)]}'
{
  "commit": "f1e3bfff40560c311c00474e640f59fc950acf5c",
  "tree": "befa88fb8745c507c88725fd8f7a87e3a37139d3",
  "parents": [
    "cc2e7c21a29ac0a68657fe357d02283eaf08527e"
  ],
  "author": {
    "name": "Nikita Ioffe",
    "email": "ioffe@google.com",
    "time": "Thu Dec 22 16:05:40 2022 +0000"
  },
  "committer": {
    "name": "Nikita Ioffe",
    "email": "ioffe@google.com",
    "time": "Thu Dec 22 22:08:49 2022 +0000"
  },
  "message": "host_init_verifier: add check for root services and linux capabilities\n\nIf a service that runs under root doesn\u0027t have the capabilities field in\nits definition, then it will inherit all the capabilities that init\nhas.\n\nThis change adds a linter to detect such services and ask developers to\nexplicitly specify capabilities that their service needs. If service\ndoesn\u0027t require any capabilities then empty capabilities fields should\nbe added in the service definition.\n\nThe actual access control list on what capabilities a process can use is\ncontrolled by the SELinux, so inheriting all the init capabilities is\nnot a security issue here. However, asking services to explicitly\nspecify the capabilities they need is a good defense-in-depth mechanism.\n\nSo far this linter only checks the services on /system partition.\n\nAll currently offending services are added to the exempt list. I will\nwork on fixing some of them in the follow-up changes.\n\nBug: 249796710\nTest: m dist\nChange-Id: I2db06af165ae320a9c5086756067dceef20cd28d\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "db127d3f2b27c23f9007c8ef72045de97ac54f3a",
      "old_mode": 33188,
      "old_path": "init/host_init_verifier.cpp",
      "new_id": "d015ae9c857f364b5a7060ca7e2c62a2739ac898",
      "new_mode": 33188,
      "new_path": "init/host_init_verifier.cpp"
    },
    {
      "type": "modify",
      "old_id": "f9749d2075f1727396dbab43c684f1ea07b7df38",
      "old_mode": 33188,
      "old_path": "init/service.h",
      "new_id": "9cc292093f664c0d41758bf9cadcc2357e87fd53",
      "new_mode": 33188,
      "new_path": "init/service.h"
    }
  ]
}
