Android Wear Hematite Developer Preview 2 (PWH1.180422.008)
-----BEGIN PGP SIGNATURE-----

iF0EABECAB0WIQRDQNE1cO+UXoOBCWTorT+BmrEOeAUCWvNmggAKCRDorT+BmrEO
eM4KAJ9D0nKm1XlhMnJSbCWJVuUsJadwmwCfWgm3FyJJnJFweYJm0g10ZT2NRKU=
=Oi1q
-----END PGP SIGNATURE-----
Skip dropping the bounding set without SECURE_NOROOT.

If we're asked to skip setting *and* locking the SECURE_NOROOT
securebit, also skip dropping the bounding set. If the caller wants to
regain all capabilities when executing a set-user-ID-root program,
allow them to do so. The default behavior (i.e. the behavior without
|securebits_skip_mask| set) will still put the jailed process tree in a
capabilities-only environment.

This will allow giving powerd on Chrome OS some capabilities without
breaking other things.

Bug: 78629772
Test: New unit tests.
Test: Ad-hoc with fork+exec program + setuid program + -B 0x3
Test: Setuid program is able to keep all caps.

Change-Id: I36f79a42666720a65d88ec48454b56695f25b64b
5 files changed