author | Zach Riggle <riggle@google.com> | 2017-02-02 10:14:38 -0500 |
---|---|---|
committer | Zach Riggle <riggle@google.com> | 2017-02-02 10:14:38 -0500 |
commit | a26759c8979411e3e2623f8063caaf2a49b2be56 (patch) | |
tree | 1e6ecf87d37f5c0628c0d256e39c26def4185269 /runconuid | |
parent | fa5fbd7358636f4fb8a1242949d34c6393e8446f (diff) | |
download | extras-a26759c8979411e3e2623f8063caaf2a49b2be56.tar.gz |
Add all capabilities to the ambient set before execve
This ensures that we have access to e.g. CAP_SYS_RESOURCE in system_server.
Change-Id: I9a556faea8913295b58501ea0a176ba0920fe667
Diffstat (limited to 'runconuid')
-rw-r--r-- | runconuid/runconuid.cpp | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/runconuid/runconuid.cpp b/runconuid/runconuid.cpp
index 496d51f1..6438f7f0 100644
--- a/runconuid/runconuid.cpp
+++ b/runconuid/runconuid.cpp
@@ -34,6 +34,8 @@ with the specified group membership.
 #include <stdio.h>
 #include <stdlib.h>
 #include <signal.h>
+#include <sys/capability.h>
+#include <sys/prctl.h>
 #include <sys/ptrace.h>
 #include <sys/types.h>
 #include <sys/wait.h>
@@ -53,10 +55,17 @@ static char** child_argv = nullptr;
 }

 void do_child(void) {
+
 if (context && setexeccon(context) < 0) {
 perror_exit("Setting context to failed");
 }

+ // Disregard ambient capability failures, we may just be on a kernel
+ // that does not support them.
+ for (int i = 0; i < 64; ++i) {
+ prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, i, 0, 0);
+ }
+
 if (ngroups && setgroups(ngroups, groups) < 0) {
 perror_exit("Setting supplementary groups failed.");
 }
|
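Review bot: The new loop in do_child discards every prctl() result, so a kernel without ambient-capability support (EINVAL) cannot be told apart from a capability that could not be raised because it is missing from the permitted or inheritable set (EPERM), and the child then execs with fewer capabilities than the commit intends, without any diagnostic. Consider tolerating only the unsupported-kernel case, e.g. `if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, i, 0, 0) < 0 && errno != EINVAL) perror("PR_CAP_AMBIENT_RAISE");`, and bounding the loop with `i <= CAP_LAST_CAP` rather than the literal 64. Raising every capability also means the exec'd program and its descendants keep the full set across execve; if only a few such as CAP_SYS_RESOURCE are needed, a short explicit list would be the least-privilege choice. do_child continues past the end of the hunk, so how this interacts with the later credential changes is not visible here.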