
Commit 9862ef94 authored by Josh Gao's avatar Josh Gao Committed by android-build-merger

zygote: make all capabilities inheritable. am: 45dab78e am: 0f2a0b99

am: 6f372daa

Change-Id: I1144d36ccaafa5d60249eaecbb8c5845c263a666
parents 83a2e949 6f372daa
+30 −3
@@ -253,13 +253,36 @@ static void DropCapabilitiesBoundingSet(JNIEnv* env) {
        ALOGE("prctl(PR_CAPBSET_DROP) failed with EINVAL. Please verify "
        ALOGE("prctl(PR_CAPBSET_DROP) failed with EINVAL. Please verify "
              "your kernel is compiled with file capabilities support");
              "your kernel is compiled with file capabilities support");
      } else {
      } else {
        ALOGE("prctl(PR_CAPBSET_DROP, %d) failed: %s", i, strerror(errno));
        RuntimeAbort(env, __LINE__, "prctl(PR_CAPBSET_DROP) failed");
        RuntimeAbort(env, __LINE__, "prctl(PR_CAPBSET_DROP) failed");
      }
      }
    }
    }
  }
  }
}
}


static void SetCapabilities(JNIEnv* env, int64_t permitted, int64_t effective) {
static void SetInheritable(JNIEnv* env, uint64_t inheritable) {
  __user_cap_header_struct capheader;
  memset(&capheader, 0, sizeof(capheader));
  capheader.version = _LINUX_CAPABILITY_VERSION_3;
  capheader.pid = 0;

  __user_cap_data_struct capdata[2];
  if (capget(&capheader, &capdata[0]) == -1) {
    ALOGE("capget failed: %s", strerror(errno));
    RuntimeAbort(env, __LINE__, "capget failed");
  }

  capdata[0].inheritable = inheritable;
  capdata[1].inheritable = inheritable >> 32;

  if (capset(&capheader, &capdata[0]) == -1) {
    ALOGE("capset(inh=%" PRIx64 ") failed: %s", inheritable, strerror(errno));
    RuntimeAbort(env, __LINE__, "capset failed");
  }
}

static void SetCapabilities(JNIEnv* env, uint64_t permitted, uint64_t effective,
                            uint64_t inheritable) {
  __user_cap_header_struct capheader;
  __user_cap_header_struct capheader;
  memset(&capheader, 0, sizeof(capheader));
  memset(&capheader, 0, sizeof(capheader));
  capheader.version = _LINUX_CAPABILITY_VERSION_3;
  capheader.version = _LINUX_CAPABILITY_VERSION_3;
@@ -271,9 +294,12 @@ static void SetCapabilities(JNIEnv* env, int64_t permitted, int64_t effective) {
  capdata[1].effective = effective >> 32;
  capdata[1].effective = effective >> 32;
  capdata[0].permitted = permitted;
  capdata[0].permitted = permitted;
  capdata[1].permitted = permitted >> 32;
  capdata[1].permitted = permitted >> 32;
  capdata[0].inheritable = inheritable;
  capdata[1].inheritable = inheritable >> 32;


  if (capset(&capheader, &capdata[0]) == -1) {
  if (capset(&capheader, &capdata[0]) == -1) {
    ALOGE("capset(%" PRId64 ", %" PRId64 ") failed", permitted, effective);
    ALOGE("capset(perm=%" PRIx64 ", eff=%" PRIx64 ", inh=%" PRIx64 ") failed: %s", permitted,
          effective, inheritable, strerror(errno));
    RuntimeAbort(env, __LINE__, "capset failed");
    RuntimeAbort(env, __LINE__, "capset failed");
  }
  }
}
}
@@ -527,6 +553,7 @@ static pid_t ForkAndSpecializeCommon(JNIEnv* env, uid_t uid, gid_t gid, jintArra
      EnableKeepCapabilities(env);
      EnableKeepCapabilities(env);
    }
    }


    SetInheritable(env, permittedCapabilities);
    DropCapabilitiesBoundingSet(env);
    DropCapabilitiesBoundingSet(env);


    bool use_native_bridge = !is_system_server && (instructionSet != NULL)
    bool use_native_bridge = !is_system_server && (instructionSet != NULL)
@@ -599,7 +626,7 @@ static pid_t ForkAndSpecializeCommon(JNIEnv* env, uid_t uid, gid_t gid, jintArra
        }
        }
    }
    }


    SetCapabilities(env, permittedCapabilities, effectiveCapabilities);
    SetCapabilities(env, permittedCapabilities, effectiveCapabilities, permittedCapabilities);


    SetSchedulerPolicy(env);
    SetSchedulerPolicy(env);
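Review bot: The placement of `SetInheritable(env, permittedCapabilities);` directly before `DropCapabilitiesBoundingSet(env);` in ForkAndSpecializeCommon is load-bearing, yet nothing in the new code says so. Per capabilities(7), capset() rejects an inheritable bit that is in neither the current inheritable set nor the bounding set, so the later `SetCapabilities(env, permittedCapabilities, effectiveCapabilities, permittedCapabilities)` call presumably succeeds only because those bits were raised while the bounding set was still full. I would add a comment at the call site such as `// Must precede DropCapabilitiesBoundingSet(): capset() cannot add inheritable caps that are absent from the bounding set.` so a later reorder does not turn into a capset abort in every forked child. SetInheritable also deserves a short header comment stating that it rewrites only the inheritable set, keeps the permitted and effective values returned by capget(), and why the zygote wants the permitted set to survive an exec. ForkAndSpecializeCommon begins and ends outside the hunks shown, so what runs between the two calls is not visible here.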