Anonymous avatar Anonymous committed c0ecb5b

Zygote: limit the bounding capability set to CAP_NET_RAW

Prevent a zygote spawned application from acquiring
capabilities other than CAP_NET_RAW. The only Zygote
accessible program on Android which grants capabilities
is /system/bin/ping (CAP_NET_RAW), so we don't need to
keep the other capabilities in our bounding set.

If the kernel doesn't support file capabilities, we
end up printing approx 30 lines of warning messages. Hopefully
this will encourage kernel developers to upgrade. In a future
change, we can turn a prctl(PR_CAPBSET_DROP) failure into
a fatal error.

Change-Id: I8560fa5ad125bf31f0d13be513431697bc7d22bb

Comments (0)

Files changed (1)


 #include <cutils/multiuser.h>
 #include <sched.h>
 #include <sys/utsname.h>
+#include <linux/capability.h>
 #if defined(HAVE_PRCTL)
 # include <sys/prctl.h>
+        for (int i = 0; prctl(PR_CAPBSET_READ, i, 0, 0, 0) >= 0; i++) {
+            if (i == CAP_NET_RAW) {
+                // Don't break /system/bin/ping
+                continue;
+            }
+            err = prctl(PR_CAPBSET_DROP, i, 0, 0, 0);
+            if (err < 0) {
+                ALOGW("PR_CAPBSET_DROP %d failed: %s. "
+                      "Please make sure your kernel is compiled with file "
+                      "capabilities support enabled.",
+                      i, strerror(errno));
+            }
+        }
 #endif /* HAVE_ANDROID_OS */
         if (mountMode != MOUNT_EXTERNAL_NONE) {
Tip: Filter by directory path e.g. /media app.js to search for public/media/app.js.
Tip: Use camelCasing e.g. ProjME to search for
Tip: Filter by extension type e.g. /repo .js to search for all .js files in the /repo directory.
Tip: Separate your search with spaces e.g. /ssh pom.xml to search for src/ssh/pom.xml.
Tip: Use ↑ and ↓ arrow keys to navigate and return to view the file.
Tip: You can also navigate files with Ctrl+j (next) and Ctrl+k (previous) and view the file with Ctrl+o.
Tip: You can also navigate files with Alt+j (next) and Alt+k (previous) and view the file with Alt+o.