
Zygote: limit the bounding capability set to CAP_NET_RAW
authorNick Kralevich <nnk@google.com>
Wed, 13 Feb 2013 18:39:34 +0000 (10:39 -0800)
committerNick Kralevich <nnk@google.com>
Wed, 13 Feb 2013 21:33:10 +0000 (13:33 -0800)
Prevent a zygote spawned application from acquiring
capabilities other than CAP_NET_RAW.  The only Zygote
accessible program on Android which grants capabilities
is /system/bin/ping (CAP_NET_RAW), so we don't need to
keep the other capabilities in our bounding set.

Change-Id: Ifbfdbaf3d32bc6237b6e1fc57766ca13baae7bde

vm/native/dalvik_system_Zygote.cpp

index b2b322e..85fda60 100644 (file)
@@ -37,6 +37,7 @@
 #include <cutils/multiuser.h>
 #include <sched.h>
 #include <sys/utsname.h>
+#include <linux/capability.h>
 
 #if defined(HAVE_PRCTL)
 # include <sys/prctl.h>
@@ -584,6 +585,18 @@ static pid_t forkAndSpecializeCommon(const u4* args, bool isSystemServer)
             }
         }
 
+        for (int i = 0; prctl(PR_CAPBSET_READ, i, 0, 0, 0) >= 0; i++) {
+            if (i == CAP_NET_RAW) {
+                // Don't break /system/bin/ping
+                continue;
+            }
+            err = prctl(PR_CAPBSET_DROP, i, 0, 0, 0);
+            if (err < 0) {
+                ALOGE("PR_CAPBSET_DROP %d failed: %s", i, strerror(errno));
+                dvmAbort();
+            }
+        }
+
 #endif /* HAVE_ANDROID_OS */
 
         if (mountMode != MOUNT_EXTERNAL_NONE) {
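Review bot: The loop's exit condition at the `for` line treats any negative return from PR_CAPBSET_READ as "past the last capability", so a failure for another reason would end the loop early and silently leave higher-numbered capabilities in the bounding set; a check after the loop such as `if (errno != EINVAL) { ALOGE("PR_CAPBSET_READ %d failed: %s", i, strerror(errno)); dvmAbort(); }` keeps the fail-closed behaviour the drop path already has. Dropping from the bounding set also requires CAP_SETPCAP, so this block presumably has to run before the uid/gid switch in the same function — the hunk does not show that ordering, and a comment above the loop stating it would help, e.g. `// Shrink the bounding set (needs CAP_SETPCAP, so this must precede the uid switch); only affects caps acquirable across execve`. The `// Don't break /system/bin/ping` comment could say that CAP_NET_RAW is kept in the bounding set rather than granted, so the app itself gains nothing. forkAndSpecializeCommon and the `#ifdef HAVE_ANDROID_OS` region, where `err` is declared, begin outside the hunk.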