Diffstat (limited to 'cmds/installd/utils.cpp')
-rw-r--r--cmds/installd/utils.cpp23
1 files changed, 23 insertions, 0 deletions
diff --git a/cmds/installd/utils.cpp b/cmds/installd/utils.cpp
index 74ad1841a5..bbf14cb5f7 100644
--- a/cmds/installd/utils.cpp
+++ b/cmds/installd/utils.cpp
@@ -20,6 +20,7 @@
#include <fcntl.h>
#include <fts.h>
#include <stdlib.h>
+#include <sys/capability.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <sys/xattr.h>
@@ -34,6 +35,7 @@
#include <log/log.h>
#include <private/android_filesystem_config.h>
+#include "dexopt_return_codes.h"
#include "globals.h" // extern variables.
#ifndef LOG_TAG
@@ -1063,5 +1065,26 @@ bool collect_profiles(std::vector<std::string>* profiles_paths) {
}
}
+void drop_capabilities(uid_t uid) {
+ if (setgid(uid) != 0) {
+ PLOG(ERROR) << "setgid(" << uid << ") failed in installd during dexopt";
+ exit(DexoptReturnCodes::kSetGid);
+ }
+ if (setuid(uid) != 0) {
+ PLOG(ERROR) << "setuid(" << uid << ") failed in installd during dexopt";
+ exit(DexoptReturnCodes::kSetUid);
+ }
+ // drop capabilities
+ struct __user_cap_header_struct capheader;
+ struct __user_cap_data_struct capdata[2];
+ memset(&capheader, 0, sizeof(capheader));
+ memset(&capdata, 0, sizeof(capdata));
+ capheader.version = _LINUX_CAPABILITY_VERSION_3;
+ if (capset(&capheader, &capdata[0]) < 0) {
+ PLOG(ERROR) << "capset failed";
+ exit(DexoptReturnCodes::kCapSet);
+ }
+}
+
} // namespace installd
} // namespace android
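Review bot: drop_capabilities() changes the gid and uid and clears the capability sets, but it never clears supplementary groups, so any groups the calling process holds would survive the drop and could still grant group-based file access. Whether installd carries supplementary groups at this point is not visible in the hunk; if it can, call `setgroups(0, nullptr)` before `setgid(uid)`, while the process is still privileged, and handle failure like the other steps with its own log line and exit code. The function also needs a header comment stating that it terminates the process on any failure and that the gid must change before the uid, e.g. `// Drops to uid/gid |uid| and clears all capabilities; exits the process on failure.`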