Loading init/capabilities.cpp +38 −10 Original line number Original line Diff line number Diff line Loading @@ -25,8 +25,7 @@ #define CAP_MAP_ENTRY(cap) { #cap, CAP_##cap } #define CAP_MAP_ENTRY(cap) { #cap, CAP_##cap } namespace { static const std::map<std::string, int> cap_map = { const std::map<std::string, int> cap_map = { CAP_MAP_ENTRY(CHOWN), CAP_MAP_ENTRY(CHOWN), CAP_MAP_ENTRY(DAC_OVERRIDE), CAP_MAP_ENTRY(DAC_OVERRIDE), CAP_MAP_ENTRY(DAC_READ_SEARCH), CAP_MAP_ENTRY(DAC_READ_SEARCH), Loading Loading @@ -69,9 +68,30 @@ const std::map<std::string, int> cap_map = { static_assert(CAP_LAST_CAP == CAP_AUDIT_READ, "CAP_LAST_CAP is not CAP_AUDIT_READ"); static_assert(CAP_LAST_CAP == CAP_AUDIT_READ, "CAP_LAST_CAP is not CAP_AUDIT_READ"); bool DropBoundingSet(const CapSet& to_keep) { static bool ComputeCapAmbientSupported() { for (size_t cap = 0; cap < to_keep.size(); ++cap) { return prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_CHOWN, 0, 0) >= 0; if (to_keep.test(cap)) { } static unsigned int ComputeLastValidCap() { // Android does not support kernels < 3.8. 'CAP_WAKE_ALARM' has been present since 3.0, see // http://lxr.free-electrons.com/source/include/linux/capability.h?v=3.0#L360. unsigned int last_valid_cap = CAP_WAKE_ALARM; for (; prctl(PR_CAPBSET_READ, last_valid_cap, 0, 0, 0) >= 0; ++last_valid_cap); // |last_valid_cap| will be the first failing value. return last_valid_cap - 1; } static bool DropBoundingSet(const CapSet& to_keep) { unsigned int last_valid_cap = GetLastValidCap(); // When dropping the bounding set, attempt to drop capabilities reported at // run-time, not at compile-time. // If the run-time kernel is older than the compile-time headers, this // avoids dropping an invalid capability. If the run-time kernel is newer // than the headers, this guarantees all capabilities (even those unknown at // compile time) will be dropped. for (size_t cap = 0; cap <= last_valid_cap; ++cap) { if (cap < to_keep.size() && to_keep.test(cap)) { // No need to drop this capability. // No need to drop this capability. continue; continue; } } Loading @@ -83,14 +103,14 @@ bool DropBoundingSet(const CapSet& to_keep) { return true; return true; } } bool SetProcCaps(const CapSet& to_keep, bool add_setpcap) { static bool SetProcCaps(const CapSet& to_keep, bool add_setpcap) { cap_t caps = cap_init(); cap_t caps = cap_init(); auto deleter = [](cap_t* p) { cap_free(*p); }; auto deleter = [](cap_t* p) { cap_free(*p); }; std::unique_ptr<cap_t, decltype(deleter)> ptr_caps(&caps, deleter); std::unique_ptr<cap_t, decltype(deleter)> ptr_caps(&caps, deleter); cap_clear(caps); cap_clear(caps); cap_value_t value[1]; cap_value_t value[1]; for (size_t cap = 0; cap <= to_keep.size(); ++cap) { for (size_t cap = 0; cap < to_keep.size(); ++cap) { if (to_keep.test(cap)) { if (to_keep.test(cap)) { value[0] = cap; value[0] = cap; if (cap_set_flag(caps, CAP_INHERITABLE, arraysize(value), value, CAP_SET) != 0 || if (cap_set_flag(caps, CAP_INHERITABLE, arraysize(value), value, CAP_SET) != 0 || Loading @@ -117,7 +137,7 @@ bool SetProcCaps(const CapSet& to_keep, bool add_setpcap) { return true; return true; } } bool SetAmbientCaps(const CapSet& to_raise) { static bool SetAmbientCaps(const CapSet& to_raise) { for (size_t cap = 0; cap < to_raise.size(); ++cap) { for (size_t cap = 0; cap < to_raise.size(); ++cap) { if (to_raise.test(cap)) { if (to_raise.test(cap)) { if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0) != 0) { if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0) != 0) { Loading @@ -129,8 +149,6 @@ bool SetAmbientCaps(const CapSet& to_raise) { return true; return true; } } } // namespace anonymous int LookupCap(const std::string& cap_name) { int LookupCap(const std::string& cap_name) { auto e = cap_map.find(cap_name); auto e = cap_map.find(cap_name); if (e != cap_map.end()) { if (e != cap_map.end()) { Loading @@ -140,6 +158,16 @@ int LookupCap(const std::string& cap_name) { } } } } bool CapAmbientSupported() { static bool cap_ambient_supported = ComputeCapAmbientSupported(); return cap_ambient_supported; } unsigned int GetLastValidCap() { static unsigned int last_valid_cap = ComputeLastValidCap(); return last_valid_cap; } bool SetCapsForExec(const CapSet& to_keep) { bool SetCapsForExec(const CapSet& to_keep) { // Need to keep SETPCAP to drop bounding set below. // Need to keep SETPCAP to drop bounding set below. bool add_setpcap = true; bool add_setpcap = true; Loading