Closed. coderobe closed this issue 6 years ago.
This should probably also be merged into all other watch model layers
Friday, 18 May 2018, 21:20 +0200, from Robin B. notifications@github.com:
> This should probably also be merged into all other watch model layers
Mhh, it looks like this port didn't follow the instructions from https://asteroidos.org/wiki/porting-guide/ correctly. Calling this script: https://github.com/AsteroidOS/meta-asteroid/blob/master/scripts/check-config#L216 should have disabled the paranoid network option. Anyway, thanks for your finding!
Android adds a "paranoid network" option to the Linux kernel, which restricts access to some networking features depending on the group of the calling process. This option should not be set in any other OS not using the Android security model, because it requires 4 groups with specific UIDs (3001-3005) to exist, and all relevant users to be added to them - which in our case would be all users anyway, as that's the "traditional" behavior.
This prevents regular users from performing nslookup, curl, wget, or anything else using socket() that isn't suid root.
See https://elinux.org/Android_Security#Paranoid_network-ing for more info.
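The check a port's kernel configuration step should be making, as an added example that is not the AsteroidOS check-config script and not code from this thread: it audits a kernel `.config` for `CONFIG_ANDROID_PARANOID_NETWORK` (the Kconfig symbol the Android option uses), rewrites the file so the option is off in the form `make olddefconfig` accepts, and reports what the running kernel was built with when `/proc/config.gz` is available. The sample `.config` in `demo` is constructed for the example; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not the AsteroidOS check-config script.
# Audits and disables CONFIG_ANDROID_PARANOID_NETWORK in a kernel .config.

# Print "set" if the option is enabled in the .config given as $1, else "unset".
paranoid_network_state() {
    if grep -q '^CONFIG_ANDROID_PARANOID_NETWORK=y' "$1"; then
        echo set
    else
        echo unset
    fi
}

# Rewrite the .config given as $1 so the option is disabled. Every existing
# mention (=y or "is not set") is dropped and a single "is not set" line is
# appended, which is the form Kconfig's olddefconfig accepts.
disable_paranoid_network() {
    cfg="$1"
    tmp="$cfg.tmp"
    # grep -v exits 1 when nothing remains, which is not an error here.
    grep -v 'CONFIG_ANDROID_PARANOID_NETWORK' "$cfg" > "$tmp" || true
    printf '# CONFIG_ANDROID_PARANOID_NETWORK is not set\n' >> "$tmp"
    mv "$tmp" "$cfg"
}

# Report the option in the kernel currently running on the device, if the
# kernel exposes its config (CONFIG_IKCONFIG_PROC); "unknown" otherwise.
running_kernel_state() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz | grep -q '^CONFIG_ANDROID_PARANOID_NETWORK=y' \
            && echo set || echo unset
    else
        echo unknown
    fi
}

# Walk a constructed .config (sample content, not from a real port) through
# the audit: returns the before/after states as "set -> unset".
demo() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
CONFIG_NET=y
CONFIG_ANDROID_PARANOID_NETWORK=y
CONFIG_INET=y
EOF
    before=$(paranoid_network_state "$cfg")
    disable_paranoid_network "$cfg"
    after=$(paranoid_network_state "$cfg")
    rm -f "$cfg"
    echo "$before -> $after"
}
```

On a device the quick confirmation, as a non-root user, is whether `nslookup` or `curl` still gets `Permission denied` from `socket()` after rebuilding with the option disabled; `running_kernel_state` tells you which kernel you are actually looking at.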