Gitiles
Code Review Sign In
gerrit.omnirom.org / android_packages_modules_Virtualization / 3452ee2bb0a2a941153f017dd45addaf03cea1ee^! / . / libs / capabilities / Android.bp
commit3452ee2bb0a2a941153f017dd45addaf03cea1ee[log] [tgz]
authorNikita Ioffe <ioffe@google.com>Thu Dec 15 00:31:56 2022 +0000
committerNikita Ioffe <ioffe@google.com>Mon Dec 19 17:04:00 2022 +0000
tree68385dbd1f2a465df8544559139cc00c201f1a95
parent1806205e1dd43a8a46fcd969d68fbd56cd61a409 [diff] [blame]
Drop inheritable caps and caps bounding set before executing payload

This change basically does the following things:

* Add rust_bindgen for the libcap.
* Add libcap_rust wrapping the bindgen and providing
  drop_inhertiable_caps and drop_bounding_set APIs;
* Call the libcap_rust APIs before execve'ing into the payload binary.
  This is done using the CommandExt::pre_exec function.

Additionally this change adds basic tests for libcap_rust library and
the e2e test to verify that binary running payload have zero
capabilities.

Bug: 243633980
Test: atest libcap_rust.test
Test: atest MicrodroidTestApp
Test: adb shell /apex/com.android.virt/bin/vm run-microdroid
Test: enter microdroid shell & check microdroid_launcher has empty caps
Change-Id: Ibfb45ec912df0ad0a1db62b24c22fbe5a61ff5f3

diff --git a/libs/capabilities/Android.bp b/libs/capabilities/Android.bp
new file mode 100644
index 0000000..db3f4d4
--- /dev/null
+++ b/libs/capabilities/Android.bp

@@ -0,0 +1,62 @@
+package {
+    default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+rust_bindgen {
+    name: "libcap_bindgen",
+    edition: "2021",
+    wrapper_src: "bindgen/libcap.h",
+    crate_name: "cap_bindgen",
+    source_stem: "bindings",
+    shared_libs: ["libcap"],
+    bindgen_flags: [
+        "--default-enum-style rust",
+    ],
+    visibility: [
+        "//packages/modules/Virtualization:__subpackages__",
+    ],
+}
+
+rust_test {
+    name: "libcap_bindgen_test",
+    srcs: [":libcap_bindgen"],
+    crate_name: "cap_bindgen_test",
+    test_suites: ["general-tests"],
+    auto_gen_config: true,
+    clippy_lints: "none",
+    lints: "none",
+}
+
+rust_defaults {
+    name: "libcap_rust.defaults",
+    crate_name: "cap",
+    srcs: ["src/caps.rs"],
+    rustlibs: [
+        "libanyhow",
+        "libcap_bindgen",
+        "liblibc",
+        "libnix",
+        "libscopeguard",
+    ],
+    edition: "2021",
+    prefer_rlib: true,
+    multilib: {
+        lib32: {
+            enabled: false,
+        },
+    },
+    shared_libs: [
+        "libcap",
+    ],
+}
+
+rust_library {
+    name: "libcap_rust",
+    defaults: ["libcap_rust.defaults"],
+}
+
+rust_test {
+    name: "libcap_rust.test",
+    defaults: ["libcap_rust.defaults"],
+    test_suites: ["general-tests"],
+}