From a2ceaf6b8be5cb9fdc5fa94ae628b5f617813197 Mon Sep 17 00:00:00 2001
From: Robert Sesek
Date: Wed, 21 Sep 2016 17:01:36 -0400
Subject: [PATCH] Add fs_config entries for the webview_zygote.

The webview_zygote is a non-root zygote process that creates isolated_app children for rendering web content. It needs:
- CAP_SETUID and CAP_SETGID to change the UID of the new child process.
- CAP_SETPCAP to clear the capability bounding set after forking.
Test: m
Test: angler boots
Bug: 21643067
Change-Id: I986fa04be54e812f5dd2afa14e5d2d3e474e2b10
---
 libcutils/fs_config.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/libcutils/fs_config.c b/libcutils/fs_config.c
index 99086371f..3c3ceb4a9 100644
--- a/libcutils/fs_config.c
+++ b/libcutils/fs_config.c
@@ -149,6 +149,14 @@ static const struct fs_path_config android_files[] = {
 /* Support wifi_hal_legacy administering a network interface. */
 { 00755, AID_WIFI, AID_WIFI, CAP_MASK_LONG(CAP_NET_ADMIN) | CAP_MASK_LONG(CAP_NET_RAW), "system/bin/hw/android.hardware.wifi@1.0-service" },
+ /* A non-privileged zygote that spawns isolated processes for web rendering. */
+ { 0750, AID_ROOT, AID_ROOT, CAP_MASK_LONG(CAP_SETUID) |
+ CAP_MASK_LONG(CAP_SETGID) |
+ CAP_MASK_LONG(CAP_SETPCAP), "system/bin/webview_zygote32" },
+ { 0750, AID_ROOT, AID_ROOT, CAP_MASK_LONG(CAP_SETUID) |
+ CAP_MASK_LONG(CAP_SETGID) |
+ CAP_MASK_LONG(CAP_SETPCAP), "system/bin/webview_zygote64" },
+
 { 00750, AID_ROOT, AID_ROOT, 0, "system/bin/uncrypt" },
 { 00750, AID_ROOT, AID_ROOT, 0, "system/bin/install-recovery.sh" },
 { 00755, AID_ROOT, AID_SHELL, 0, "system/bin/*" },
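Review bot: The two new webview_zygote entries write the mode as `0750` while every neighbouring entry in android_files[] (the wifi HAL line above, uncrypt and install-recovery.sh below) uses the five-digit form `00750`; the values are identical octal constants, but the mixed width reads as if a different permission were intended, so use `{ 00750, AID_ROOT, AID_ROOT, CAP_MASK_LONG(CAP_SETUID) |` for both the webview_zygote32 and webview_zygote64 rows. The comment above them should also record why each file capability is granted, since the commit message explains it but the table does not and a later reader of this list has only the code; something like `/* Non-privileged zygote for isolated web-rendering children: CAP_SETUID/CAP_SETGID to switch the child's UID/GID, CAP_SETPCAP to drop the bounding set after fork. */` keeps the justification next to the grant. The trailing empty added line before the uncrypt entry looks like a leftover; drop it unless the blank is meant to group the rows. The android_files[] array begins and ends outside this hunk.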