commit a2ceaf6b8be5cb9fdc5fa94ae628b5f617813197
author Robert Sesek <rsesek@google.com> Wed Sep 21 17:01:36 2016 -0400
committer Robert Sesek <rsesek@google.com> Mon Oct 31 10:33:36 2016 -0400
tree a24d35a0fa4589f88d6f0b74a2ae49ecff0e2559
parent b5ce6f02dd11b42c03884dd9531c6c8a80bcecda

Add fs_config entries for the webview_zygote.

The webview_zygote is a non-root zygote process that creates isolated_app
children for rendering web content. It needs:
- CAP_SETUID and CAP_SETGID to change the UID of the new child process.
- CAP_SETPCAP to clear the capability bounding set after forking.

Test: m
Test: angler boots

Bug: 21643067
Change-Id: I986fa04be54e812f5dd2afa14e5d2d3e474e2b10

libcutils/fs_config.c

diff --git a/libcutils/fs_config.c b/libcutils/fs_config.c
index 9908637..3c3ceb4 100644
--- a/libcutils/fs_config.c
+++ b/libcutils/fs_config.c
@@ -149,6 +149,14 @@
     /* Support wifi_hal_legacy administering a network interface. */
     { 00755, AID_WIFI,      AID_WIFI,     CAP_MASK_LONG(CAP_NET_ADMIN) | CAP_MASK_LONG(CAP_NET_RAW),    "system/bin/hw/android.hardware.wifi@1.0-service" },
 
+    /* A non-privileged zygote that spawns isolated processes for web rendering. */
+    { 0750,  AID_ROOT,      AID_ROOT,      CAP_MASK_LONG(CAP_SETUID) |
+                                           CAP_MASK_LONG(CAP_SETGID) |
+                                           CAP_MASK_LONG(CAP_SETPCAP), "system/bin/webview_zygote32" },
+    { 0750,  AID_ROOT,      AID_ROOT,      CAP_MASK_LONG(CAP_SETUID) |
+                                           CAP_MASK_LONG(CAP_SETGID) |
+                                           CAP_MASK_LONG(CAP_SETPCAP), "system/bin/webview_zygote64" },
+
     { 00750, AID_ROOT,      AID_ROOT,      0, "system/bin/uncrypt" },
     { 00750, AID_ROOT,      AID_ROOT,      0, "system/bin/install-recovery.sh" },
     { 00755, AID_ROOT,      AID_SHELL,     0, "system/bin/*" },