Add all capabilities to the ambient set before execve

This ensures that we have access to e.g. CAP_SYS_RESOURCE in system_server. Change-Id: I9a556faea8913295b58501ea0a176ba0920fe667
author: Zach Riggle <riggle@google.com> 2017-02-02 10:14:38 -0500
committer: Zach Riggle <riggle@google.com> 2017-02-02 10:14:38 -0500
commit: a26759c8979411e3e2623f8063caaf2a49b2be56 (patch)
tree: 1e6ecf87d37f5c0628c0d256e39c26def4185269 /runconuid
parent: fa5fbd7358636f4fb8a1242949d34c6393e8446f (diff)
download: extras-a26759c8979411e3e2623f8063caaf2a49b2be56.tar.gz
1 files changed, 9 insertions, 0 deletions
diff --git a/runconuid/runconuid.cpp b/runconuid/runconuid.cpp
index 496d51f1..6438f7f0 100644
--- a/runconuid/runconuid.cpp
+++ b/runconuid/runconuid.cpp
@@ -34,6 +34,8 @@ with the specified group membership.
 #include <stdio.h>
 #include <stdlib.h>
 #include <signal.h>
+#include <sys/capability.h>
+#include <sys/prctl.h>
 #include <sys/ptrace.h>
 #include <sys/types.h>
 #include <sys/wait.h>
@@ -53,10 +55,17 @@ static char** child_argv = nullptr;
 }
 
 void do_child(void) {
+
   if (context && setexeccon(context) < 0) {
     perror_exit("Setting context to failed");
   }
 
+  // Disregard ambient capability failures, we may just be on a kernel
+  // that does not support them.
+  for (int i = 0; i < 64; ++i) {
+      prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, i, 0, 0);
+  }
+
   if (ngroups && setgroups(ngroups, groups) < 0) {
     perror_exit("Setting supplementary groups failed.");
   }
author	Zach Riggle <riggle@google.com>	2017-02-02 10:14:38 -0500
committer	Zach Riggle <riggle@google.com>	2017-02-02 10:14:38 -0500
commit	a26759c8979411e3e2623f8063caaf2a49b2be56 (patch)
tree	1e6ecf87d37f5c0628c0d256e39c26def4185269 /runconuid
parent	fa5fbd7358636f4fb8a1242949d34c6393e8446f (diff)
download	extras-a26759c8979411e3e2623f8063caaf2a49b2be56.tar.gz