From e9e74f3c881bd73bd86be4db8b12200a61f143e1 Mon Sep 17 00:00:00 2001 From: Nick Kralevich Date: Thu, 7 Feb 2013 14:22:12 -0800 Subject: [PATCH] Add support for filesystem capabilities. Modify android_filesystem_config.h and add a capabilities field. This field can be used to add filesystem capabilities to a particular file. Change-Id: If8953a322457ea7275aa6df75660b714e6dc678a --- cpio/mkbootfs.c | 3 +- include/private/android_filesystem_config.h | 118 ++++++++++---------- 2 files changed, 63 insertions(+), 58 deletions(-) diff --git a/cpio/mkbootfs.c b/cpio/mkbootfs.c index 323a09d6e..3569e27f4 100644 --- a/cpio/mkbootfs.c +++ b/cpio/mkbootfs.c @@ -55,6 +55,7 @@ static int total_size = 0; static void fix_stat(const char *path, struct stat *s) { + uint64_t capabilities; if (canned_config) { // Use the list of file uid/gid/modes loaded from the file // given with -f. @@ -78,7 +79,7 @@ static void fix_stat(const char *path, struct stat *s) } else { // Use the compiled-in fs_config() function. - fs_config(path, S_ISDIR(s->st_mode), &s->st_uid, &s->st_gid, &s->st_mode); + fs_config(path, S_ISDIR(s->st_mode), &s->st_uid, &s->st_gid, &s->st_mode, &capabilities); } } diff --git a/include/private/android_filesystem_config.h b/include/private/android_filesystem_config.h index 746bec33f..32ed170b3 100644 --- a/include/private/android_filesystem_config.h +++ b/include/private/android_filesystem_config.h @@ -25,6 +25,8 @@ #include #include #include +#include +#include /* This is the master Users and Groups config for the platform. ** DO NOT EVER RENUMBER. @@ -152,6 +154,7 @@ struct fs_path_config { unsigned mode; unsigned uid; unsigned gid; + uint64_t capabilities; const char *prefix; }; @@ -161,26 +164,26 @@ struct fs_path_config { ** way up to the root. */ -static struct fs_path_config android_dirs[] = { - { 00770, AID_SYSTEM, AID_CACHE, "cache" }, - { 00771, AID_SYSTEM, AID_SYSTEM, "data/app" }, - { 00771, AID_SYSTEM, AID_SYSTEM, "data/app-private" }, - { 00771, AID_SYSTEM, AID_SYSTEM, "data/dalvik-cache" }, - { 00771, AID_SYSTEM, AID_SYSTEM, "data/data" }, - { 00771, AID_SHELL, AID_SHELL, "data/local/tmp" }, - { 00771, AID_SHELL, AID_SHELL, "data/local" }, - { 01771, AID_SYSTEM, AID_MISC, "data/misc" }, - { 00770, AID_DHCP, AID_DHCP, "data/misc/dhcp" }, - { 00775, AID_MEDIA_RW, AID_MEDIA_RW, "data/media" }, - { 00775, AID_MEDIA_RW, AID_MEDIA_RW, "data/media/Music" }, - { 00771, AID_SYSTEM, AID_SYSTEM, "data" }, - { 00750, AID_ROOT, AID_SHELL, "sbin" }, - { 00755, AID_ROOT, AID_SHELL, "system/bin" }, - { 00755, AID_ROOT, AID_SHELL, "system/vendor" }, - { 00755, AID_ROOT, AID_SHELL, "system/xbin" }, - { 00755, AID_ROOT, AID_ROOT, "system/etc/ppp" }, - { 00777, AID_ROOT, AID_ROOT, "sdcard" }, - { 00755, AID_ROOT, AID_ROOT, 0 }, +static const struct fs_path_config android_dirs[] = { + { 00770, AID_SYSTEM, AID_CACHE, 0, "cache" }, + { 00771, AID_SYSTEM, AID_SYSTEM, 