diff options
author | Nikita Ioffe <ioffe@google.com> | 2024-04-19 17:23:47 +0000 |
---|---|---|
committer | Nikita Ioffe <ioffe@google.com> | 2024-04-19 17:23:47 +0000 |
commit | 8b9705698014252b6d42b9c2d469fe92f6ffc56e (patch) | |
tree | 6dd1736cfb03e74f67fb06b5ac22b48a0d1039b2 | |
parent | 89a9afc2129dbcea69389971c70a157e35e22b37 (diff) | |
download | adb-8b9705698014252b6d42b9c2d469fe92f6ffc56e.tar.gz |
Improve comment around CAP_SYS_NICE capability
Also fix the error message for the cap_clear_flag(caps.get(), CAP_EFFECTIVE) call.
Bug: 334980629
Test: presubmit
Test: m
Change-Id: Idf311f49f2a14d315edad138bf6b5f3f1026819c
-rw-r--r-- | daemon/main.cpp | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/daemon/main.cpp b/daemon/main.cpp index c6e6d749..77e535af 100644 --- a/daemon/main.cpp +++ b/daemon/main.cpp @@ -129,7 +129,9 @@ static void drop_privileges(int server_port) { // adbd (CapBnd: CAP_SYS_NICE) -> /system/bin/sh (CapBnd: CAP_SYS_NICE) -> // /apex/com.android.virt/bin/vm (CapBnd: CAP_SYS_NICE) -> // virtmngr (CapBnd: CAP_SYS_NICE) -> crosvm (CapEff: CAP_SYS_NICE). - // Note: the adbd or sh (spawned from adb shell) won't actually have the CAP_SYS_NICE. + // Note: the adbd will drop it's effective capabilities several lines below, while the + // /system/bin/sh process spawned from adbd will run as non-root uid, hence won't be + // able to use the CAP_SYS_NICE capability in the first place. minijail_use_caps(jail.get(), CAP_TO_MASK(CAP_SETUID) | CAP_TO_MASK(CAP_SETGID) | CAP_TO_MASK(CAP_SYS_NICE)); } @@ -150,7 +152,7 @@ static void drop_privileges(int server_port) { PLOG(FATAL) << "cap_clear_flag(INHERITABLE) failed"; } if (cap_clear_flag(caps.get(), CAP_EFFECTIVE) == -1) { - PLOG(FATAL) << "cap_clear_flag(PEMITTED) failed"; + PLOG(FATAL) << "cap_clear_flag(EFFECTIVE) failed"; } if (cap_clear_flag(caps.get(), CAP_PERMITTED) == -1) { PLOG(FATAL) << "cap_clear_flag(PEMITTED) failed"; |