Changes

B2G/Architecture/System Security

469 bytes added, 17:59, 4 June 2012
m
OS Hardening
* Review of system daemons setup (wpa_supplicant, gpsd, etc)
* Compilation of the software with full ASLR support (incl. linker) and SSP/PIE binaries has been found to currently impact the runtime performance significantly.
* Mount points should contain the following mount options (and may contain more options):
{| border="1"
|| /mnt/sdcard || ext4-or-vfat || read-write, nosuid, nodev, noexec, uid=1000, fmask=0702, dmask=0702
|-
|| /acct || cgroup || read-write, nosuid, nodev, noexec
|-
|| /dev/cpuctl || cgroup || read-write, nosuid, nodev, noexec
|}
 
* If any additional mount is present, the rationale is that only areas that contain user content may be read-write (unless the OS itself requires a new read-write area in the future), and they must include the nodev, nosuid and noexec options.
* Mount point paths may vary
* Updates are signed in the update file (MAR format, see also: https://wiki.mozilla.org/Software_Update:MAR)
See https://bugzilla.mozilla.org/show_bug.cgi?id=715816 for implementation (in progress)
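
One way to check the mount-option rule above on a running device, as an added example that is not part of the original page or of B2G: it parses text in <code>/proc/mounts</code> format and reports every read-write mount that lacks nosuid, nodev or noexec. The sample entries and the function names are constructed for illustration; whether a read-write area actually holds user content still has to be judged by a reviewer.

```python
# Added example: audit /proc/mounts-style text against the mount policy above.
REQUIRED = {"nosuid", "nodev", "noexec"}

# Constructed sample in /proc/mounts format:
# device, mount point, fstype, options, dump, pass
SAMPLE_MOUNTS = """\
rootfs / rootfs ro,relatime 0 0
/dev/block/mmcblk0p1 /system ext4 ro,relatime 0 0
/dev/block/vold/179:1 /mnt/sdcard vfat rw,nosuid,nodev,noexec,uid=1000,fmask=0702,dmask=0702 0 0
none /acct cgroup rw,nosuid,nodev,noexec 0 0
none /dev/cpuctl cgroup rw,nosuid,nodev 0 0
/dev/block/mmcblk0p5 /cache ext4 rw,nodev 0 0
"""

def unescape(field):
    # /proc/mounts encodes space, tab, newline and backslash as octal escapes;
    # the backslash escape is decoded last so it cannot create a new escape.
    for esc, ch in (("\\040", " "), ("\\011", "\t"), ("\\012", "\n"), ("\\134", "\\")):
        field = field.replace(esc, ch)
    return field

def audit_mounts(text):
    """Return {mount_point: sorted missing options} for every read-write mount
    that lacks one of nosuid, nodev, noexec. Read-only mounts are skipped."""
    findings = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # not a complete mount entry
        mount_point = unescape(parts[1])
        options = set(parts[3].split(","))
        if "rw" not in options:
            continue
        missing = REQUIRED - options
        if missing:
            findings[mount_point] = sorted(missing)
    return findings

if __name__ == "__main__":
    for mp, missing in sorted(audit_mounts(SAMPLE_MOUNTS).items()):
        print(f"{mp}: read-write mount missing {','.join(missing)}")
```

On a device, the same function can be fed the contents of <code>/proc/mounts</code> instead of the constructed sample.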
 
== Protecting the user data ==