diff options
Diffstat (limited to 'zh-cn/devices/tech/config/ambient.html')
| -rw-r--r-- | zh-cn/devices/tech/config/ambient.html | 98 |
1 files changed, 98 insertions, 0 deletions
diff --git a/zh-cn/devices/tech/config/ambient.html b/zh-cn/devices/tech/config/ambient.html new file mode 100644 index 00000000..6f7f1eb4 --- /dev/null +++ b/zh-cn/devices/tech/config/ambient.html @@ -0,0 +1,98 @@ +<html devsite><head> + <title>实现 Ambient 权能</title> + <meta name="project_path" value="/_project.yaml"/> + <meta name="book_path" value="/_book.yaml"/> + </head> + <body> + <!-- + Copyright 2017 The Android Open Source Project + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + --> + + <p> +借助此类权能,Linux 进程可以舍弃大多数类似于 root 的权限,同时保留执行其权能所需的权限。此类权能的原始实现使得经过 fork + exec 处理的进程无法继承权能,除非正在执行的文件已配置文件权能。而文件权能会带来安全风险,这是因为任何进程只要执行具有文件权能的文件,则一律会获得这些权能。 + </p> + <p> +Ambient 权能允许系统服务在其 <code>.rc</code> 文件中配置各项权能,从而将其所有配置放入单个文件中,而不必将权能配置单独放入 <code>fs_config.c</code> 文件中。 + </p> + <h2 id="reference-implementation">参考实现</h2> + <p> +参考实现是 Android 通用内核 <a href="https://android.googlesource.com/kernel/common/">https://android.googlesource.com/kernel/common/</a> + </p> + <h2 id="required-patches">必需的补丁程序</h2> + <p> +必需的补丁程序已反向移植到所有相关的 Android 通用内核分支。 + </p> + <p> +主要 Ambient 权能补丁程序 <a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=58319057b7847667f0c9585b9de0e8932b0fdb08">https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=58319057b7847667f0c9585b9de0e8932b0fdb08</a> 已反向移植到: + +</p> + <ul> + <li>android-3.10 分支: + <ul> + <li><a href="https://android.googlesource.com/kernel/common/+/bdcd4484f1b399dfcb2fd7dd82b6869b2b6b60cd">https://android.googlesource.com/kernel/common/+/bdcd4484f1b399dfcb2fd7dd82b6869b2b6b60cd</a> + </li></ul> + </li><li>android-3.14 分支: + <ul> + <li><a href="https://android.googlesource.com/kernel/common/+/5440f16f1296ca05f33dfde51e8bb7ad48699640">https://android.googlesource.com/kernel/common/+/5440f16f1296ca05f33dfde51e8bb7ad48699640</a> + </li></ul> + </li><li>android-3.18: + <ul> + <li><a href="https://android.googlesource.com/kernel/common/+/d6a9a74487e86b528c44965f871de75671b6adb0">https://android.googlesource.com/kernel/common/+/d6a9a74487e86b528c44965f871de75671b6adb0</a> + </li></ul> + </li><li>android-4.1: + <ul> + <li><a href="https://android.googlesource.com/kernel/common/+/0381789d78d552462ef576d9759e9aa6fcaae3bb">https://android.googlesource.com/kernel/common/+/0381789d78d552462ef576d9759e9aa6fcaae3bb</a></li> + </ul> + </li></ul> + + <p> +一个小的安全修复程序 <a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b7f76ea2ef6739ee484a165ffbac98deb855d3d3">https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b7f76ea2ef6739ee484a165ffbac98deb855d3d3</a> 已反向移植到:</p> + + <ul> + <li>android-3.10 分支: + <ul> + <li><a href="https://android.googlesource.com/kernel/common/+/ef89def080c52eb7ea6a9455eb32b1b05867133b">https://android.googlesource.com/kernel/common/+/ef89def080c52eb7ea6a9455eb32b1b05867133b</a> + </li></ul> + </li><li>android-3.14 分支: + <ul> + <li><a href="https://android.googlesource.com/kernel/common/+/f75626b3092fad4e0bd8f2aed06947352781eb77">https://android.googlesource.com/kernel/common/+/f75626b3092fad4e0bd8f2aed06947352781eb77</a> + </li></ul> + </li><li>android-3.18: + <ul> + <li><a href="https://android.googlesource.com/kernel/common/+/7bc0ef844a537ebb786ba0574932bd65751818c6">https://android.googlesource.com/kernel/common/+/7bc0ef844a537ebb786ba0574932bd65751818c6</a> + </li></ul> + </li><li>android-4.1: + <ul> + <li><a href="https://android.googlesource.com/kernel/common/+/dda568cc40d855bde2dfa9c04a7a1628c80b7f63">https://android.googlesource.com/kernel/common/+/dda568cc40d855bde2dfa9c04a7a1628c80b7f63</a></li> + </ul> + </li></ul> + + <p> +版本低于 3.18 的内核所需的内存泄漏修复程序 <a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6d6f3328422a3bc56b0d8dd026a5de845d2abfa7">https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6d6f3328422a3bc56b0d8dd026a5de845d2abfa7</a> 已反向移植到: +</p> + + <ul> + <li>android-3.10 分支: + <ul> + <li><a href="https://android.googlesource.com/kernel/common/+/900e52782988ee11a1cb7d600e9edea48fc70f0f">https://android.googlesource.com/kernel/common/+/900e52782988ee11a1cb7d600e9edea48fc70f0f</a></li> + </ul> + </li></ul> + + <h2 id="validation">验证</h2> + <p> + <a href="https://android.googlesource.com/platform/bionic/+/master#Running-the-tests">仿生单元测试</a>包括针对 Ambient 权能的单元测试。此外,如果在 Android init 中为某项服务使用“capabilities”关键字,然后检查该服务是否获得了预期的权能,则可以对 Ambient 权能进行运行时测试。 + </p> + +</body></html>
\ No newline at end of file |