Google Git
Sign in
android / platform / external / minijail / refs/tags/android-o-mr1-iot-release-1.0.0
tag52e798bc48993435d62890f44197b9e4304a4416
taggerThe Android Open Source Project <initial-contribution@android.com>Fri May 04 11:06:23 2018 -0700
object542342125831c69eb9c80265cd865250579fa19d 
Android Things LTS v1.0.0 (4760714)
commit542342125831c69eb9c80265cd865250579fa19d[log] [tgz]
authorJorge Lucangeli Obes <jorgelo@google.com>Thu Apr 26 11:52:15 2018 -0400
committerJorge Lucangeli Obes <jorgelo@google.com>Thu Apr 26 15:40:14 2018 -0400
tree3e9522afb9264ae5bc35a9360048aae6acd4560e
parent9dd13fd059ffe080c55f60ab98fbecdc7a3ed7ec [diff]
Skip dropping the bounding set without SECURE_NOROOT.

If we're asked to skip setting *and* locking the SECURE_NOROOT
securebit, also skip dropping the bounding set. If the caller wants to
regain all capabilities when executing a set-user-ID-root program,
allow them to do so. The default behavior (i.e. the behavior without
|securebits_skip_mask| set) will still put the jailed process tree in a
capabilities-only environment.

This will allow giving powerd on Chrome OS some capabilities without
breaking other things.

Bug: 78629772
Test: New unit tests.
Test: Ad-hoc with fork+exec program + setuid program + -B 0x3
Test: Setuid program is able to keep all caps.

Change-Id: I36f79a42666720a65d88ec48454b56695f25b64b
5 files changed
tree: 3e9522afb9264ae5bc35a9360048aae6acd4560e
  1. examples/
  2. linux-x86/
  3. test/
  4. tools/
  5. .clang-format
  6. .gitignore
  7. Android.bp
  8. arch.h
  9. bpf.c
  10. bpf.h
  11. CleanSpec.mk
  12. common.mk
  13. CPPLINT.cfg
  14. elfparse.c
  15. elfparse.h
  16. gen_constants-inl.h
  17. gen_constants.c
  18. gen_constants.sh
  19. gen_syscalls.c
  20. gen_syscalls.sh
  21. get_googletest.sh
  22. HACKING
  23. libconstants.h
  24. libminijail-private.h
  25. libminijail.c
  26. libminijail.h
  27. libminijail.pc.in
  28. libminijail_unittest.cc
  29. libminijailpreload.c
  30. libsyscalls.h
  31. LICENSE
  32. Makefile
  33. minijail0.1
  34. minijail0.5
  35. minijail0.c
  36. minijail0_cli.c
  37. minijail0_cli.h
  38. minijail0_cli_unittest.cc
  39. MODULE_LICENSE_BSD
  40. NOTICE
  41. OWNERS
  42. parse_seccomp_policy.cc
  43. platform2_preinstall.sh
  44. PRESUBMIT.cfg
  45. PREUPLOAD.cfg
  46. RELEASE.md
  47. scoped_minijail.h
  48. signal_handler.c
  49. signal_handler.h
  50. syscall_filter.c
  51. syscall_filter.h
  52. syscall_filter_unittest.cc
  53. syscall_filter_unittest_macros.h
  54. syscall_wrapper.c
  55. syscall_wrapper.h
  56. system.c
  57. system.h
  58. system_unittest.cc
  59. testrunner.cc
  60. util.c
  61. util.h
  62. util_unittest.cc