Loading adb/daemon/main.cpp +30 −5 Original line number Diff line number Diff line Loading @@ -19,10 +19,11 @@ #include "sysdeps.h" #include <errno.h> #include <getopt.h> #include <signal.h> #include <stdio.h> #include <stdlib.h> #include <getopt.h> #include <sys/capability.h> #include <sys/prctl.h> #include <memory> Loading @@ -49,13 +50,13 @@ static const char* root_seclabel = nullptr; static void drop_capabilities_bounding_set_if_needed(struct minijail *j) { static bool should_drop_capabilities_bounding_set() { #if defined(ALLOW_ADBD_ROOT) if (__android_log_is_debuggable()) { return; return false; } #endif minijail_capbset_drop(j, CAP_TO_MASK(CAP_SETUID) | CAP_TO_MASK(CAP_SETGID)); return true; } static bool should_drop_privileges() { Loading Loading 
@@ -116,13 +117,37 @@ static void drop_privileges(int server_port) { // Don't listen on a port (default 5037) if running in secure mode. // Don't run as root if running in secure mode. if (should_drop_privileges()) { drop_capabilities_bounding_set_if_needed(jail.get()); const bool should_drop_caps = should_drop_capabilities_bounding_set(); if (should_drop_caps) { minijail_use_caps(jail.get(), CAP_TO_MASK(CAP_SETUID) | CAP_TO_MASK(CAP_SETGID)); } minijail_change_gid(jail.get(), AID_SHELL); minijail_change_uid(jail.get(), AID_SHELL); // minijail_enter() will abort if any priv-dropping step fails. minijail_enter(jail.get()); // Whenever ambient capabilities are being used, minijail cannot // simultaneously drop the bounding capability set to just // CAP_SETUID|CAP_SETGID while clearing the inheritable, effective, // and permitted sets. So we need to do that in two steps. using ScopedCaps = std::unique_ptr<std::remove_pointer<cap_t>::type, std::function<void(cap_t)>>; ScopedCaps caps(cap_get_proc(), &cap_free); if (cap_clear_flag(caps.get(), CAP_INHERITABLE) == -1) { PLOG(FATAL) << "cap_clear_flag(INHERITABLE) failed"; } if (cap_clear_flag(caps.get(), CAP_EFFECTIVE) == -1) { PLOG(FATAL) << "cap_clear_flag(PEMITTED) failed"; } if (cap_clear_flag(caps.get(), CAP_PERMITTED) == -1) { PLOG(FATAL) << "cap_clear_flag(PEMITTED) failed"; } if (cap_set_proc(caps.get()) != 0) { PLOG(FATAL) << "cap_set_proc() failed"; } D("Local port disabled"); } else { // minijail_enter() will abort if any priv-dropping step fails. Loading healthd/Android.bp +17 −2 Original line number Diff line number Diff line Loading @@ -20,8 +20,8 @@ cc_library_static { export_header_lib_headers: ["libhealthd_headers"], } cc_binary { name: "android.hardware.health@2.0-service", cc_defaults { name: "android.hardware.health@2.0-service_defaults", init_rc: ["android.hardware.health@2.0-service.rc"], vendor: true, relative_install_path: "hw", Loading Loading 
@@ -54,8 +54,23 @@ cc_binary { ], } cc_binary { name: "android.hardware.health@2.0-service", defaults: ["android.hardware.health@2.0-service_defaults"], } cc_binary { name: "android.hardware.health@2.0-service.override", defaults: ["android.hardware.health@2.0-service_defaults"], overrides: [ "healthd", ], } cc_binary { name: "healthd", init_rc: ["healthd.rc"], srcs: [ "HealthServiceHealthd.cpp", ], Loading healthd/Android.mk +1 −1 Original line number Diff line number Diff line Loading @@ -100,7 +100,7 @@ CHARGER_STATIC_LIBRARIES := \ android.hardware.health@1.0-convert \ libhidltransport \ libhidlbase \ libhwbinder \ libhwbinder_nolto \ libhealthstoragedefault \ libvndksupport \ libhealthd_charger \ Loading healthd/android.hardware.health@2.0-service.rc +1 −0 Original line number Diff line number Diff line Loading @@ -2,3 +2,4 @@ service health-hal-2-0 /vendor/bin/hw/android.hardware.health@2.0-service class hal user system group system file /dev/kmsg w healthd/healthd.rc 0 → 100644 +4 −0 Original line number Diff line number Diff line service healthd /system/bin/healthd class hal critical group root system wakelock Loading
adb/daemon/main.cpp +30 −5 Original line number Diff line number Diff line Loading @@ -19,10 +19,11 @@ #include "sysdeps.h" #include <errno.h> #include <getopt.h> #include <signal.h> #include <stdio.h> #include <stdlib.h> #include <getopt.h> #include <sys/capability.h> #include <sys/prctl.h> #include <memory> Loading @@ -49,13 +50,13 @@ static const char* root_seclabel = nullptr; static void drop_capabilities_bounding_set_if_needed(struct minijail *j) { static bool should_drop_capabilities_bounding_set() { #if defined(ALLOW_ADBD_ROOT) if (__android_log_is_debuggable()) { return; return false; } #endif minijail_capbset_drop(j, CAP_TO_MASK(CAP_SETUID) | CAP_TO_MASK(CAP_SETGID)); return true; } static bool should_drop_privileges() { Loading Loading 
@@ -116,13 +117,37 @@ static void drop_privileges(int server_port) { // Don't listen on a port (default 5037) if running in secure mode. // Don't run as root if running in secure mode. if (should_drop_privileges()) { drop_capabilities_bounding_set_if_needed(jail.get()); const bool should_drop_caps = should_drop_capabilities_bounding_set(); if (should_drop_caps) { minijail_use_caps(jail.get(), CAP_TO_MASK(CAP_SETUID) | CAP_TO_MASK(CAP_SETGID)); } minijail_change_gid(jail.get(), AID_SHELL); minijail_change_uid(jail.get(), AID_SHELL); // minijail_enter() will abort if any priv-dropping step fails. minijail_enter(jail.get()); // Whenever ambient capabilities are being used, minijail cannot // simultaneously drop the bounding capability set to just // CAP_SETUID|CAP_SETGID while clearing the inheritable, effective, // and permitted sets. So we need to do that in two steps. using ScopedCaps = std::unique_ptr<std::remove_pointer<cap_t>::type, std::function<void(cap_t)>>; ScopedCaps caps(cap_get_proc(), &cap_free); if (cap_clear_flag(caps.get(), CAP_INHERITABLE) == -1) { PLOG(FATAL) << "cap_clear_flag(INHERITABLE) failed"; } if (cap_clear_flag(caps.get(), CAP_EFFECTIVE) == -1) { PLOG(FATAL) << "cap_clear_flag(PEMITTED) failed"; } if (cap_clear_flag(caps.get(), CAP_PERMITTED) == -1) { PLOG(FATAL) << "cap_clear_flag(PEMITTED) failed"; } if (cap_set_proc(caps.get()) != 0) { PLOG(FATAL) << "cap_set_proc() failed"; } D("Local port disabled"); } else { // minijail_enter() will abort if any priv-dropping step fails. Loading
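Review bot: The failure message for the CAP_EFFECTIVE clear in drop_privileges() reads `cap_clear_flag(PEMITTED) failed`, the same misspelled text as the CAP_PERMITTED branch, so a fatal log from this privilege-drop path cannot tell which capability set failed to clear. Use `PLOG(FATAL) << "cap_clear_flag(EFFECTIVE) failed";` for the second check and `PLOG(FATAL) << "cap_clear_flag(PERMITTED) failed";` for the third. The result of `cap_get_proc()` is passed on unchecked, so a null handle would only show up as an INHERITABLE failure; an explicit `if (!caps) PLOG(FATAL) << "cap_get_proc() failed";` before the first clear reports it accurately. The new code also uses `std::function` and `std::remove_pointer`, while the include hunk visibly adds only `<sys/capability.h>`; confirm that `<functional>` and `<type_traits>` are included, since only part of the include list is shown. drop_privileges() begins and ends outside this hunk.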
healthd/Android.bp +17 −2 Original line number Diff line number Diff line Loading @@ -20,8 +20,8 @@ cc_library_static { export_header_lib_headers: ["libhealthd_headers"], } cc_binary { name: "android.hardware.health@2.0-service", cc_defaults { name: "android.hardware.health@2.0-service_defaults", init_rc: ["android.hardware.health@2.0-service.rc"], vendor: true, relative_install_path: "hw", Loading Loading @@ -54,8 +54,23 @@ cc_binary { ], } cc_binary { name: "android.hardware.health@2.0-service", defaults: ["android.hardware.health@2.0-service_defaults"], } cc_binary { name: "android.hardware.health@2.0-service.override", defaults: ["android.hardware.health@2.0-service_defaults"], overrides: [ "healthd", ], } cc_binary { name: "healthd", init_rc: ["healthd.rc"], srcs: [ "HealthServiceHealthd.cpp", ], Loading
healthd/Android.mk +1 −1 Original line number Diff line number Diff line Loading @@ -100,7 +100,7 @@ CHARGER_STATIC_LIBRARIES := \ android.hardware.health@1.0-convert \ libhidltransport \ libhidlbase \ libhwbinder \ libhwbinder_nolto \ libhealthstoragedefault \ libvndksupport \ libhealthd_charger \ Loading
healthd/android.hardware.health@2.0-service.rc +1 −0 Original line number Diff line number Diff line Loading @@ -2,3 +2,4 @@ service health-hal-2-0 /vendor/bin/hw/android.hardware.health@2.0-service class hal user system group system file /dev/kmsg w
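--- a/healthd/healthd.rc
+++ b/healthd/healthd.rc
@@ -0,0 +1,4 @@
+service healthd /system/bin/healthd
+class hal
+critical
+group root system wakelock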
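Review bot: The new `healthd` service declares no `user`, so init starts /system/bin/healthd as root (its default), with `group root system wakelock` on top. The health-hal-2-0 service touched in the same change runs as `user system` and gets its kernel-log access through `file /dev/kmsg w` instead. If healthd needs nothing beyond that, add `user system` and `file /dev/kmsg w` and drop `root` from the `group` line. If root really is required, a short `#` comment in the .rc saying which operation needs it would document the exception for later least-privilege reviews.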