ACPR/android_system_core
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

init: Read previous state of securebits before modifying

Browse source 
When Android is running in a container, some of the securebits might be
locked, which makes prctl(PR_SET_SECUREBITS) fail.

This change gets the previous state of the process' securebits and adds
the desired bits.

Bug: 62388055
Test: aosp_bullhead-eng boots
Test: If init has non-zero securebits, it can also boot
Change-Id: Ie03bf2538f9dca40955bc58314d269246f5731bd
This commit is contained in:
Luis Hector Chavez 2017-06-30 14:04:20 -07:00
parent c997cd64dc
commit f5965519d1
1 changed files with 9 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
init/service.cpp
View file

@ -235,8 +235,15 @@ void Service::KillProcessGroup(int signal) {
void Service::SetProcessAttributes() {
// Keep capabilites on uid change.
if (capabilities_.any() && uid_) {
if (prctl(PR_SET_SECUREBITS, SECBIT_KEEP_CAPS | SECBIT_KEEP_CAPS_LOCKED) != 0) {
PLOG(FATAL) << "prtcl(PR_SET_KEEPCAPS) failed for " << name_;
// If Android is running in a container, some securebits might already
// be locked, so don't change those.
int64_t securebits = prctl(PR_GET_SECUREBITS);
if (securebits == -1) {
PLOG(FATAL) << "prctl(PR_GET_SECUREBITS) failed for " << name_;
}
securebits |= SECBIT_KEEP_CAPS | SECBIT_KEEP_CAPS_LOCKED;
if (prctl(PR_SET_SECUREBITS, securebits) != 0) {
PLOG(FATAL) << "prctl(PR_SET_SECUREBITS) failed for " << name_;
}
}