From a377ff0d4a1286b4e53b42f8a3a6731f42661a34 Mon Sep 17 00:00:00 2001
From: Jorge Lucangeli Obes
Date: Fri, 15 Jul 2016 11:24:20 -0400
Subject: [PATCH] run-as: Use Minijail for privilege dropping.

Arguably, we don't need a ScopedMinijail for a program that only execs, but I'd rather keep the code consistent and have all uses of Minijail be good examples.

Bug: 30156807
Change-Id: I08a968835e0f3e2afcd5e7736626edbed658cde2
---
 run-as/Android.mk | 4 ++--
 run-as/run-as.cpp | 32 +++++++------------------------
 2 files changed, 9 insertions(+), 27 deletions(-)

diff --git a/run-as/Android.mk b/run-as/Android.mk
index 2e305d7fc..7111fbe14 100644
--- a/run-as/Android.mk
+++ b/run-as/Android.mk
@@ -1,8 +1,8 @@
 LOCAL_PATH:= $(call my-dir)
 include $(CLEAR_VARS)
-LOCAL_CFLAGS := -Werror
+LOCAL_CFLAGS := -Wall -Werror
 LOCAL_MODULE := run-as
-LOCAL_SHARED_LIBRARIES := libselinux libpackagelistparser
+LOCAL_SHARED_LIBRARIES := libselinux libpackagelistparser libminijail
 LOCAL_SRC_FILES := run-as.cpp
 include $(BUILD_EXECUTABLE)
diff --git a/run-as/run-as.cpp b/run-as/run-as.cpp
index 50b47b99c..aec51f45b 100644
--- a/run-as/run-as.cpp
+++ b/run-as/run-as.cpp
@@ -25,6 +25,9 @@
 #include
 #include
+#include
+#include
+
 #include
 #include
 #include
@@ -136,19 +139,6 @@ int main(int argc, char* argv[]) {
 error(1, 0, "only 'shell' or 'root' users can run this program");
 }
- __user_cap_header_struct capheader;
- __user_cap_data_struct capdata[2];
- memset(&capheader, 0, sizeof(capheader));
- memset(&capdata, 0, sizeof(capdata));
- capheader.version = _LINUX_CAPABILITY_VERSION_3;
- capdata[CAP_TO_INDEX(CAP_SETUID)].effective |= CAP_TO_MASK(CAP_SETUID);
- capdata[CAP_TO_INDEX(CAP_SETGID)].effective |= CAP_TO_MASK(CAP_SETGID);
- capdata[CAP_TO_INDEX(CAP_SETUID)].permitted |= CAP_TO_MASK(CAP_SETUID);
- capdata[CAP_TO_INDEX(CAP_SETGID)].permitted |= CAP_TO_MASK(CAP_SETGID);
- if (capset(&capheader, &capdata[0]) == -1) {
- error(1, errno, "couldn't set capabilities");
- }
-
 char* pkgname = argv[1];
 int cmd_argv_offset = 2;
@@ -201,18 +191,10 @@ int main(int argc, char* argv[]) {
 // same time to avoid nasty surprises.
 uid_t uid = userAppId;
 uid_t gid = userAppId;
- if (setresgid(gid, gid, gid) == -1) {
- error(1, errno, "setresgid failed");
- }
- if (setresuid(uid, uid, uid) == -1) {
- error(1, errno, "setresuid failed");
- }
-
- // Required if caller has uid and gid all non-zero.
- memset(&capdata, 0, sizeof(capdata));
- if (capset(&capheader, &capdata[0]) == -1) {
- error(1, errno, "couldn't clear all capabilities");
- }
+ ScopedMinijail j(minijail_new());
+ minijail_change_uid(j.get(), uid);
+ minijail_change_gid(j.get(), gid);
+ minijail_enter(j.get());
 if (selinux_android_setcontext(uid, 0, info.seinfo, pkgname) < 0) {
 error(1, errno, "couldn't set SELinux security context");
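Review bot: The result of `minijail_new()` is used without a check in the second hunk of run-as.cpp: `minijail_change_uid(j.get(), uid)` hands the jail pointer straight to libminijail, so an allocation failure would surface as a null dereference instead of the `error(1, errno, …)` exit every other failure in main() gets; add `if (j.get() == nullptr) error(1, errno, "minijail_new failed");` directly after the `ScopedMinijail j(minijail_new());` line. The removed block also carried the comment `// Required if caller has uid and gid all non-zero.` explaining why capabilities were cleared with a second `capset()` after the uid change, and the replacement shows no equivalent call, so whether CAP_SETUID/CAP_SETGID remain in the process between `minijail_enter()` and the exec for a non-root caller now depends on what minijail_enter does in that case, which is not visible here. That assumption is worth confirming and recording on the new lines, e.g. `// TODO(review): confirm minijail_enter() also clears CAP_SETUID/CAP_SETGID when the caller's uids are all non-zero (replaces the explicit capset() clear).` main() begins and ends outside this hunk.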