minijail: Avoid setting PR_SET_KEEPCAPS if that bit is locked
This change avoids setting PR_SET_KEEPCAPS if the bit is locked and we
are using ambient capabilities. This allows using minijail from an
already-minijailed process.
Bug: 112030238
Test: make tests
Change-Id: Iafd5d2409dcb526048b84edfc8b8f29f30d0dd4c
diff --git a/system.c b/system.c
index 434980a..9852be7 100644
--- a/system.c
+++ b/system.c
@@ -44,6 +44,14 @@
_Static_assert(SECURE_ALL_BITS == 0x55, "SECURE_ALL_BITS == 0x55.");
#endif
+int secure_keep_caps_locked(void)
+{
+ int bits = prctl(PR_GET_SECUREBITS);
+ if (bits < 0)
+ return 0;
+ return bits & SECBIT_KEEP_CAPS_LOCKED;
+}
+
int secure_noroot_set_and_locked(uint64_t mask)
{
return (mask & (SECBIT_NOROOT | SECBIT_NOROOT_LOCKED)) ==
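Review bot: secure_keep_caps_locked() has no comment stating its contract, and its `bits < 0` branch reports a failed `prctl(PR_GET_SECUREBITS)` as "not locked" without saying why that is the safe default. I would add above the function `/* Returns non-zero if SECBIT_KEEP_CAPS_LOCKED is set for the calling thread; 0 if it is clear or the securebits could not be read. */`. The caller is outside this hunk; presumably it then still attempts PR_SET_KEEPCAPS on the 0 path and fails visibly if the bit really is locked, which is worth confirming and stating in that comment. The function also returns the raw mask value rather than 1, so callers should only test it for truth, or the last line could be `return !!(bits & SECBIT_KEEP_CAPS_LOCKED);`.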