minijail: Unconditionally include securebits.h
The header has been available for a long while, so it is no longer
necessary to pretend that we can compile without it. Case in point:
compilation with HAVE_SECUREBITS_H was already broken due to unprotected
SECBIT_ references.
Bug: None
TEST=Compiles.
Change-Id: I91e5587447178f36d5e1b0cd773bfc468fda276d
diff --git a/Android.bp b/Android.bp
index 93c4543..7bce0f1 100644
--- a/Android.bp
+++ b/Android.bp
@@ -35,7 +35,6 @@
cflags: [
"-D_FILE_OFFSET_BITS=64",
"-DALLOW_DEBUG_LOGGING",
- "-DHAVE_SECUREBITS_H",
"-Wall",
"-Werror",
],
diff --git a/Makefile b/Makefile
index 093ecc4..9a13d8e 100644
--- a/Makefile
+++ b/Makefile
@@ -10,10 +10,6 @@
PRELOADPATH = \"$(LIBDIR)/$(PRELOADNAME)\"
CPPFLAGS += -DPRELOADPATH="$(PRELOADPATH)"
-ifneq ($(HAVE_SECUREBITS_H),no)
-CPPFLAGS += -DHAVE_SECUREBITS_H
-endif
-
ifeq ($(USE_seccomp),no)
CPPFLAGS += -DUSE_SECCOMP_SOFTFAIL
endif
diff --git a/system.c b/system.c
index 63f22d8..7527653 100644
--- a/system.c
+++ b/system.c
@@ -20,17 +20,21 @@
#include <sys/statvfs.h>
#include <unistd.h>
+#include <linux/securebits.h>
+
#include "util.h"
-#ifdef HAVE_SECUREBITS_H
-#include <linux/securebits.h>
-#else
-#define SECURE_ALL_BITS 0x55
-#define SECURE_ALL_LOCKS (SECURE_ALL_BITS << 1)
+/*
+ * SECBIT_NO_CAP_AMBIENT_RAISE was added in kernel 4.3, so fill in the
+ * definition if the securebits header doesn't provide it.
+ */
+#ifndef SECBIT_NO_CAP_AMBIENT_RAISE
+#define SECBIT_NO_CAP_AMBIENT_RAISE (issecure_mask(6))
#endif
-#define SECURE_BITS_NO_AMBIENT 0x15
-#define SECURE_LOCKS_NO_AMBIENT (SECURE_BITS_NO_AMBIENT << 1)
+#ifndef SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED
+#define SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED (issecure_mask(7))
+#endif
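Review bot: The fallback definitions at the end of the hunk hard-code bit positions 6 and 7 without any compile-time check that they agree with a header that does provide SECBIT_NO_CAP_AMBIENT_RAISE, while the comment that follows the hunk says the file already asserts the value of SECURE_ALL_BITS at compile time (presumably via _Static_assert, which is not visible here). Mirroring that for the new bits, `_Static_assert(SECBIT_NO_CAP_AMBIENT_RAISE == 0x40, "SECBIT_NO_CAP_AMBIENT_RAISE == 0x40.");` and `_Static_assert(SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED == 0x80, "SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED == 0x80.");`, would make a mismatched or mis-ordered header fail the build rather than silently locking the wrong securebit. The comment could also note that `issecure_mask()` is supplied by the now-unconditional `<linux/securebits.h>` include, since the fallback only works because that include precedes it.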
/*
* Assert the value of SECURE_ALL_BITS at compile-time.
@@ -67,7 +71,8 @@
* configuring the permitted and inheritable set.
*/
unsigned long securebits =
- (SECURE_BITS_NO_AMBIENT | SECURE_LOCKS_NO_AMBIENT) & ~skip_mask;
+ (SECBIT_NO_CAP_AMBIENT_RAISE | SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED) &
+ ~skip_mask;
if (!securebits) {
warn("not locking any securebits");
return 0;
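Review bot: The new securebits expression locks a different set of bits than the one it replaces, which the commit message (an include cleanup, TEST=Compiles) does not mention. The removed `SECURE_BITS_NO_AMBIENT | SECURE_LOCKS_NO_AMBIENT` was 0x15 | 0x2A, i.e. NOROOT, NO_SETUID_FIXUP and KEEP_CAPS plus their locks with the ambient-raise bits excluded, whereas `SECBIT_NO_CAP_AMBIENT_RAISE | SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED` is 0x40 | 0x80, the exact inverse: the three bits this function used to lock are now left unlocked and the one bit the preserved comment says does not need locking is the only one set. Unless the behaviour change is intended, the equivalent of the old value with the header's own macros is `(SECURE_ALL_BITS | SECURE_ALL_LOCKS) & ~(SECBIT_NO_CAP_AMBIENT_RAISE | SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED) & ~skip_mask;`. The enclosing function starts before this hunk and its body continues past it, so the callers' expectations about `skip_mask` cannot be checked from here.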