech/security/enhancements.jd
+++ b/src/devices/tech/security/enhancements42.jd
diff --git a/src/devices/tech/security/enhancements43.jd b/src/devices/tech/security/enhancements43.jd
new file mode 100644
index 00000000..277e010a
--- /dev/null
+++ b/src/devices/tech/security/enhancements43.jd
@@ -0,0 +1,87 @@
+page.title=Security Enhancements in Android 4.3
+@jd:body
+
+<p>
+Every Android release includes dozens of security enhancements to protect
+users. The following are some of the security enhancements available
+in Android 4.3:
+</p>
+
+<ul>
+ <li><strong>Android sandbox reinforced with SELinux.</strong>
+ This release strengthens the Android sandbox using the SELinux
+ mandatory access control system (MAC) in the Linux kernel. SELinux
+ reinforcement is invisible to users and developers, and adds robustness
+ to the existing Android security model while maintaining compatibility
+ with existing applications. To ensure continued compatibility this release
+ allows the use of SELinux in a permissive mode. This mode logs any policy
+ violations, but will not break applications or affect system behavior.</li>
+
+ <li><strong>No setuid/setgid programs.</strong>
+ Added support for filesystem capabilities
+ to Android system files and removed all setuid/setguid programs.  This
+ reduces root attack surface and the likelihood of potential security
+ vulnerabilities.</li>
+
+ <li><strong>ADB Authentication.</strong>
+ Since Android 4.2.2, connections to ADB are
+ authenticated with an RSA keypair. This prevents unauthorized use of
+ ADB where the attacker has physical access to a device.</li>
+
+ <li><strong>Restrict Setuid from Android Apps.</strong>
+ The /system partition is now mounted
+ nosuid for zygote-spawned processes, preventing Android applications
+ from executing setuid programs. This reduces root attack surface and
+ the likelihood of potential security vulnerabilities.</li>
+
+ <li><strong>Capability bounding.</strong>
+ Android zygote and ADB now use prctl(PR_CAPBSET_DROP) to drop
+ unnecessary capabilities prior to executing applications.
+ This prevents Android applications and applications launched from
+ the shell from acquiring privileged capabilities.</li>
+
+ <li><strong>AndroidKeyStore Provider.</strong>
+ Android now has a keystore provider that allows
+ applications to create exclusive use keys. This provides applications
+ with an API to create or store private keys that cannot be used by
+ other applications.</li>
+
+ <li><strong>KeyChain isBoundKeyAlgorithm.</strong>
+ Keychain API now provides a method
+ (isBoundKeyType) that allows applications to confirm that system-wide keys
+ are bound to a hardware root of trust for the device. This provides
+ a place to create or store private keys that cannot be exported off the
+ device, even in the event of a root compromise.</li>
+
+ <li><strong>NO_NEW_PRIVS.</strong>
+ Android zygote now uses prctl(PR_SET_NO_NEW_PRIVS) to block addition
+ of new privileges prior to execution application code. This
+ prevents Android applications from performing operations which can
+ elevate privileges via execve. (This requires Linux kernel version 3.5
+ or greater).</li>
+
+ <li><strong>FORTIFY_SOURCE enhancements.</strong>
+ Enabled FORTIFY_SOURCE on Android x86 and MIPS
+ and fortified strchr(), strrchr(), strlen(), and umask() calls. This
+ can detect potential memory corruption vulnerabilities or unterminated
+ string constants.</li>
+
+ <li><strong>Relocation protections.</strong>
+ Enabled read only relocations (relro) for
+ statically linked executables and removed all text relocations in Android
+ code. This provides defense in depth against potential memory corruption
+ vulnerabilities.</li>
+
+ <li><strong>Improved EntropyMixer.</strong>
+ EntropyMixer now writes entropy at shutdown /
+ reboot, in addition to periodic mixing. This allows retention of all
+ entropy generated while devices are powered on, and is especially useful
+ for devices that are rebooted immediately after provisioning.</li>
+
+ <li><strong>Security Fixes.</strong>
+ Android 4.3 also includes fixes for Android-specific
+ vulnerabilities. Information about these vulnerabilities has been provided
+ to Open Handset Alliance members and fixes are available in Android Open
+ Source Project. To improve security, some devices with earlier versions
+ of Android may also include these fixes.</li>
+</ul>
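Review bot: The KeyChain item names the method inconsistently: the bold heading says isBoundKeyAlgorithm while the body says (isBoundKeyType); the API 18 method is KeyChain.isBoundKeyAlgorithm(String), so the body should read isBoundKeyAlgorithm. Two typos in the same hunk: "setuid/setguid programs" should be "setuid/setgid programs", and "prior to execution application code" should be "prior to executing application code". Minor style point in the SELinux item: "mandatory access control system (MAC)" reads better as "mandatory access control (MAC) system".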
diff --git a/src/devices/tech/storage/index.jd b/src/devices/tech/storage/index.jd
index 71ea31c0..0f1b2678 100644
--- a/src/devices/tech/storage/index.jd
+++ b/src/devices/tech/storage/index.jd
@@ -26,8 +26,10 @@ developers through API.</p>
<p>External storage is managed by a combination of the <code>vold</code> init service and
<code>MountService</code> system service.</p>
<p>Mounting of physical external storage volumes is handled by <code>vold</code>, which
-performs staging operations to prepare the media before exposing it to apps.
-The device-specific <code>vold.fstab</code> configuration file defines mappings from sysfs
+performs staging operations to prepare the media before exposing it to apps.</p>
+
+<p>For Android 4.2.2 and earlier, the device-specific <code>vold.fstab</code>
+configuration file defines mappings from sysfs
devices to filesystem mount points, and each line follows this format:</p>
<pre><code>dev_mount &lt;label&gt; &lt;mount_point&gt; &lt;partition&gt; &lt;sysfs_path&gt; [flags]
</code></pre>
@@ -40,6 +42,25 @@ point. Separated by spaces, and each must start with <code>/</code>.</li>
<li><code>flags</code>: Optional comma separated list of flags, must not contain <code>/</code>.
Possible values include <code>nonremovable</code> and <code>encryptable</code>.</li>
</ul>
+<p>For Android releases 4.3 and later, the various fstab files used by init, vold and
+recovery were unified in the <code>/fstab.&lt;device&gt;</code> file. For external
+storage volumes that are managed by <code>vold</code>, the entries should have the
+following format:</p>
+<pre><code>&lt;src&gt; &lt;mnt_point&gt; &lt;type&gt; &lt;mnt_flags&gt; &lt;fs_mgr_flags&gt;
+</code></pre>
+<ul>
+<li><code>src</code>: A path under sysfs (usually mounted at /sys) to the device that
+can provide the mount point. The path must start with <code>/</code>.</li> <li><code>mount_point</code>: Filesystem path where the volume should be mounted.</li>
+<li><code>type</code>: The type of the filesystem on the volume. For external cards,
+this is usually <code>vfat</code>.</li>
+<li><code>mnt_flags</code>: <code>Vold</code> ignores this field and it should be set
+to <code>defaults</code></li>
+<li><code>fs_mgr_flags</code>: <code>Vold</code> ignores any lines in the unified fstab
+that do not include the <code>voldmanaged=</code> flag in this field. This flag must
+be followed by a label describing the card, and a partition number or the word
+<code>auto</code>. Here is an example: <code>voldmanaged=sdcard:auto</code>.
+Other possible flags are <code>nonremovable</code> and <code>encryptable=sdcard</code>.
+</ul>
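Review bot: The last <li> in the new list (fs_mgr_flags) is never closed before </ul>, and two <li> elements are run together on one line in the src item; split them onto separate lines and close the final list item. The field names are also inconsistent: the format line says <mnt_point> while the list describes mount_point, and vold is capitalised as <code>Vold</code> in two items where the rest of the page uses lowercase <code>vold</code>. The mnt_flags sentence is missing its trailing period after defaults.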
<p>External storage interactions at and above the framework level are handled
through <code>MountService</code>. The device-specific <code>storage_list.xml</code> configuration
file, typically provided through a <code>frameworks/base</code> overlay, defines the
@@ -74,13 +95,18 @@ environment variable must be defined as the path to the primary external
storage. The <code>/sdcard</code> path must also resolve to the same location, possibly
through a symlink. If a device adjusts the location of external storage between
platform updates, symlinks should be created so that old paths continue working.</p>
-<p>As an example, here’s the storage configuration for Xoom, which uses a FUSE
-daemon to provide primary external storage, and includes a physical SD card as
+<p>As an example for Android 4.2.2 and earlier, here's the storage configuration for Xoom,
+which uses a FUSE daemon to provide primary external storage, and includes a physical SD card as
secondary external storage:</p>
<ul>
<li><a href="https://android.googlesource.com/device/moto/wingray/+/master/vold.fstab">vold.fstab</a></li>
<li><a href="https://android.googlesource.com/device/moto/wingray/+/master/overlay/frameworks/base/core/res/res/xml/storage_list.xml">storage_list.xml</a></li>
</ul>
+<p>As an example for Android 4.3 and later devices, here's the <code>fstab.goldfish</code> file
+for the Android emulator, which emulates an external SD card as primary external storage:</p>
+<ul>
+<li><a href="https://android.googlesource.com/device/generic/goldfish/+/master/fstab.goldfish">fstab.goldfish</a></li>
+</ul>
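Review bot: The new fstab.goldfish link points at +/master/, so the example will silently change as the emulator device tree evolves (the existing Xoom links have the same problem); since this paragraph is explicitly about the 4.3 format, consider linking a release tag or a specific commit so the example keeps matching the format described above. The change from a curly to a straight apostrophe in "here's" is consistent with the identical change in the later hunk.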
<p>Access to external storage is protected by various Android permissions.
Starting in Android 1.0, write access is protected with the
<code>WRITE_EXTERNAL_STORAGE</code> permission, implemented using the <code>sdcard_rw</code> GID.
@@ -113,7 +139,7 @@ storage into that private namespace.</p>
it bind mounts the appropriate user-specific subdirectory from under the FUSE
daemon to <code>EMULATED_STORAGE_TARGET</code> so that external storage paths resolve
correctly for the app. Because an app lacks accessible mount points for other
-users’ storage, they can only access storage for the user it was started as.</p>
+users' storage, they can only access storage for the user it was started as.</p>
<p>This implementation also uses the shared subtree kernel feature to propagate
mount events from the default root namespace into app namespaces, which ensures
that features like ASEC containers and OBB mounting continue working correctly.
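Review bot: Only the apostrophe changes here, but the sentence being rewritten still has a number disagreement: "Because an app lacks accessible mount points for other users' storage, they can only access storage for the user it was started as" mixes "an app" with "they"; "it can only access" fixes it, and this is the right hunk to do it in since the line is already being touched.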