minijail: Allow skipping setting securebits when restricting caps
This change allows the user to optionally skip setting a subset of the
securebits that are automatically set when restricting caps.
Bug: 63069223
Test: $ gcc -static -xc -o securebits - << EOF
#include <stdio.h>
#include <sys/prctl.h>
int main()
{
printf("%x\n", prctl(PR_GET_SECUREBITS));
}
EOF
$ sudo ./minijail0 -c 1fffffffff --ambient ./securebits
2f
$ sudo ./minijail0 -c 1fffffffff --ambient -B 2f ./securebits
0
Change-Id: Ie247302bbbb35f04caa2066541a8c175f6c94976
diff --git a/system.c b/system.c
index 49f8915..9373e87 100644
--- a/system.c
+++ b/system.c
@@ -51,7 +51,7 @@
_Static_assert(SECURE_ALL_BITS == 0x55, "SECURE_ALL_BITS == 0x55.");
#endif
-int lock_securebits(void)
+int lock_securebits(uint64_t skip_mask)
{
/*
* Ambient capabilities can only be raised if they're already present
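Review bot: The new `skip_mask` parameter of `lock_securebits` is not documented at the definition; the block comment that follows only explains why NO_CAP_AMBIENT_RAISE is locked, and a caller has to read the body to learn that bits in the mask are simply cleared from the value passed to prctl and that bits outside SECURE_BITS_NO_AMBIENT | SECURE_LOCKS_NO_AMBIENT have no effect. A comment above the signature such as `/* skip_mask: SECURE_* bits the caller does not want set; only bits in SECURE_BITS_NO_AMBIENT | SECURE_LOCKS_NO_AMBIENT matter. */` would cover it. It is also worth stating there that no consistency check is done between a bit and its _LOCKED counterpart, so a mask that skips only the lock leaves that securebit changeable later by a process that still holds CAP_SETPCAP, which the caller must weigh. The function body continues in the next hunk.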
@@ -59,9 +59,12 @@
* need to lock the NO_CAP_AMBIENT_RAISE securebit, since we are already
* configuring the permitted and inheritable set.
*/
- int securebits_ret =
- prctl(PR_SET_SECUREBITS,
- SECURE_BITS_NO_AMBIENT | SECURE_LOCKS_NO_AMBIENT);
+ uint64_t securebits =
+ (SECURE_BITS_NO_AMBIENT | SECURE_LOCKS_NO_AMBIENT) & ~skip_mask;
+ if (!securebits) {
+ return 0;
+ }
+ int securebits_ret = prctl(PR_SET_SECUREBITS, securebits);
if (securebits_ret < 0) {
pwarn("prctl(PR_SET_SECUREBITS) failed");
return -1;
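Review bot: `securebits` on the `int securebits_ret = prctl(PR_SET_SECUREBITS, securebits);` line is a `uint64_t`, but prctl's variadic arguments are consumed as `unsigned long`; on LP64 the widths match, while on an ILP32 build the 64-bit argument is passed as two slots and the call only works because the value fits in the low word, which is a mismatched variadic type rather than a guaranteed layout. Declaring the value as `unsigned long securebits = (unsigned long)((SECURE_BITS_NO_AMBIENT | SECURE_LOCKS_NO_AMBIENT) & ~skip_mask);` keeps the prctl argument at its expected type without changing the result. The early `if (!securebits) return 0;` also means a mask covering every bit leaves whatever securebits were inherited untouched instead of writing zero, which matches the commit's "skip setting" wording but deserves a line such as `/* Nothing left to set: leave the inherited securebits as they are. */` so it is not mistaken for a reset. lock_securebits's body continues past the end of this hunk.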