From 921e9aea72bc2aa99a52ccdb90573bbd3bf3508f Mon Sep 17 00:00:00 2001
From: Nick Kralevich
Date: Wed, 13 Feb 2013 10:39:34 -0800
Subject: [PATCH] Zygote: limit the bounding capability set to CAP_NET_RAW

Prevent a zygote spawned application from acquiring capabilities other than CAP_NET_RAW. The only Zygote accessible program on Android which grants capabilities is /system/bin/ping (CAP_NET_RAW), so we don't need to keep the other capabilities in our bounding set.

Change-Id: Ifbfdbaf3d32bc6237b6e1fc57766ca13baae7bde
---
 vm/native/dalvik_system_Zygote.cpp | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/vm/native/dalvik_system_Zygote.cpp b/vm/native/dalvik_system_Zygote.cpp
index b2b322ef6..85fda60e6 100644
--- a/vm/native/dalvik_system_Zygote.cpp
+++ b/vm/native/dalvik_system_Zygote.cpp
@@ -37,6 +37,7 @@
 #include
 #include
 #include
+#include
 
 #if defined(HAVE_PRCTL)
 # include
@@ -584,6 +585,18 @@ static pid_t forkAndSpecializeCommon(const u4* args, bool isSystemServer)
 }
 }
 
+ for (int i = 0; prctl(PR_CAPBSET_READ, i, 0, 0, 0) >= 0; i++) {
+ if (i == CAP_NET_RAW) {
+ // Don't break /system/bin/ping
+ continue;
+ }
+ err = prctl(PR_CAPBSET_DROP, i, 0, 0, 0);
+ if (err < 0) {
+ ALOGE("PR_CAPBSET_DROP %d failed: %s", i, strerror(errno));
+ dvmAbort();
+ }
+ }
+
 #endif /* HAVE_ANDROID_OS */
 
 if (mountMode != MOUNT_EXTERNAL_NONE) {
-- 
2.11.0
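Review bot: The loop's stopping rule and its privilege requirement are left implicit in the second hunk; the `for` probes with `PR_CAPBSET_READ` until the kernel rejects the index, and `PR_CAPBSET_DROP` only succeeds while the child still holds `CAP_SETPCAP`, so the loop must stay ahead of whatever UID/capability drop follows it (presumably the setuid path outside this hunk). A comment above the `for` would pin both, e.g. `/* Drop everything but CAP_NET_RAW from the bounding set. Probe with PR_CAPBSET_READ rather than CAP_LAST_CAP so caps the kernel knows but our headers do not are dropped too. Must run while we still have CAP_SETPCAP. */`. Worth noting in that comment as well that the bounding set only caps what an exec'd binary (file caps or setuid-root) can hand back; the child's own permitted/effective set is governed by logic outside this hunk. Aborting on any `PR_CAPBSET_DROP` failure is the right choice here, since continuing would leave the app with a wider bounding set than intended. `forkAndSpecializeCommon` begins and ends outside the hunk.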