Google Git
Sign in
android / platform / external / minijail / e520019e5e727bae72c78ff7b90fb3081334eada^! / .
commite520019e5e727bae72c78ff7b90fb3081334eada[log] [tgz]
authorMattias Nissler <mnissler@google.com>Thu Oct 18 12:29:40 2018 +0200
committerTreehugger Robot <treehugger-gerrit@google.com>Wed Feb 06 12:29:15 2019 +0000
treef92d820188923ec67bb956b9f61e44f579b296df
parentd2c951dbd601ef19616f5bf8226ee8af062e1ed7 [diff]
minijail: Unconditionally include securebits.h

The header has been available for a long while, so it is no longer
necessary to pretend that we can compile without it. Point in case -
compilation with HAVE_SECUIREBITS_H was broken due to unprotected
SECBIT_ references already.

Bug: None
TEST=Compiles.

Change-Id: I91e5587447178f36d5e1b0cd773bfc468fda276d

diff --git a/Android.bp b/Android.bp
index 93c4543..7bce0f1 100644
--- a/Android.bp
+++ b/Android.bp

@@ -35,7 +35,6 @@
     cflags: [
         "-D_FILE_OFFSET_BITS=64",
         "-DALLOW_DEBUG_LOGGING",
-        "-DHAVE_SECUREBITS_H",
         "-Wall",
         "-Werror",
     ],

diff --git a/Makefile b/Makefile
index 093ecc4..9a13d8e 100644
--- a/Makefile
+++ b/Makefile

@@ -10,10 +10,6 @@
 PRELOADPATH = \"$(LIBDIR)/$(PRELOADNAME)\"
 CPPFLAGS += -DPRELOADPATH="$(PRELOADPATH)"
 
-ifneq ($(HAVE_SECUREBITS_H),no)
-CPPFLAGS += -DHAVE_SECUREBITS_H
-endif
-
 ifeq ($(USE_seccomp),no)
 CPPFLAGS += -DUSE_SECCOMP_SOFTFAIL
 endif

diff --git a/system.c b/system.c
index 63f22d8..7527653 100644
--- a/system.c
+++ b/system.c

@@ -20,17 +20,21 @@
 #include <sys/statvfs.h>
 #include <unistd.h>
 
+#include <linux/securebits.h>
+
 #include "util.h"
 
-#ifdef HAVE_SECUREBITS_H
-#include <linux/securebits.h>
-#else
-#define SECURE_ALL_BITS 0x55
-#define SECURE_ALL_LOCKS (SECURE_ALL_BITS << 1)
+/*
+ * SECBIT_NO_CAP_AMBIENT_RAISE was added in kernel 4.3, so fill in the
+ * definition if the securebits header doesn't provide it.
+ */
+#ifndef SECBIT_NO_CAP_AMBIENT_RAISE
+#define SECBIT_NO_CAP_AMBIENT_RAISE (issecure_mask(6))
 #endif
 
-#define SECURE_BITS_NO_AMBIENT 0x15
-#define SECURE_LOCKS_NO_AMBIENT (SECURE_BITS_NO_AMBIENT << 1)
+#ifndef SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED
+#define SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED (issecure_mask(7))
+#endif
 
 /*
  * Assert the value of SECURE_ALL_BITS at compile-time.
@@ -67,7 +71,8 @@
 	 * configuring the permitted and inheritable set.
 	 */
 	unsigned long securebits =
-	    (SECURE_BITS_NO_AMBIENT | SECURE_LOCKS_NO_AMBIENT) & ~skip_mask;
+	    (SECBIT_NO_CAP_AMBIENT_RAISE | SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED) &
+	    ~skip_mask;
 	if (!securebits) {
 		warn("not locking any securebits");
 		return 0;