Merge "racoon: Explicitly request CAP_NET_BIND_SERVICE, CAP_NET_RAW." am: fcef899dfa Change-Id: I1c25449c267f03432060f862ac44cdc6db4bf3c2

commit: baba502ac4e2f9f07921cd5c94a0c1751e848048 [log] [tgz]
author: Jorge Lucangeli Obes <jorgelo@google.com> Mon Jan 30 18:18:32 2017 +0000
committer: android-build-merger <android-build-merger@google.com> Mon Jan 30 18:18:32 2017 +0000
tree: 8cf61139a5eb1230d21be901465a8f1150a5849d
parent: f913916cf93f017e993eecc6a5725df27c9861b2 [diff]
parent: fcef899dfa8a801cce07701d84bece9294e201cf [diff]
diff --git a/main.c b/main.c
index c5e6736..524155a 100644
--- a/main.c
+++ b/main.c

@@ -177,10 +177,6 @@
 
 #ifdef ANDROID_CHANGES
     shutdown(control, SHUT_WR);
-    if (setuid(AID_VPN) != 0) {
-        do_plog(LLV_ERROR, "setuid(AID_VPN) failed\n");
-        exit(1);
-    }
 #endif
 
     while (1) {

diff --git a/racoon.rc b/racoon.rc
index 2feb5ae..fdb8823 100644
--- a/racoon.rc
+++ b/racoon.rc

@@ -1,8 +1,9 @@
 service racoon /system/bin/racoon
     class main
     socket racoon stream 600 system system
-    # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
+    # IKE uses UDP port 500.
+    user vpn
     group vpn inet
-    capabilities NET_ADMIN
+    capabilities NET_ADMIN NET_BIND_SERVICE NET_RAW
     disabled
     oneshot
commit	baba502ac4e2f9f07921cd5c94a0c1751e848048	[log] [tgz]
author	Jorge Lucangeli Obes <jorgelo@google.com>	Mon Jan 30 18:18:32 2017 +0000
committer	android-build-merger <android-build-merger@google.com>	Mon Jan 30 18:18:32 2017 +0000
tree	8cf61139a5eb1230d21be901465a8f1150a5849d
parent	f913916cf93f017e993eecc6a5725df27c9861b2 [diff]
parent	fcef899dfa8a801cce07701d84bece9294e201cf [diff]