<html devsite>
  <head>
    <title>Implementing Ambient Capabilities</title>
    <meta name="project_path" value="/_project.yaml" />
    <meta name="book_path" value="/_book.yaml" />
  </head>
  <body>
  <!--
      Copyright 2017 The Android Open Source Project

      Licensed under the Apache License, Version 2.0 (the "License");
      you may not use this file except in compliance with the License.
      You may obtain a copy of the License at

          http://www.apache.org/licenses/LICENSE-2.0

      Unless required by applicable law or agreed to in writing, software
      distributed under the License is distributed on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      See the License for the specific language governing permissions and
      limitations under the License.
  -->

    <p>
    Capabilities allow Linux processes to drop most root-like privileges, while
    retaining the subset of privileges that they require to perform their function.
    The original implementation of capabilities made it impossible for fork+exec'd
    processes to inherit capabilities unless the files being executed had file
    capabilities configured. File capabilities, in turn, present a security risk
    since any process executing a file with file capabilities will be able to gain
    those capabilities.
    </p>
    <p>
    Ambient capabilities allow system services to configure their capabilities in
    their <code>.rc</code> files, bringing all of their configuration into a single
    file instead of splitting the capabilities configuration out into the
    <code>fs_config.c</code> file.
    </p>
    <h2 id="reference-implementation">Reference implementation</h2>
    <p>
    The reference implementation is the Android common kernel: <a
    href="https://android.googlesource.com/kernel/common/">https://android.googlesource.com/kernel/common/</a>.
    </p>
    <h2 id="required-patches">Required patches</h2>
    <p>
    Required patches have been backported to all the relevant Android common kernel
    branches.
    </p>
    <p>
    The main ambient capabilities patch <a
    href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=58319057b7847667f0c9585b9de0e8932b0fdb08">https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=58319057b7847667f0c9585b9de0e8932b0fdb08</a>
    has been backported in:
    </p>
    <ul>
      <li>android-3.10 branch:
        <ul>
          <li><a
    href="https://android.googlesource.com/kernel/common/+/bdcd4484f1b399dfcb2fd7dd82b6869b2b6b60cd">https://android.googlesource.com/kernel/common/+/bdcd4484f1b399dfcb2fd7dd82b6869b2b6b60cd</a></li>
        </ul>
      </li>
      <li>android-3.14 branch:
        <ul>
          <li><a
    href="https://android.googlesource.com/kernel/common/+/5440f16f1296ca05f33dfde51e8bb7ad48699640">https://android.googlesource.com/kernel/common/+/5440f16f1296ca05f33dfde51e8bb7ad48699640</a></li>
        </ul>
      </li>
      <li>android-3.18 branch:
        <ul>
          <li><a
    href="https://android.googlesource.com/kernel/common/+/d6a9a74487e86b528c44965f871de75671b6adb0">https://android.googlesource.com/kernel/common/+/d6a9a74487e86b528c44965f871de75671b6adb0</a></li>
        </ul>
      </li>
      <li>android-4.1 branch:
        <ul>
          <li><a
    href="https://android.googlesource.com/kernel/common/+/0381789d78d552462ef576d9759e9aa6fcaae3bb">https://android.googlesource.com/kernel/common/+/0381789d78d552462ef576d9759e9aa6fcaae3bb</a></li>
        </ul>
      </li>
    </ul>

    <p>
    A small security fix <a
    href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b7f76ea2ef6739ee484a165ffbac98deb855d3d3">https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b7f76ea2ef6739ee484a165ffbac98deb855d3d3</a>
    has been backported in:
    </p>

    <ul>
      <li>android-3.10 branch:
        <ul>
          <li><a
    href="https://android.googlesource.com/kernel/common/+/ef89def080c52eb7ea6a9455eb32b1b05867133b">https://android.googlesource.com/kernel/common/+/ef89def080c52eb7ea6a9455eb32b1b05867133b</a></li>
        </ul>
      </li>
      <li>android-3.14 branch:
        <ul>
          <li><a
    href="https://android.googlesource.com/kernel/common/+/f75626b3092fad4e0bd8f2aed06947352781eb77">https://android.googlesource.com/kernel/common/+/f75626b3092fad4e0bd8f2aed06947352781eb77</a></li>
        </ul>
      </li>
      <li>android-3.18 branch:
        <ul>
          <li><a
    href="https://android.googlesource.com/kernel/common/+/7bc0ef844a537ebb786ba0574932bd65751818c6">https://android.googlesource.com/kernel/common/+/7bc0ef844a537ebb786ba0574932bd65751818c6</a></li>
        </ul>
      </li>
      <li>android-4.1 branch:
        <ul>
          <li><a
    href="https://android.googlesource.com/kernel/common/+/dda568cc40d855bde2dfa9c04a7a1628c80b7f63">https://android.googlesource.com/kernel/common/+/dda568cc40d855bde2dfa9c04a7a1628c80b7f63</a></li>
        </ul>
      </li>
    </ul>

    <p>
    A memory leak fix <a
    href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6d6f3328422a3bc56b0d8dd026a5de845d2abfa7">https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6d6f3328422a3bc56b0d8dd026a5de845d2abfa7</a>,
    needed for kernels &lt; 3.18, has been backported in:
    </p>

    <ul>
      <li>android-3.10 branch:
        <ul>
          <li><a
    href="https://android.googlesource.com/kernel/common/+/900e52782988ee11a1cb7d600e9edea48fc70f0f">https://android.googlesource.com/kernel/common/+/900e52782988ee11a1cb7d600e9edea48fc70f0f</a></li>
        </ul>
      </li>
    </ul>

    <h2 id="validation">Validation</h2>
    <p>
    <a
    href="https://android.googlesource.com/platform/bionic/+/master#Running-the-tests">Bionic
    unit tests</a> include unit tests for ambient capabilities. Beyond that, the
    feature can be tested at runtime by using the <code>capabilities</code> keyword
    for a service in Android init and then checking that the service receives the
    expected capabilities.
    </p>
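    <p>
    As an added example (not code from this page or from AOSP), the following C
    check is the kind of assertion that runtime test would rely on: it reads the
    <code>CapAmb</code> mask the kernel reports in <code>/proc/&lt;pid&gt;/status</code>,
    compares it with the capability names on the service's <code>.rc</code>
    <code>capabilities</code> line, and treats a missing <code>CapAmb</code> line
    (a kernel without the patch) or an unknown name as a failed check. The status
    text is a constructed sample, and the assumption that <code>.rc</code> names
    are the kernel's <code>CAP_*</code> names without the prefix is the example's own.
    </p>

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* .rc "capabilities" names (no CAP_ prefix), indexed by kernel number: CHOWN == 0 ... AUDIT_READ == 37. */
static const char *const cap_names[] = {
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL", "SETGID", "SETUID",
    "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE", "NET_BROADCAST", "NET_ADMIN", "NET_RAW",
    "IPC_LOCK", "IPC_OWNER", "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME", "SYS_TTY_CONFIG", "MKNOD",
    "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL", "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG",
    "WAKE_ALARM", "BLOCK_SUSPEND", "AUDIT_READ" };
#define CAP_COUNT (sizeof cap_names / sizeof cap_names[0])

/* Bitmask for space-separated names; *ok is cleared on an unknown name so that a
 * typo in the .rc file is reported instead of silently granting nothing. */
uint64_t cap_mask_from_names(const char *names, int *ok)
{
    uint64_t mask = 0; char buf[512];
    strncpy(buf, names, sizeof buf - 1); buf[sizeof buf - 1] = '\0';
    *ok = 1;
    for (char *tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t")) {
        size_t i = 0;
        while (i < CAP_COUNT && strcmp(tok, cap_names[i]) != 0) i++;
        if (i == CAP_COUNT) { *ok = 0; return 0; }
        mask |= (uint64_t)1 << i;
    }
    return mask;
}

/* Hex mask following "Key:" (e.g. "CapAmb:") in /proc/PID/status text; returns -1
 * when the key is absent, which is what a kernel without the ambient patch shows. */
int cap_mask_from_status(const char *status, const char *key, uint64_t *mask)
{
    const char *p = strstr(status, key);
    if (p) *mask = strtoull(p + strlen(key), NULL, 16);
    return p ? 0 : -1;
}

/* 1 when the ambient set equals exactly the expected names, otherwise 0. */
int ambient_caps_match(const char *status, const char *expected_names)
{
    uint64_t want, have; int ok;
    want = cap_mask_from_names(expected_names, &ok);
    return ok && cap_mask_from_status(status, "CapAmb:", &have) == 0 && want == have;
}

/* Constructed sample status for a service started with "capabilities NET_ADMIN NET_RAW" (0x3000 = bits 12 and 13). */
static const char sample_status[] =
    "CapPrm:\t0000000000003000\nCapEff:\t0000000000003000\nCapAmb:\t0000000000003000\n";
```

    <p>
    On a device the same check is run over the real
    <code>/proc/&lt;pid&gt;/status</code> of the started service, with the expected
    names taken from its <code>.rc</code> entry.
    </p>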
  </body>
</html>