From 4d186ad96447df8d0d39235fb9b3f2022767aefe Mon Sep 17 00:00:00 2001
From: Jorge Lucangeli Obes <jorgelo@google.com>
Date: Fri, 19 Feb 2016 15:23:28 -0800
Subject: [PATCH] adbd: Remove explicit capability bounding set code.

Minijail supports dropping capabilities from the bounding set.
Use that code instead.

This cleans up one small loose end in the work started with
https://android-review.googlesource.com/#/c/187775/

Final diff: fewer lines, more unit-tested code.
"""
$ git diff --stat 52cf4fa6aa3e8d13f61b1 adb/daemon/main.cpp
 adb/daemon/main.cpp | 56
 1 file changed, 27 insertions(+), 29 deletions(-)
"""

Bug: 27314096
Change-Id: I238975920b85fae376522eb26f5ad6d9fee0762a
---
 adb/daemon/main.cpp | 17 ++++-------------
 1 file changed, 4 insertions(+), 13 deletions(-)

diff --git a/adb/daemon/main.cpp b/adb/daemon/main.cpp
index 4721e2fbb..7f40b96b2 100644
--- a/adb/daemon/main.cpp
+++ b/adb/daemon/main.cpp
@@ -43,24 +43,15 @@
 
 static const char* root_seclabel = nullptr;
 
-static void drop_capabilities_bounding_set_if_needed() {
-#ifdef ALLOW_ADBD_ROOT
+static void drop_capabilities_bounding_set_if_needed(struct minijail *j) {
+#if defined(ALLOW_ADBD_ROOT)
     char value[PROPERTY_VALUE_MAX];
     property_get("ro.debuggable", value, "");
     if (strcmp(value, "1") == 0) {
         return;
     }
 #endif
-    for (int i = 0; prctl(PR_CAPBSET_READ, i, 0, 0, 0) >= 0; i++) {
-        if (i == CAP_SETUID || i == CAP_SETGID) {
-            // CAP_SETUID CAP_SETGID needed by /system/bin/run-as
-            continue;
-        }
-
-        if (prctl(PR_CAPBSET_DROP, i, 0, 0, 0) == -1) {
-            PLOG(FATAL) << "Could not drop capabilities";
-        }
-    }
+    minijail_capbset_drop(j, CAP_TO_MASK(CAP_SETUID) | CAP_TO_MASK(CAP_SETGID));
 }
 
 static bool should_drop_privileges() {
@@ -131,7 +122,7 @@ static void drop_privileges(int server_port) {
     // Don't listen on a port (default 5037) if running in secure mode.
     // Don't run as root if running in secure mode.
     if (should_drop_privileges()) {
-        drop_capabilities_bounding_set_if_needed();
+        drop_capabilities_bounding_set_if_needed(jail.get());
 
         minijail_change_gid(jail.get(), AID_SHELL);
         minijail_change_uid(jail.get(), AID_SHELL);