From a26759c8979411e3e2623f8063caaf2a49b2be56 Mon Sep 17 00:00:00 2001
From: Zach Riggle <riggle@google.com>
Date: Thu, 2 Feb 2017 10:14:38 -0500
Subject: Add all capabilities to the ambient set before execve

This ensures that we have access to e.g. CAP_SYS_RESOURCE in system_server.

Change-Id: I9a556faea8913295b58501ea0a176ba0920fe667
---
 runconuid/runconuid.cpp | 9 +++++++++
 1 file changed, 9 insertions(+)

(limited to 'runconuid')

diff --git a/runconuid/runconuid.cpp b/runconuid/runconuid.cpp
index 496d51f1..6438f7f0 100644
--- a/runconuid/runconuid.cpp
+++ b/runconuid/runconuid.cpp
@@ -34,6 +34,8 @@ with the specified group membership.
 #include <stdio.h>
 #include <stdlib.h>
 #include <signal.h>
+#include <sys/capability.h>
+#include <sys/prctl.h>
 #include <sys/ptrace.h>
 #include <sys/types.h>
 #include <sys/wait.h>
@@ -53,10 +55,17 @@ static char** child_argv = nullptr;
 }
 
 void do_child(void) {
+
   if (context && setexeccon(context) < 0) {
     perror_exit("Setting context to failed");
   }
 
+  // Disregard ambient capability failures, we may just be on a kernel
+  // that does not support them.
+  for (int i = 0; i < 64; ++i) {
+      prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, i, 0, 0);
+  }
+
   if (ngroups && setgroups(ngroups, groups) < 0) {
     perror_exit("Setting supplementary groups failed.");
   }
-- 
cgit v1.2.3