Browse files

Restrict zygote to system user.

CVE-2011-3918: Address denial of service attack against Android's
zygote process. This change enforces that only UID=system can
directly connect to zygote to spawn processes.

Change-Id: I89f5f05fa44ba8582920b66854df3e79527ae067
  • Loading branch information...
1 parent 486e637 commit a86a3bb5252c7e405b5aebf0631ed933c343773a @nickkral nickkral committed with tpruvot Jan 27, 2012
Showing with 1 addition and 1 deletion.
  1. +1 −1 rootdir/init.rc
@@ -443,7 +443,7 @@ service surfaceflinger /system/bin/surfaceflinger
service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
class main
- socket zygote stream 666
+ socket zygote stream 660 root system
onrestart write /sys/android_power/request_state wake
onrestart write /sys/power/state on
onrestart restart media

0 comments on commit a86a3bb

Please sign in to comment.