From b0f1540f2a1959120d1b083fa14d65f5c45335f8 Mon Sep 17 00:00:00 2001 From: Nick Kralevich Date: Fri, 29 Mar 2013 08:55:06 -0700 Subject: [PATCH] run-as: Don't require CAP_DAC_READ_SEARCH This is a partial AOSP port of Google internal change 080427e4e2b1b72718b660e16b6cf38b3a3c4e3f . Change-Id: I23a7edc808d227caf3862b035dc2ca39639d9d59 --- run-as/package.c | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/run-as/package.c b/run-as/package.c index dce132e6a..27fc1ebbb 100644 --- a/run-as/package.c +++ b/run-as/package.c @@ -80,13 +80,30 @@ map_file(const char* filename, size_t* filesize) struct stat st; size_t length = 0; void* address = NULL; + gid_t oldegid; *filesize = 0; + /* + * Temporarily switch effective GID to allow us to read + * the packages file + */ + + oldegid = getegid(); + if (setegid(AID_SYSTEM) < 0) { + return NULL; + } + /* open the file for reading */ fd = TEMP_FAILURE_RETRY(open(filename, O_RDONLY)); - if (fd < 0) + if (fd < 0) { return NULL; + } + + /* restore back to our old egid */ + if (setegid(oldegid) < 0) { + goto EXIT; + } /* get its size */ ret = TEMP_FAILURE_RETRY(fstat(fd, &st));