From d6fec06b797695fe1762b489abe5361ccc3c2005 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 27 Jan 2012 13:06:53 -0800
Subject: [PATCH] Restrict zygote to system user.

CVE-2011-3918: Address denial of service attack against Android's
zygote process. This change enforces that only UID=system can
directly connect to zygote to spawn processes.

Change-Id: I89f5f05fa44ba8582920b66854df3e79527ae067
---
 rootdir/init.rc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rootdir/init.rc b/rootdir/init.rc
index 05106963c7..840faa5823 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -412,7 +412,7 @@ service surfaceflinger /system/bin/surfaceflinger
 
 service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
     class main
-    socket zygote stream 666
+    socket zygote stream 660 root system
     onrestart write /sys/android_power/request_state wake
     onrestart write /sys/power/state on
     onrestart restart media
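Review bot: The new line `socket zygote stream 660 root system` gives read/write to owner root and to every process whose group set includes `system`, which is wider than the commit message's "only UID=system"; access is gated by group membership, not by UID. I would record the intent on the line itself so the mode is not relaxed again later, e.g. `# zygote socket: root + group system only (CVE-2011-3918); do not widen to 666`. The file mode is also the only gate visible in this hunk, so if zygote does not already check the caller's peer credentials when it accepts a connection, that check would be a useful second layer against a future supplementary-group grant of `system`. The zygote service block continues past the end of the hunk, so any later options are not covered here.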
-- 
GitLab