Merge "Zygote: limit the bounding capability set to CAP_NET_RAW"

author Nick Kralevich <nnk@google.com>

Thu, 14 Feb 2013 18:50:37 +0000 (18:50 +0000)

committer Gerrit Code Review <noreply-gerritcodereview@google.com>

Thu, 14 Feb 2013 18:50:37 +0000 (18:50 +0000)
author Nick Kralevich <nnk@google.com>
Thu, 14 Feb 2013 18:50:37 +0000 (18:50 +0000)
committer Gerrit Code Review <noreply-gerritcodereview@google.com>
Thu, 14 Feb 2013 18:50:37 +0000 (18:50 +0000)
diff --git a/vm/native/dalvik_system_Zygote.cpp b/vm/native/dalvik_system_Zygote.cpp

index b2b322e..6a03468 100644 (file)
--- a/vm/native/dalvik_system_Zygote.cpp
+++ b/vm/native/dalvik_system_Zygote.cpp
@@ -37,6 +37,7 @@
  #include <cutils/multiuser.h>
  #include <sched.h>
  #include <sys/utsname.h>
+#include <linux/capability.h>
  
  #if defined(HAVE_PRCTL)
  # include <sys/prctl.h>
@@ -584,6 +585,20 @@ static pid_t forkAndSpecializeCommon(const u4* args, bool isSystemServer)
              }
          }
  
+        for (int i = 0; prctl(PR_CAPBSET_READ, i, 0, 0, 0) >= 0; i++) {
+            if (i == CAP_NET_RAW) {
+                // Don't break /system/bin/ping
+                continue;
+            }
+            err = prctl(PR_CAPBSET_DROP, i, 0, 0, 0);
+            if (err < 0) {
+                ALOGW("PR_CAPBSET_DROP %d failed: %s. "
+                      "Please make sure your kernel is compiled with file "
+                      "capabilities support enabled.",
+                      i, strerror(errno));
+            }
+        }
+
  #endif /* HAVE_ANDROID_OS */
  
          if (mountMode != MOUNT_EXTERNAL_NONE) {
author	Nick Kralevich <nnk@google.com>
	Thu, 14 Feb 2013 18:50:37 +0000 (18:50 +0000)
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>
	Thu, 14 Feb 2013 18:50:37 +0000 (18:50 +0000)