Adding users for OEM native cod

by Dan Hein » Tue, 01 Sep 2009 14:41:35 GMT


 What if I want to add another oemuser, similar to "radio" such that I
can support neato_oem_widgit or neato_oem_daemon?  How do I do this in
Android such that I can better architect areas of code that need
privileged execution from those that do not, e.g. such as in the
following:


 http://nob.cs.ucdavis.edu/bishop/secprog/ 

 http://www.aquaphoenix.com/ref/gnu_c_library/libc_438.html 


I am currently running neato_oem_daemon as root.  I want to reduce its
privilege level to "oemuser", to better sandbox it, restrict the files
it can read/write, and give it its own system properties, etc.
However, reading the current warnings about changing the AID list
in private/android_filesystem_config.h makes it seem that adding such a
user is not possible.

What is the best way to do this (use setuid, restrict files for
oem_daemon, impart system properties to oem_daemon) in the bowels of
Android without messing up more widespread platform assumptions about
user IDs?

Thanks,
Dan




by JoelV » Wed, 02 Sep 2009 17:23:08 GMT


 Good question Dan, I had a similar one that I posted to the porting
forum a while back, see 



by Dianne Hackborn » Wed, 02 Sep 2009 19:07:07 GMT


 The only uids android uses as far as I know are those defined in the
filesystem header, and everything from 10000 and above for dynamically
assigning to applications.





by Dan Hein » Wed, 02 Sep 2009 20:32:17 GMT


 Thanks Dianne.

I think what Joel and I are really asking is whether or not we can
submit a patch to files such as

system/core/include/private/android_filesystem_config.h
frameworks/base/cmds/servicemanager/service_manager.c

where we define an AID range for OEM use.  As Joel suggested, 9000-9100.

I think Joel and I want to follow best practices by running
'oem_widget' with least privilege and with proper confinement.

Joel,

If this suggestion goes anywhere, we'd probably want to make the range
even larger, just to be forward-looking.

Many thanks,
Dan
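
Added example, not part of the thread or of the Android source: one way a native daemon started as root could drop permanently to an ID in the OEM range discussed above. The 9000-9100 bounds are the range floated in this thread, and `is_oem_aid`, `drop_to_oem` and the two constants are hypothetical names.

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumption: the OEM range suggested in the thread, not a platform constant. */
#define OEM_AID_START 9000u
#define OEM_AID_END   9100u

static int is_oem_aid(unsigned id)
{
    return id >= OEM_AID_START && id <= OEM_AID_END;
}

/* Permanently drop from root to an OEM uid/gid. Returns 0 on success, -1 on error. */
int drop_to_oem(uid_t uid, gid_t gid)
{
    /* Refuse anything outside the OEM range (root, platform AIDs, app uids). */
    if (!is_oem_aid(uid) || !is_oem_aid(gid)) {
        errno = EINVAL;
        return -1;
    }
    /* Order matters: groups and gid can only be changed while still root.
     * Called as root, setgid()/setuid() set the real, effective and saved IDs. */
    if (setgroups(0, NULL) != 0) return -1;   /* clear supplementary groups */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;

    /* Check every return value above, then confirm the drop really happened. */
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    if (setuid(0) == 0) {                     /* root must not be recoverable */
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    if (drop_to_oem(9000, 9000) != 0) {
        perror("drop_to_oem");
        return 1;                             /* never continue as root on failure */
    }
    printf("running as uid=%u gid=%u\n", (unsigned)getuid(), (unsigned)getgid());
    return 0;                                 /* daemon work would start here */
}
```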






by Dianne Hackborn » Wed, 02 Sep 2009 21:24:52 GMT


 That would be fine with me.







by JoelV » Thu, 03 Sep 2009 18:16:48 GMT


 Thanks Dianne, Dan. I'm fine with broadening the OEM ID range that we
allocate, although I suspect that we won't have too many cases for a
device/device family where we'd need more than 100.

-Joel





by Dianne Hackborn » Thu, 03 Sep 2009 21:28:14 GMT


 Yeah 100 is quite a lot. :)  We probably don't even have half that number
used by the full platform, even counting all of the dynamic IDs assigned to
each of the built-in .apks. ;)









-- 
Dianne Hackborn
Android framework engineer
hack...@android.com

Note: please don't send private questions to me, as I don't have time to
provide private support, and so won't reply to such e-mails.  All such
questions should be posted on public forums, where I and others can see and
answer them.




by Dan Hein » Fri, 04 Sep 2009 03:42:46 GMT


 The attached patches show what I'm thinking.