0, "data/app" }, + { 00771, AID_SYSTEM, AID_SYSTEM, 0, "data/app-private" }, + { 00771, AID_SYSTEM, AID_SYSTEM, 0, "data/dalvik-cache" }, + { 00771, AID_SYSTEM, AID_SYSTEM, 0, "data/data" }, + { 00771, AID_SHELL, AID_SHELL, 0, "data/local/tmp" }, + { 00771, AID_SHELL, AID_SHELL, 0, "data/local" }, + { 01771, AID_SYSTEM, AID_MISC, 0, "data/misc" }, + { 00770, AID_DHCP, AID_DHCP, 0, "data/misc/dhcp" }, + { 00775, AID_MEDIA_RW, AID_MEDIA_RW, 0, "data/media" }, + { 00775, AID_MEDIA_RW, AID_MEDIA_RW, 0, "data/media/Music" }, + { 00771, AID_SYSTEM, AID_SYSTEM, 0, "data" }, + { 00750, AID_ROOT, AID_SHELL, 0, "sbin" }, + { 00755, AID_ROOT, AID_SHELL, 0, "system/bin" }, + { 00755, AID_ROOT, AID_SHELL, 0, "system/vendor" }, + { 00755, AID_ROOT, AID_SHELL, 0, "system/xbin" }, + { 00755, AID_ROOT, AID_ROOT, 0, "system/etc/ppp" }, + { 00777, AID_ROOT, AID_ROOT, 0, "sdcard" }, + { 00755, AID_ROOT, AID_ROOT, 0, 0 }, }; /* Rules for files. @@ -189,53 +192,53 @@ static struct fs_path_config android_dirs[] = { ** way up to the root. Prefixes ending in * denotes wildcard ** and will allow partial matches. */ -static struct fs_path_config android_files[] = { - { 00440, AID_ROOT, AID_SHELL, "system/etc/init.goldfish.rc" }, - { 00550, AID_ROOT, AID_SHELL, "system/etc/init.goldfish.sh" }, - { 00440, AID_ROOT, AID_SHELL, "system/etc/init.trout.rc" }, - { 00550, AID_ROOT, AID_SHELL, "system/etc/init.ril" }, - { 00550, AID_ROOT, AID_SHELL, "system/etc/init.testmenu" }, - { 00550, AID_DHCP, AID_SHELL, "system/etc/dhcpcd/dhcpcd-run-hooks" }, - { 00440, AID_BLUETOOTH, AID_BLUETOOTH, "system/etc/dbus.conf" }, - { 00444, AID_RADIO, AID_AUDIO, "system/etc/AudioPara4.csv" }, - { 00555, AID_ROOT, AID_ROOT, "system/etc/ppp/*" }, - { 00555, AID_ROOT, AID_ROOT, "system/etc/rc.*" }, - { 00644, AID_SYSTEM, AID_SYSTEM, "data/app/*" }, - { 00644, AID_MEDIA_RW, AID_MEDIA_RW, "data/media/*" }, - { 00644, AID_SYSTEM, AID_SYSTEM, "data/app-private/*" }, - { 00644, AID_APP, AID_APP, "data/data/*" }, +static const struct fs_path_config android_files[] = { + { 00440, AID_ROOT, AID_SHELL, 0, "system/etc/init.goldfish.rc" }, + { 00550, AID_ROOT, AID_SHELL, 0, "system/etc/init.goldfish.sh" }, + { 00440, AID_ROOT, AID_SHELL, 0, "system/etc/init.trout.rc" }, + { 00550, AID_ROOT, AID_SHELL, 0, "system/etc/init.ril" }, + { 00550, AID_ROOT, AID_SHELL, 0, "system/etc/init.testmenu" }, + { 00550, AID_DHCP, AID_SHELL, 0, "system/etc/dhcpcd/dhcpcd-run-hooks" }, + { 00440, AID_BLUETOOTH, AID_BLUETOOTH, 0, "system/etc/dbus.conf" }, + { 00444, AID_RADIO, AID_AUDIO, 0, "system/etc/AudioPara4.csv" }, + { 00555, AID_ROOT, AID_ROOT, 0, "system/etc/ppp/*" }, + { 00555, AID_ROOT, AID_ROOT, 0, "system/etc/rc.