From aafb4e2754ad2a15fedb0efe0faf97d8c259380b Mon Sep 17 00:00:00 2001
From: Johan Redestig <johan.redestig@sonymobile.com>
Date: Wed, 30 Nov 2016 12:55:42 +0100
Subject: Use init to set capabilities

With the minijail code the groups set in the rild.rc are lost when
switching user. The reason for starting as root was to be able to set
capabilities, since that code was written init has gain the ability
to set capabilities at service declaration so use that instead so we
dont even have to start as root.

Test: cat /proc/`pgrep rild`/status
Before change:

Name:	rild
...
Uid:	1001	1001	1001	1001
Gid:	1001	1001	1001	1001
...
Groups:
...
CapInh: 0000001000003000
CapPrm: 0000001000003000
CapEff: 0000001000003000
CapBnd: 0000001000003000
CapAmb: 0000000000000000
...

After change:

Name:   rild
...
Uid:    1001    1001    1001    1001
Gid:    1001    1001    1001    1001
...
Groups: 1005 1007 2001 3003 3009 3010 9998
...
CapInh: 0000001000003000
CapPrm: 0000001000003000
CapEff: 0000001000003000
CapBnd: 0000001000003000
CapAmb: 0000001000003000
...

Bug: 33443755
Change-Id: Iac8aea697ac24417edecb4c0061e56821d3dc59e
---
 rild/Android.mk |  1 -
 rild/rild.c     | 29 -----------------------------
 rild/rild.rc    |  3 ++-
 3 files changed, 2 insertions(+), 31 deletions(-)

(limited to 'rild')

diff --git a/rild/Android.mk b/rild/Android.mk
index 37f1153..152266c 100644
--- a/rild/Android.mk
+++ b/rild/Android.mk
@@ -10,7 +10,6 @@ LOCAL_SHARED_LIBRARIES := \
 	libcutils \
 	libdl \
 	liblog \
-	libminijail \
 	libril
 
 # Temporary hack for broken vendor RILs.
diff --git a/rild/rild.c b/rild/rild.c
index dec950e..50710d6 100644
--- a/rild/rild.c
+++ b/rild/rild.c
@@ -33,7 +33,6 @@
 #include <sys/prctl.h>
 #include <sys/stat.h>
 #include <sys/types.h>
-#include <libminijail.h>
 #include <libril/ril_ex.h>
 
 #include <private/android_filesystem_config.h>
@@ -41,7 +40,6 @@
 #define LIB_PATH_PROPERTY   "rild.libpath"
 #define LIB_ARGS_PROPERTY   "rild.libargs"
 #define MAX_LIB_ARGS        16
-#define MAX_CAP_NUM         (CAP_TO_INDEX(CAP_LAST_CAP) + 1)
 
 static void usage(const char *argv0) {
     fprintf(stderr, "Usage: %s -l <ril impl library> [-- <args for impl library>]\n", argv0);
@@ -97,31 +95,6 @@ static int make_argv(char * args, char ** argv) {
     return count;
 }
 
-/*
- * switchUser - Switches UID to radio, preserving CAP_NET_ADMIN capabilities.
- * Our group, cache, was set by init.
- */
-void switchUser() {
-    char debuggable[PROP_VALUE_MAX];
-    struct minijail *j = minijail_new();
-    minijail_change_uid(j, AID_RADIO);
-    minijail_use_caps(j, CAP_MASK_LONG(CAP_BLOCK_SUSPEND) |
-                         CAP_MASK_LONG(CAP_NET_ADMIN) |
-                         CAP_MASK_LONG(CAP_NET_RAW));
-
-    minijail_enter(j);
-    minijail_destroy(j);
-
-    /*
-     * Debuggable build only:
-     * Set DUMPABLE that was cleared by setuid() to have tombstone on RIL crash
-     */
-    property_get("ro.debuggable", debuggable, "0");
-    if (strcmp(debuggable, "1") == 0) {
-        prctl(PR_SET_DUMPABLE, 1, 0, 0, 0);
-    }
-}
-
 int main(int argc, char **argv) {
     const char *rilLibPath = NULL;
     char **rilArgv;
@@ -177,8 +150,6 @@ int main(int argc, char **argv) {
         }
     }
 
-    switchUser();
-
     dlHandle = dlopen(rilLibPath, RTLD_NOW);
 
     if (dlHandle == NULL) {
diff --git a/rild/rild.rc b/rild/rild.rc
index 35b424f..a9ffe11 100644
--- a/rild/rild.rc
+++ b/rild/rild.rc
@@ -3,5 +3,6 @@ service ril-daemon /system/bin/rild
     socket rild stream 660 root radio
     socket sap_uim_socket1 stream 660 bluetooth bluetooth
     socket rild-debug stream 660 radio system
-    user root
+    user radio
     group radio cache inet misc audio log readproc wakelock
+    capabilities BLOCK_SUSPEND NET_ADMIN NET_RAW
-- 
cgit v1.2.3