Check netutils_wrapper don't use file capabilities The netutils_wrapper is called by a variety of vendor processes. If the netutils_wrapper is granted CAP_NET_ADMIN by filesystem capabilities, it may also grant such capability to all vendor domains that run this executable. To prevent that, adding a test to make sure the netutils_wrapper binary doesn't have filesystem capabilities setup. Bug: 72644927 Test: atest netd_integration_test Change-Id: I856b0782bcb3f84be2925c995a6f8b64d16ffe33

commit: 661654739d1b73a8054de7002e88ce8961ee74f5 [log] [tgz]
author: Chenbo Feng <fengc@google.com> Mon Jul 23 19:05:56 2018 -0700
committer: Chenbo Feng <fengc@google.com> Tue Jul 31 12:36:47 2018 -0700
tree: 95b7017009125d431325b7449d2c2dc8784360f4
parent: bdce8eb59d79ed53be0aaac0432492eee39aed4d [diff] [blame]
diff --git a/tests/netd_test.cpp b/tests/netd_test.cpp
index 51d31aa..5d09346 100644
--- a/tests/netd_test.cpp
+++ b/tests/netd_test.cpp

@@ -21,6 +21,7 @@
 #include <stdarg.h>
 #include <stdio.h>
 #include <stdlib.h>
+#include <sys/capability.h>
 #include <unistd.h>
 
 #include <cutils/sockets.h>
@@ -1323,3 +1324,9 @@
     EXPECT_NE(0, getaddrinfo(host_name, nullptr, nullptr, &ai_result));
     EXPECT_EQ(0U, GetNumQueries(dns, host_name));
 }
+
+TEST(NetUtilsWrapperTest, TestFileCapabilities) {
+    errno = 0;
+    ASSERT_EQ(NULL, cap_get_file("/system/bin/netutils-wrapper-1.0"));
+    ASSERT_EQ(ENODATA, errno);
+}
commit	661654739d1b73a8054de7002e88ce8961ee74f5	[log] [tgz]
author	Chenbo Feng <fengc@google.com>	Mon Jul 23 19:05:56 2018 -0700
committer	Chenbo Feng <fengc@google.com>	Tue Jul 31 12:36:47 2018 -0700
tree	95b7017009125d431325b7449d2c2dc8784360f4
parent	bdce8eb59d79ed53be0aaac0432492eee39aed4d [diff] [blame]