adb: drop capability bounding set on user builds run-as: don't require CAP_DAC_OVERRIDE. Prevent an adb spawned application from acquiring capabilities other than * CAP_NET_RAW * CAP_SETUID * CAP_SETGID The only privileged programs accessible on user builds are * /system/bin/ping * /system/bin/run-as and the capabilities above are sufficient to cover those two programs. If the kernel doesn't support file capabilities, we ignore a prctl(PR_CAPBSET_DROP) failure. In a future CL, this could become a fatal error. Change-Id: I45a56712bfda35b5ad9378dde9e04ab062fe691a

commit: 080427e4e2b1b72718b660e16b6cf38b3a3c4e3f [log] [tgz]
author: Nick Kralevich <nnk@google.com> Fri Feb 15 14:39:15 2013 -0800
committer: Nick Kralevich <nnk@google.com> Fri Feb 15 21:22:19 2013 -0800
tree: 8fe5959e9af28f94a8bcad9dd6837aefeaa8c1e9
parent: bcfa910611b42018db580b3459101c564f802552 [diff] [blame]
diff --git a/run-as/package.c b/run-as/package.c
index 143d647..683dae6 100644
--- a/run-as/package.c
+++ b/run-as/package.c

@@ -76,13 +76,30 @@
     struct stat  st;
     size_t  length = 0;
     void*   address = NULL;
+    gid_t   oldegid;
 
     *filesize = 0;
 
+    /*
+     * Temporarily switch effective GID to allow us to read
+     * the packages file
+     */
+
+    oldegid = getegid();
+    if (setegid(AID_SYSTEM) < 0) {
+        return NULL;
+    }
+
     /* open the file for reading */
     fd = TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
-    if (fd < 0)
+    if (fd < 0) {
         return NULL;
+    }
+
+    /* restore back to our old egid */
+    if (setegid(oldegid) < 0) {
+        goto EXIT;
+    }
 
     /* get its size */
     ret = TEMP_FAILURE_RETRY(fstat(fd, &st));
commit	080427e4e2b1b72718b660e16b6cf38b3a3c4e3f	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Fri Feb 15 14:39:15 2013 -0800
committer	Nick Kralevich <nnk@google.com>	Fri Feb 15 21:22:19 2013 -0800
tree	8fe5959e9af28f94a8bcad9dd6837aefeaa8c1e9
parent	bcfa910611b42018db580b3459101c564f802552 [diff] [blame]