Cross Reference: /system/core/init/capabilities.cpp

History log of /system/core/init/capabilities.cpp
Revision	Date	Author	Comments (<<< Hide modified files) (Show modified files >>>)
de6bd50d4238d19ec401127bcf2321dc679d908d	14-Feb-2018	Tom Cherry <tomcherry@google.com>	init: add host side parser for init Create a host side parser for init such that init rc files can be verified for syntax correctness before being used on the device. Bug: 36970783 Test: run the parser on init files on host Change-Id: I7e8772e278ebaff727057308596ebacf28b6fdda /system/core/init/capabilities.cpp
94fb5b0bef4ff7bd5c610ed5ebfad9c0ba41c62f	17-Nov-2017	Luis Hector Chavez <lhchavez@google.com>	init: Drop inheritable capabilities when switching uids This change explicitly drops all inheritable capabilities (and, by extension, ambient capabilities) when there are no explicit capabilities being set by a service and the user is changed. This prevents Android running in a container from accidentally granting extra capabilities to services. Bug: 69320306 Test: aosp_sailfish still boots Test: sailfish:/ $ grep Cap /proc/`pidof android.hardware.audio@2.0-service`/status CapInh: 0000000000000000 CapPrm: 0000000000000000 CapEff: 0000000000000000 CapBnd: 0000003fffffffff CapAmb: 0000000000000000 Test: sailfish:/ $ grep Cap /proc/`pidof logd`/status CapInh: 0000000000000000 CapPrm: 0000000440000000 CapEff: 0000000440000000 CapBnd: 0000003fffffffff CapAmb: 0000000000000000 Test: Android in Chrome OS still boots Test: localhost ~ # grep Cap /proc/`pidof android.hardware.audio@2.0-service`/status CapInh: 0000000000000000 CapPrm: 0000000000000000 CapEff: 0000000000000000 CapBnd: 000000006daefdff CapAmb: 0000000000000000 Test: localhost ~ # grep Cap /proc/`pidof logd`/status CapInh: 0000000000000000 CapPrm: 0000000040000000 CapEff: 0000000040000000 CapBnd: 000000006daefdff CapAmb: 0000000000000000 Change-Id: I9218f2e27ff4fb4d91d50f9a98c0fdb4e272952c /system/core/init/capabilities.cpp
7bb360230d01f2eb2194cd362874ef199517a064	29-Jun-2017	Luis Hector Chavez <lhchavez@google.com>	init: Use ScopedCaps for cap_init() This change homogenizes the use of std::unique_ptr for storing capabilities in system/core/. Bug: None Test: m Change-Id: I0a95f87a27b0261e9d321841d5140fc000473293 /system/core/init/capabilities.cpp
81f5d3ebef2c3789737bf718fc2a2cdd7b9e8b33	22-Jun-2017	Tom Cherry <tomcherry@google.com>	init: create android::init:: namespace With some small fixups along the way Test: Boot bullhead Test: init unit tests Change-Id: I7beaa473cfa9397f845f810557d1631b4a462d6a /system/core/init/capabilities.cpp
f3f824ee42892fb69cb0d9b0557cd9c5aed357d2	15-Dec-2016	Jorge Lucangeli Obes <jorgelo@google.com>	capabilities: Check ambient caps, last valid runtime cap. Partners have expressed interest in using the 'capabilities' keyword in init, so make the code more resilient: -Check that ambient capabilities are supported by the kernel. -Check that the last valid cap at runtime is not higher than what's in kernel headers. -Check that the user is not requesting a capability present in kernel headers but not supported by the kernel at runtime. -Don't attempt to drop bounding set capabilities not supported at runtime. This CL also fixes a small bug where < should have been used instead of <=, and uses 'static' instead of anonymous namespaces. Bug: 32438163 Test: Use a test service that uses capabilities. Test: Apply in internal tree and test with angler and rild. Change-Id: Ia271cc7eb389d1d526d61f897261e4bac4d19e5d /system/core/init/capabilities.cpp
24b29132a017f7fbfd009c3e6aec499d1b815dbf	27-Oct-2016	Jorge Lucangeli Obes <jorgelo@google.com>	init: Add support for ambient capabilities. Ambient capabilities are inherited in a straightforward way across execve(2): " If you are nonroot but you have a capability, you can add it to pA. If you do so, your children get that capability in pA, pP, and pE. For example, you can set pA = CAP_NET_BIND_SERVICE, and your children can automatically bind low-numbered ports. " This will allow us to get rid of the special meaning for AID_NET_ADMIN and AID_NET_RAW, and if desired, to reduce the use of file capabilities (which grant capabilities to any process that can execute the file). An additional benefit of the latter is that a single .rc file can specify all properties for a service, without having to rely on a separate file for file capabilities. Ambient capabilities are supported starting with kernel 4.3 and have been backported to all Android common kernels back to 3.10. I chose to not use Minijail here (though I'm still using libcap) for two reasons: 1-The Minijail code is designed to work in situations where the process is holding any set of capabilities, so it's more complex. The situation when forking from init allows for simpler code. 2-The way Minijail is structured right now, we would not be able to make the required SELinux calls between UID/GID dropping and other priv dropping code. In the future, it will make sense to add some sort of "hook" to Minijail so that it can be used in situations where we want to do other operations between some of the privilege-dropping operations carried out by Minijail. Bug: 32438163 Test: Use sample service. Change-Id: I3226cc95769d1beacbae619cb6c6e6a5425890fb /system/core/init/capabilities.cpp