Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a2278040 authored by Treehugger Robot's avatar Treehugger Robot Committed by Gerrit Code Review
Browse files

Merge "init: Drop inheritable capabilities when switching uids"

parents 3dfba33d 94fb5b0b

init/capabilities.cpp

+13 −0
Original line number Diff line number Diff line
@@ -194,5 +194,18 @@ bool SetCapsForExec(const CapSet& to_keep) { 
    return SetAmbientCaps(to_keep);

}



bool DropInheritableCaps() {

    ScopedCaps caps(cap_get_proc());

    if (cap_clear_flag(caps.get(), CAP_INHERITABLE) == -1) {

        PLOG(ERROR) << "cap_clear_flag(INHERITABLE) failed";

        return false;

    }

    if (cap_set_proc(caps.get()) != 0) {

        PLOG(ERROR) << "cap_set_proc() failed";

        return false;

    }

    return true;

}



}  // namespace init

}  // namespace android

init/capabilities.h

+1 −0
Original line number Diff line number Diff line
@@ -35,6 +35,7 @@ int LookupCap(const std::string& cap_name); 
bool CapAmbientSupported();

unsigned int GetLastValidCap();

bool SetCapsForExec(const CapSet& to_keep);

bool DropInheritableCaps();



}  // namespace init

}  // namespace android

init/service.cpp

+5 −0
Original line number Diff line number Diff line
@@ -291,6 +291,11 @@ void Service::SetProcessAttributes() { 
        if (!SetCapsForExec(capabilities_)) {

            LOG(FATAL) << "cannot set capabilities for " << name_;

        }

    } else if (uid_) {

        // Inheritable caps can be non-zero when running in a container.

        if (!DropInheritableCaps()) {

            LOG(FATAL) << "cannot drop inheritable caps for " << name_;

        }

    }

}