commit | c74072217cf82b4abe79d4f6b5570aeb32f383d2 | [log] [tgz] |
---|---|---|
author | Jorge Lucangeli Obes <jorgelo@google.com> | Thu Jan 12 11:58:18 2017 -0500 |
committer | Jorge Lucangeli Obes <jorgelo@google.com> | Thu Jan 12 12:07:35 2017 -0500 |
tree | ef4c2e16e5a165c410dfabfeffd203eb04be1265 | |
parent | 7041ff1e4cf9e97fb31410b8823719c7bae158a1 [diff] |
Remove NET_ADMIN capability from mtpd. I decided to take a look at the SELinux configs for the VPN daemons. CAP_NET_ADMIN is not allowed by the SELinux policy at: https://android.googlesource.com/platform/system/sepolicy/+/master/public/mtp.te#9 "allow mtp self:capability net_raw;" A quick grep in the mtpd source code shows no use of ioctl, which is the syscall used to configure interfaces (and what usually requires NET_ADMIN). Remove it, since it could never have worked. The line in question was added in 2013: https://android.googlesource.com/platform/system/sepolicy/+blame/master/public/mtp.te#9 Bug: 33938230 Test: 'start mtpd', 'cat /proc/`pgrep mtpd`/status | grep Cap'. Test: "Cap" lines show correct mask: 0000000000002000 Test: Add a VPN, enable it, mtpd starts correctly. Change-Id: Iee689736e3f4fe53ad61da706e98e8416d775485