Port prctl(PR_CAPBSET_DROP) patches dalvik-dev
A combination of the following two dalvik commits:

* https://android-review.googlesource.com/51731
* https://android-review.googlesource.com/51697

Commit message from c0ecb5bdbf465ef05ed3379c13ff9a4245412ce7

Zygote: limit the bounding capability set to CAP_NET_RAW

Prevent a zygote spawned application from acquiring
capabilities other than CAP_NET_RAW. The only Zygote
accessible program on Android which grants capabilities
is /system/bin/ping (CAP_NET_RAW), so we don't need to
keep the other capabilities in our bounding set.

If the kernel doesn't support file capabilities, we
end up printing approx 30 lines of warning messages. Hopefully
this will encourage kernel developers to upgrade. In a future
change, we can turn a prctl(PR_CAPBSET_DROP) failure into
a fatal error.

Commit message from daa97a125fc2caa5faa44a31a768f318a26c7b65

Zygote: address comments from previous review.

Previous review at https://android-review.googlesource.com/51731

Change-Id: If43d049767a9128d73f51076a674f8b87351396d
1 file changed
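
The hardening described in the commit message, sketched as an added example (this is not the code from the commit or from the Android tree). It drops every bounding-set capability except CAP_NET_RAW and warns instead of aborting when a drop fails; the function names `last_known_cap`, `limit_bounding_set` and `extra_bounding_caps` are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <linux/capability.h>

/* Highest capability number the running kernel accepts, or -1 if
 * PR_CAPBSET_READ is unavailable. Probing avoids trusting a CAP_LAST_CAP
 * from headers that may not match the running kernel. */
int last_known_cap(void) {
    int cap = -1;
    while (prctl(PR_CAPBSET_READ, (unsigned long)(cap + 1), 0UL, 0UL, 0UL) >= 0)
        cap++;
    return cap;
}

/* Drop every capability except `keep` from the bounding set.
 * A failed drop is a warning, not a fatal error. Returns the failure count. */
int limit_bounding_set(int keep) {
    int failed = 0, last = last_known_cap();
    for (int cap = 0; cap <= last; cap++) {
        if (cap == keep)
            continue;
        if (prctl(PR_CAPBSET_DROP, (unsigned long)cap, 0UL, 0UL, 0UL) == 0)
            continue;
        failed++;
        /* prctl(2): EINVAL = no file capability support, EPERM = no CAP_SETPCAP */
        fprintf(stderr, "PR_CAPBSET_DROP %d failed: %s%s\n", cap, strerror(errno),
                errno == EINVAL ? " (kernel lacks file capabilities?)" : "");
    }
    return failed;
}

/* Count capabilities other than `keep` still present in the bounding set. */
int extra_bounding_caps(int keep) {
    int extra = 0, last = last_known_cap();
    for (int cap = 0; cap <= last; cap++)
        if (cap != keep &&
            prctl(PR_CAPBSET_READ, (unsigned long)cap, 0UL, 0UL, 0UL) == 1)
            extra++;
    return extra;
}

int main(void) {
    int failed = limit_bounding_set(CAP_NET_RAW);
    printf("failed drops: %d, extra caps left: %d\n",
           failed, extra_bounding_caps(CAP_NET_RAW));
    return 0;
}
```

A process that runs this before dropping privileges and exec'ing untrusted code can check `extra_bounding_caps(CAP_NET_RAW) == 0` to confirm that no file-capability binary can hand back anything beyond CAP_NET_RAW.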