init/capabilities.h +7 −0 Original line number Original line Diff line number Diff line Loading @@ -12,6 +12,9 @@ // See the License for the specific language governing permissions and // See the License for the specific language governing permissions and // limitations under the License. // limitations under the License. #ifndef _INIT_CAPABILITIES_H #define _INIT_CAPABILITIES_H #include <linux/capability.h> #include <linux/capability.h> #include <bitset> #include <bitset> Loading @@ -20,4 +23,8 @@ using CapSet = std::bitset<CAP_LAST_CAP + 1>; using CapSet = std::bitset<CAP_LAST_CAP + 1>; int LookupCap(const std::string& cap_name); int LookupCap(const std::string& cap_name); bool CapAmbientSupported(); unsigned int GetLastValidCap(); bool SetCapsForExec(const CapSet& to_keep); bool SetCapsForExec(const CapSet& to_keep); #endif // _INIT_CAPABILITIES_H init/service.cpp +17 −2 Original line number Original line Diff line number Diff line Loading @@ -312,13 +312,28 @@ void Service::DumpState() const { bool Service::ParseCapabilities(const std::vector<std::string>& args, std::string* err) { bool Service::ParseCapabilities(const std::vector<std::string>& args, std::string* err) { capabilities_ = 0; capabilities_ = 0; if (!CapAmbientSupported()) { *err = "capabilities requested but the kernel does not support ambient capabilities"; return false; } unsigned int last_valid_cap = GetLastValidCap(); if (last_valid_cap >= capabilities_.size()) { LOG(WARNING) << "last valid run-time capability is larger than CAP_LAST_CAP"; } for (size_t i = 1; i < args.size(); i++) { for (size_t i = 1; i < args.size(); i++) { const std::string& arg = args[i]; const std::string& arg = args[i]; int cap = LookupCap(arg); int res = LookupCap(arg); if (cap == -1) { if (res < 0) { *err = StringPrintf("invalid capability '%s'", arg.c_str()); *err = StringPrintf("invalid capability '%s'", arg.c_str()); return false; return false; } } unsigned int cap = static_cast<unsigned int>(res); // |res| is >= 0. if (cap > last_valid_cap) { *err = StringPrintf("capability '%s' not supported by the kernel", arg.c_str()); return false; } capabilities_[cap] = true; capabilities_[cap] = true; } } return true; return true; Loading Loading
init/capabilities.cpp +38 −10 Original line number Original line Diff line number Diff line Loading @@ -25,8 +25,7 @@ #define CAP_MAP_ENTRY(cap) { #cap, CAP_##cap } #define CAP_MAP_ENTRY(cap) { #cap, CAP_##cap } namespace { static const std::map<std::string, int> cap_map = { const std::map<std::string, int> cap_map = { CAP_MAP_ENTRY(CHOWN), CAP_MAP_ENTRY(CHOWN), CAP_MAP_ENTRY(DAC_OVERRIDE), CAP_MAP_ENTRY(DAC_OVERRIDE), CAP_MAP_ENTRY(DAC_READ_SEARCH), CAP_MAP_ENTRY(DAC_READ_SEARCH), Loading Loading @@ -69,9 +68,30 @@ const std::map<std::string, int> cap_map = { static_assert(CAP_LAST_CAP == CAP_AUDIT_READ, "CAP_LAST_CAP is not CAP_AUDIT_READ"); static_assert(CAP_LAST_CAP == CAP_AUDIT_READ, "CAP_LAST_CAP is not CAP_AUDIT_READ"); bool DropBoundingSet(const CapSet& to_keep) { static bool ComputeCapAmbientSupported() { for (size_t cap = 0; cap < to_keep.size(); ++cap) { return prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_CHOWN, 0, 0) >= 0; if (to_keep.test(cap)) { } static unsigned int ComputeLastValidCap() { // Android does not support kernels < 3.8. 'CAP_WAKE_ALARM' has been present since 3.0, see // http://lxr.free-electrons.com/source/include/linux/capability.h?v=3.0#L360. unsigned int last_valid_cap = CAP_WAKE_ALARM; for (; prctl(PR_CAPBSET_READ, last_valid_cap, 0, 0, 0) >= 0; ++last_valid_cap); // |last_valid_cap| will be the first failing value. return last_valid_cap - 1; } static bool DropBoundingSet(const CapSet& to_keep) { unsigned int last_valid_cap = GetLastValidCap(); // When dropping the bounding set, attempt to drop capabilities reported at // run-time, not at compile-time. // If the run-time kernel is older than the compile-time headers, this // avoids dropping an invalid capability. If the run-time kernel is newer // than the headers, this guarantees all capabilities (even those unknown at // compile time) will be dropped. for (size_t cap = 0; cap <= last_valid_cap; ++cap) { if (cap < to_keep.size() && to_keep.test(cap)) { // No need to drop this capability. // No need to drop this capability. continue; continue; } } Loading @@ -83,14 +103,14 @@ bool DropBoundingSet(const CapSet& to_keep) { return true; return true; } } bool SetProcCaps(const