adb: drop capability bounding set on user builds
run-as: don't require CAP_DAC_OVERRIDE.
Prevent an adb spawned application from acquiring capabilities
other than
* CAP_NET_RAW
* CAP_SETUID
* CAP_SETGID
The only privileged programs accessible on user builds are
* /system/bin/ping
* /system/bin/run-as
and the capabilities above are sufficient to cover those
two programs.
If the kernel doesn't support file capabilities, we ignore
a prctl(PR_CAPBSET_DROP) failure. In a future CL, this could
become a fatal error.
Change-Id: I45a56712bfda35b5ad9378dde9e04ab062fe691a
diff --git a/adb/adb.c b/adb/adb.c
index 32aff2c..949e5ea 100644
--- a/adb/adb.c
+++ b/adb/adb.c
@@ -1184,6 +1184,33 @@
}
#if !ADB_HOST
+
+static void drop_capabilities_bounding_set_if_needed() {
+#ifdef ALLOW_ADBD_ROOT
+ char value[PROPERTY_VALUE_MAX];
+ property_get("ro.debuggable", value, "");
+ if (strcmp(value, "1") == 0) {
+ return;
+ }
+#endif
+ int i;
+ for (i = 0; prctl(PR_CAPBSET_READ, i, 0, 0, 0) >= 0; i++) {
+ if ((i == CAP_NET_RAW) || (i == CAP_SETUID) || (i == CAP_SETGID)) {
+ // CAP_NET_RAW needed by /system/bin/ping
+ // CAP_SETUID CAP_SETGID needed by /system/bin/run-as
+ continue;
+ }
+ int err = prctl(PR_CAPBSET_DROP, i, 0, 0, 0);
+
+ // Some kernels don't have file capabilities compiled in, and
+ // prctl(PR_CAPBSET_DROP) returns EINVAL. Don't automatically
+ // die when we see such misconfigured kernels.
+ if ((err < 0) && (errno != EINVAL)) {
+ exit(1);
+ }
+ }
+}
+
static int should_drop_privileges() {
#ifndef ALLOW_ADBD_ROOT
return 1;
@@ -1278,6 +1305,8 @@
exit(1);
}
+ drop_capabilities_bounding_set_if_needed();
+
/* add extra groups:
** AID_ADB to access the USB driver
** AID_LOG to read system logs (adb logcat)