diff --git a/frameworks/base/core/jni/com_android_internal_os_Zygote.cpp b/frameworks/base/core/jni/com_android_internal_os_Zygote.cpp
old mode 100644
new mode 100755
index bed0aae074..37020c5692
--- a/frameworks/base/core/jni/com_android_internal_os_Zygote.cpp
+++ b/frameworks/base/core/jni/com_android_internal_os_Zygote.cpp
@@ -654,7 +654,7 @@ static void EnableKeepCapabilities(fail_fn_t fail_fn) {
}
static void DropCapabilitiesBoundingSet(fail_fn_t fail_fn) {
- for (int i = 0; prctl(PR_CAPBSET_READ, i, 0, 0, 0) >= 0; i++) {;
+ /*for (int i = 0; prctl(PR_CAPBSET_READ, i, 0, 0, 0) >= 0; i++) {;
if (prctl(PR_CAPBSET_DROP, i, 0, 0, 0) == -1) {
if (errno == EINVAL) {
ALOGE("prctl(PR_CAPBSET_DROP) failed with EINVAL. Please verify "
@@ -663,7 +663,7 @@ static void DropCapabilitiesBoundingSet(fail_fn_t fail_fn) {
fail_fn(CREATE_ERROR("prctl(PR_CAPBSET_DROP, %d) failed: %s", i, strerror(errno)));
}
}
- }
+ }*/
}
static void SetInheritable(uint64_t inheritable, fail_fn_t fail_fn) {
diff --git a/kernel-5.10/security/commoncap.c b/kernel-5.10/security/commoncap.c
old mode 100644
new mode 100755
index 4bdb44c9e6..d5c6761f55
--- a/kernel-5.10/security/commoncap.c
+++ b/kernel-5.10/security/commoncap.c
@@ -1163,11 +1163,12 @@ static int cap_prctl_drop(unsigned long cap)
{
struct cred *new;
+/*
if (!ns_capable(current_user_ns(), CAP_SETPCAP))
return -EPERM;
if (!cap_valid(cap))
return -EINVAL;
-
+*/
new = prepare_creds();
if (!new)
return -ENOMEM;
diff --git a/system/core/init/selinux.cpp b/system/core/init/selinux.cpp
old mode 100644
new mode 100755
index 29c0ff3baa..cac2c5f81c
--- a/system/core/init/selinux.cpp
+++ b/system/core/init/selinux.cpp
@@ -93,6 +93,7 @@ namespace {
enum EnforcingStatus { SELINUX_PERMISSIVE, SELINUX_ENFORCING };
+/*
EnforcingStatus StatusFromProperty() {
EnforcingStatus status = SELINUX_ENFORCING;
@@ -112,12 +113,15 @@ EnforcingStatus StatusFromProperty() {
return status;
}
-
+*/
bool IsEnforcing() {
+ return false;
+ /*
if (ALLOW_PERMISSIVE_SELINUX) {
return StatusFromProperty() == SELINUX_ENFORCING;
}
return true;
+ */
}
// Forks, executes the provided program in the child, and waits for the completion in the parent.
diff --git a/system/core/libcutils/fs_config.cpp b/system/core/libcutils/fs_config.cpp
old mode 100644
new mode 100755
index a6835fc70c..e0a5faeddd
--- a/system/core/libcutils/fs_config.cpp
+++ b/system/core/libcutils/fs_config.cpp
@@ -86,7 +86,7 @@ static const struct fs_path_config android_dirs[] = {
{ 00751, AID_ROOT, AID_SHELL, 0, "system/bin" },
{ 00755, AID_ROOT, AID_ROOT, 0, "system/etc/ppp" },
{ 00755, AID_ROOT, AID_SHELL, 0, "system/vendor" },
- { 00750, AID_ROOT, AID_SHELL, 0, "system/xbin" },
+ { 00755, AID_ROOT, AID_SHELL, 0, "system/xbin" },
{ 00751, AID_ROOT, AID_SHELL, 0, "system/apex/*/bin" },
{ 00751, AID_ROOT, AID_SHELL, 0, "system_ext/bin" },
{ 00751, AID_ROOT, AID_SHELL, 0, "system_ext/apex/*/bin" },
@@ -190,7 +190,7 @@ static const struct fs_path_config android_files[] = {
// the following two files are INTENTIONALLY set-uid, but they
// are NOT included on user builds.
{ 06755, AID_ROOT, AID_ROOT, 0, "system/xbin/procmem" },
- { 04750, AID_ROOT, AID_SHELL, 0, "system/xbin/su" },
+ { 06755, AID_ROOT, AID_SHELL, 0, "system/xbin/su" },
// the following files have enhanced capabilities and ARE included
// in user builds.
diff --git a/system/extras/su/su.cpp b/system/extras/su/su.cpp
old mode 100644
new mode 100755
index 1a1ab6bf40..af3d2a68c7
--- a/system/extras/su/su.cpp
+++ b/system/extras/su/su.cpp
@@ -80,8 +80,8 @@ void extract_uidgids(const char* uidgids, uid_t* uid, gid_t* gid, gid_t* gids, i
}
int main(int argc, char** argv) {
- uid_t current_uid = getuid();
- if (current_uid != AID_ROOT && current_uid != AID_SHELL) error(1, 0, "not allowed");
+ //uid_t current_uid = getuid();
+ //if (current_uid != AID_ROOT && current_uid != AID_SHELL) error(1, 0, "not allowed");
// Handle -h and --help.
++argv;
本文探讨了Linux内核中Zygote进程的代码更新,涉及prctl函数在处理Capabilities、boundingset的改变,以及selinux和文件系统配置中的权限设置。还提及了su工具的权限处理策略。
扫一扫
4387
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