CapSet& to_keep, bool add_setpcap) { static bool SetProcCaps(const CapSet& to_keep, bool add_setpcap) { cap_t caps = cap_init(); cap_t caps = cap_init(); auto deleter = [](cap_t* p) { cap_free(*p); }; auto deleter = [](cap_t* p) { cap_free(*p); }; std::unique_ptr<cap_t, decltype(deleter)> ptr_caps(&caps, deleter); std::unique_ptr<cap_t, decltype(deleter)> ptr_caps(&caps, deleter); cap_clear(caps); cap_clear(caps); cap_value_t value[1]; cap_value_t value[1]; for (size_t cap = 0; cap <= to_keep.size(); ++cap) { for (size_t cap = 0; cap < to_keep.size(); ++cap) { if (to_keep.test(cap)) { if (to_keep.test(cap)) { value[0] = cap; value[0] = cap; if (cap_set_flag(caps, CAP_INHERITABLE, arraysize(value), value, CAP_SET) != 0 || if (cap_set_flag(caps, CAP_INHERITABLE, arraysize(value), value, CAP_SET) != 0 || Loading @@ -117,7 +137,7 @@ bool SetProcCaps(const CapSet& to_keep, bool add_setpcap) { return true; return true; } } bool SetAmbientCaps(const CapSet& to_raise) { static bool SetAmbientCaps(const CapSet& to_raise) { for (size_t cap = 0; cap < to_raise.size(); ++cap) { for (size_t cap = 0; cap < to_raise.size(); ++cap) { if (to_raise.test(cap)) { if (to_raise.test(cap)) { if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0) != 0) { if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0) != 0) { Loading @@ -129,8 +149,6 @@ bool SetAmbientCaps(const CapSet& to_raise) { return true; return true; } } } // namespace anonymous int LookupCap(const std::string& cap_name) { int LookupCap(const std::string& cap_name) { auto e = cap_map.find(cap_name); auto e = cap_map.find(cap_name); if (e != cap_map.end()) { if (e != cap_map.end()) { Loading @@ -140,6 +158,16 @@ int LookupCap(const std::string& cap_name) { } } } } bool CapAmbientSupported() { static bool cap_ambient_supported = ComputeCapAmbientSupported(); return cap_ambient_supported; } unsigned int GetLastValidCap() { static unsigned int last_valid_cap = ComputeLastValidCap(); return last_valid_cap; } bool SetCapsForExec(const CapSet& to_keep) { bool SetCapsForExec(const CapSet& to_keep) { // Need to keep SETPCAP to drop bounding set below. // Need to keep SETPCAP to drop bounding set below. bool add_setpcap = true; bool add_setpcap = true; Loading
init/capabilities.h +7 −0 Original line number Original line Diff line number Diff line Loading @@ -12,6 +12,9 @@ // See the License for the specific language governing permissions and // See the License for the specific language governing permissions and // limitations under the License. // limitations under the License. #ifndef _INIT_CAPABILITIES_H #define _INIT_CAPABILITIES_H #include <linux/capability.h> #include <linux/capability.h> #include <bitset> #include <bitset> Loading @@ -20,4 +23,8 @@ using CapSet = std::bitset<CAP_LAST_CAP + 1>; using CapSet = std::bitset<CAP_LAST_CAP + 1>; int LookupCap(const std::string& cap_name); int LookupCap(const std::string& cap_name); bool CapAmbientSupported(); unsigned int GetLastValidCap(); bool SetCapsForExec(const CapSet& to_keep); bool SetCapsForExec(const CapSet& to_keep); #endif // _INIT_CAPABILITIES_H
init/service.cpp +17 −2 Original line number Original line Diff line number Diff line Loading @@ -312,13 +312,28 @@ void Service::DumpState() const { bool Service::ParseCapabilities(const std::vector<std::string>& args, std::string* err) { bool Service::ParseCapabilities(const std::vector<std::string>& args, std::string* err) { capabilities_ = 0; capabilities_ = 0; if (!CapAmbientSupported()) { *err = "capabilities requested but the kernel does not support ambient capabilities"; return false; } unsigned int last_valid_cap = GetLastValidCap(); if (last_valid_cap >= capabilities_.size()) { LOG(WARNING) << "last valid run-time capability is larger than CAP_LAST_CAP"; } for (size_t i = 1; i < args.size(); i++) { for (size_t i = 1; i < args.size(); i++) { const std::string& arg = args[i]; const std::string& arg = args[i]; int cap = LookupCap(arg); int res = LookupCap(arg); if (cap == -1) { if (res < 0) { *err = StringPrintf("invalid capability '%s'", arg.c_str()); *err = StringPrintf("invalid capability '%s'", arg.c_str()); return false; return false; } } unsigned int cap = static_cast<unsigned int>(res); // |res| is >= 0. if (cap > last_valid_cap) { *err = StringPrintf("capability '%s' not supported by the kernel", arg.c_str()); return false; } capabilities_[cap] = true; capabilities_[cap] = true; } } return true; return true; Loading
