simplify clatd permission dropping logic
There's no danger here, because we drop privileges
before we start processing packets.
This should also make clatd fully functional on 4.9-q
kernels that still have the Paranoid Android patchset
(by creating all sockets prior to dropping netd's
uid and capabilities).
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I14cab836907be8bbedc0812cec277808e9f3f91f
diff --git a/clatd.c b/clatd.c
index bd2bf62..7ec3454 100644
--- a/clatd.c
+++ b/clatd.c
@@ -155,18 +155,16 @@
}
}
-/* function: drop_root_but_keep_caps
- * drops root privs but keeps the needed capabilities
+/* function: drop_root_and_caps
+ * drops root privs and all capabilities
*/
-void drop_root_but_keep_caps() {
+void drop_root_and_caps() {
// see man setgroups: this drops all supplementary groups
if (setgroups(0, NULL) < 0) {
logmsg(ANDROID_LOG_FATAL, "setgroups failed: %s", strerror(errno));
exit(1);
}
- prctl(PR_SET_KEEPCAPS, 1);
-
if (setresgid(AID_CLAT, AID_CLAT, AID_CLAT) < 0) {
logmsg(ANDROID_LOG_FATAL, "setresgid failed: %s", strerror(errno));
exit(1);
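Review bot: The new header comment says only `drops root privs and all capabilities`, but with `prctl(PR_SET_KEEPCAPS, 1)` removed this function has become a one-way door and callers need that stated. I would extend the comment to something like `* Must be called only after every privileged operation (socket creation, tun setup) has completed: nothing can be re-acquired afterwards. Terminates the process with exit(1) on any failure.` The body of drop_root_and_caps continues past the end of this hunk; the uid switch and the final set_capability(0) are in the next one.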
@@ -176,8 +174,7 @@
exit(1);
}
- // keep CAP_NET_RAW capability to open raw socket.
- set_capability((1 << CAP_NET_ADMIN) | (1 << CAP_NET_RAW));
+ set_capability(0);
}
/* function: open_sockets
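Review bot: `set_capability(0)` is now the last step of drop_root_and_caps, but nothing verifies that the drop actually took effect, and the commit message itself says the motivation is kernels whose capability handling is patched. A cheap post-condition after it would catch the case where privileges survive: `if (setresuid(0, 0, 0) == 0) { logmsg(ANDROID_LOG_FATAL, "regained root after dropping privileges"); exit(1); }`. Presumably the uid switch (setresuid, in the gap between this hunk and the previous one) already clears the permitted and effective sets once PR_SET_KEEPCAPS is gone, which makes `set_capability(0)` a belt-and-braces step; a one-line comment saying so, e.g. `// caps are already gone after the uid change; this only makes the intent explicit`, would stop the next reader from wondering why both are needed.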
diff --git a/clatd.h b/clatd.h
index 34fa885..75ffea3 100644
--- a/clatd.h
+++ b/clatd.h
@@ -40,7 +40,7 @@
void configure_tun_ip(const struct tun_data *tunnel, const char *v4_addr, int mtu);
void set_capability(uint64_t target_cap);
-void drop_root_but_keep_caps();
+void drop_root_and_caps();
void open_sockets(struct tun_data *tunnel, uint32_t mark);
int ipv6_address_changed(const char *interface);
int configure_clat_ipv6_address(const struct tun_data *tunnel, const char *interface,
diff --git a/main.c b/main.c
index 52e22ac..d452985 100644
--- a/main.c
+++ b/main.c
@@ -123,19 +123,13 @@
plat_prefix ? plat_prefix : "(none)", v4_addr ? v4_addr : "(none)",
v6_addr ? v6_addr : "(none)");
- // run under a regular user but keep needed capabilities
- drop_root_but_keep_caps();
-
// open our raw sockets before dropping privs
open_sockets(&tunnel, mark);
- // keeps only admin capability
- set_capability(1 << CAP_NET_ADMIN);
-
configure_interface(uplink_interface, plat_prefix, v4_addr, v6_addr, &tunnel, mark);
- // Drop all remaining capabilities.
- set_capability(0);
+ // run under a regular user with no capabilities
+ drop_root_and_caps();
// Loop until someone sends us a signal or brings down the tun interface.
if (signal(SIGTERM, stop_loop) == SIG_ERR) {
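Review bot: configure_interface on the line above now runs as full root with every capability, where the old sequence had already switched to AID_CLAT holding only CAP_NET_ADMIN; the commit message explains why that is acceptable (no packet is processed before the drop), but the code carries no trace of that reasoning. I would replace the new comment `// run under a regular user with no capabilities` with `// All privileged setup (sockets, tun configuration) is finished and nothing from the network has been read yet: drop root and every capability before the packet loop.` The enclosing function starts and ends outside this hunk, so whether any later call still needs a capability cannot be confirmed from here.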