*" }, + { 00644, AID_SYSTEM, AID_SYSTEM, 0, "data/app/*" }, + { 00644, AID_MEDIA_RW, AID_MEDIA_RW, 0, "data/media/*" }, + { 00644, AID_SYSTEM, AID_SYSTEM, 0, "data/app-private/*" }, + { 00644, AID_APP, AID_APP, 0, "data/data/*" }, /* the following two files are INTENTIONALLY set-gid and not set-uid. * Do not change. */ - { 02755, AID_ROOT, AID_NET_RAW, "system/bin/ping" }, - { 02750, AID_ROOT, AID_INET, "system/bin/netcfg" }, + { 02755, AID_ROOT, AID_NET_RAW, 0, "system/bin/ping" }, + { 02750, AID_ROOT, AID_INET, 0, "system/bin/netcfg" }, /* the following five files are INTENTIONALLY set-uid, but they * are NOT included on user builds. */ - { 06755, AID_ROOT, AID_ROOT, "system/xbin/su" }, - { 06755, AID_ROOT, AID_ROOT, "system/xbin/librank" }, - { 06755, AID_ROOT, AID_ROOT, "system/xbin/procrank" }, - { 06755, AID_ROOT, AID_ROOT, "system/xbin/procmem" }, - { 06755, AID_ROOT, AID_ROOT, "system/xbin/tcpdump" }, - { 04770, AID_ROOT, AID_RADIO, "system/bin/pppd-ril" }, + { 06755, AID_ROOT, AID_ROOT, 0, "system/xbin/su" }, + { 06755, AID_ROOT, AID_ROOT, 0, "system/xbin/librank" }, + { 06755, AID_ROOT, AID_ROOT, 0, "system/xbin/procrank" }, + { 06755, AID_ROOT, AID_ROOT, 0, "system/xbin/procmem" }, + { 06755, AID_ROOT, AID_ROOT, 0, "system/xbin/tcpdump" }, + { 04770, AID_ROOT, AID_RADIO, 0, "system/bin/pppd-ril" }, /* the following file is INTENTIONALLY set-uid, and IS included * in user builds. */ - { 06750, AID_ROOT, AID_SHELL, "system/bin/run-as" }, - { 00755, AID_ROOT, AID_SHELL, "system/bin/*" }, - { 00755, AID_ROOT, AID_ROOT, "system/lib/valgrind/*" }, - { 00755, AID_ROOT, AID_SHELL, "system/xbin/*" }, - { 00755, AID_ROOT, AID_SHELL, "system/vendor/bin/*" }, - { 00750, AID_ROOT, AID_SHELL, "sbin/*" }, - { 00755, AID_ROOT, AID_ROOT, "bin/*" }, - { 00750, AID_ROOT, AID_SHELL, "init*" }, - { 00750, AID_ROOT, AID_SHELL, "charger*" }, - { 00750, AID_ROOT, AID_SHELL, "sbin/fs_mgr" }, - { 00640, AID_ROOT, AID_SHELL, "fstab.*" }, - { 00644, AID_ROOT, AID_ROOT, 0 }, + { 06750, AID_ROOT, AID_SHELL, 0, "system/bin/run-as" }, + { 00755, AID_ROOT, AID_SHELL, 0, "system/bin/*" }, + { 00755, AID_ROOT, AID_ROOT, 0, "system/lib/valgrind/*" }, + { 00755, AID_ROOT, AID_SHELL, 0, "system/xbin/*" }, + { 00755, AID_ROOT, AID_SHELL, 0, "system/vendor/bin/*" }, + { 00750, AID_ROOT, AID_SHELL, 0, "sbin/*" }, + { 00755, AID_ROOT, AID_ROOT, 0, "bin/*" }, + { 00750, AID_ROOT, AID_SHELL, 0, "init*" }, + { 00750, AID_ROOT, AID_SHELL, 0, "charger*" }, + { 00750, AID_ROOT, AID_SHELL, 0, "sbin/fs_mgr" }, + { 00640, AID_ROOT, AID_SHELL, 0, "fstab.*" }, + { 00644, AID_ROOT, AID_ROOT, 0, 0 }, }; static inline void fs_config(const char *path, int dir, - unsigned *uid, unsigned *gid, unsigned *mode) + unsigned *uid, unsigned *gid, unsigned *mode, uint64_t *capabilities) { - struct fs_path_config *pc; + const struct fs_path_config *pc; int plen; if (path[0] == '/') { @@ -261,6 +264,7 @@ static inline void fs_config(const char *path, int dir, *uid = pc->uid; *gid = pc->gid; *mode = (*mode & (~07777)) | pc->mode; + *capabilities = pc->capabilities; #if 0 fprintf(stderr,"< '%s' '%s' %d %d %o >\n",