Difference between revisions of "Keeping your port secure"

From Omni
(Added patch link for CVE-2014-4943)
(Added link to "net: guard tcp_set_keepalive() to tcp sockets")
Line 24: Line 24:
* https://github.com/torvalds/linux/commit/e9c243a5a6de0be8e584c604d353412584b592f8
* https://github.com/torvalds/linux/commit/e9c243a5a6de0be8e584c604d353412584b592f8
* https://github.com/torvalds/linux/commit/3cf521f7dc87c031617fd47e4b7aa2593c2f3daf
* https://github.com/torvalds/linux/commit/3cf521f7dc87c031617fd47e4b7aa2593c2f3daf
* https://github.com/torvalds/linux/commit/3e10986d1d698140747fcfc2761ec9cb64c1d582
To cherry-pick those patches into your kernel:
To cherry-pick those patches into your kernel:
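Review bot: The entry added at the end of the list (commit 3e10986d1d698140747fcfc2761ec9cb64c1d582) is a bare URL like the two above it, so nothing in the list says which fix each link carries. The edit summary names this one ("net: guard tcp_set_keepalive() to tcp sockets"), but that text does not reach the page. Suggest putting the commit subject, and the CVE id where one exists, next to each link so that porters can check their tree by title as well as by hash.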

Latest revision as of 10:04, 15 September 2014

One of Omni's goals is to bring the best security to your devices. Besides the changes we can make at the framework level, a number of changes are needed in device trees and kernels that we cannot make automatically.

Please make sure that your device trees and kernels follow the guidance here.

Device trees

Check your init permissions

Make sure your init.*.rc files don't set unnecessary permissions. Compare them against a stock ROM.

Nothing should EVER have '777' or '666'.
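
One way to run this check over a device tree, as an added example that is not part of the original page or of Omni's tooling: a shell function that flags chmod, mkdir and socket directives whose mode is writable by everyone. It goes slightly beyond the literal '777' and '666' to catch any mode with the world-write bit set; the function names and the sample file are hypothetical.

```shell
# Added example (not Omni's code): flag world-writable modes in init*.rc files.
# Assumes Android init syntax: "chmod <mode> <path>",
# "mkdir <path> [mode] [owner] [group]", "socket <name> <type> <perm> ...".

# Print "file:line: directive" for every mode whose last octal digit has the
# write bit set for "other" (777 and 666, but also 0772, 0222, ...).
scan_init_perms() {
    find "$1" -type f -name 'init*.rc' | sort | while IFS= read -r f; do
        awk -v file="$f" '
            function world_writable(m,    d) {
                if (m !~ /^[0-7]+$/) return 0
                d = substr(m, length(m), 1) + 0
                return (d == 2 || d == 3 || d == 6 || d == 7)
            }
            /^[ \t]*#/ { next }    # comment lines
            {
                mode = ""
                if ($1 == "chmod") mode = $2
                else if ($1 == "mkdir") mode = $3
                else if ($1 == "socket") mode = $4
                if (world_writable(mode)) {
                    sub(/^[ \t]+/, "")
                    printf "%s:%d: %s\n", file, NR, $0
                }
            }' "$f"
    done
}

# Constructed sample device file, not taken from any real device tree.
write_sample() {
    cat > "$1/init.sample.rc" <<'EOF'
on post-fs-data
    mkdir /data/misc/sample 0770 system system
    mkdir /data/sample_logs 0777 system system
    # chmod 0666 /dev/commented_out
    chmod 0666 /dev/sample_node
    chmod 0660 /dev/other_node

service sampled /system/bin/sampled
    socket sampled stream 666 root root
    socket sampled_ctl stream 660 root system
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp"
scan_init_perms "$tmp"
rm -rf "$tmp"
```

Point scan_init_perms at your device tree directory and compare each hit against the same file from a stock ROM.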


Security patches

Please make sure your kernels have the following security patches from the mainline kernel:

To cherry-pick those patches into your kernel:

git remote add linux https://github.com/torvalds/linux
git fetch linux
git cherry-pick <commit>

where <commit> is, for example, 'c95eb3184ea1a3a2551df57190c81da695e2144b' for the first patch. If you get merge errors, it is likely that the patch has already been applied. However, you should make sure it really has been, by checking the merge markers.

Another method that can be used (and that in general allows reasonably easy cherry-picking from GitHub):

wget https://github.com/torvalds/linux/commit/c95eb3184ea1a3a2551df57190c81da695e2144b.patch
git am c95eb3184ea1a3a2551df57190c81da695e2144b.patch
wget https://github.com/torvalds/linux/commit/6e601a53566d84e1ffd25e7b6fe0b6894ffd79c0.patch
git am 6e601a53566d84e1ffd25e7b6fe0b6894ffd79c0.patch

In addition, please also ensure you apply the following patches from CAF:

https://www.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=76565e3d786bed66f247c682bd9f591098522483 (more information available at https://www.codeaurora.org/projects/security-advisories/missing-access-checks-putusergetuser-kernel-api-cve-2013-6282)