Update docs around capabilities and root processes
Current documentation is misleading: if a service runs as root and doesn't specify any capabilities, then it will start with all the capabilities (note that whether it can use them is controlled by selinux).

Test: n/a
Bug: 249796710
Change-Id: I0d6a884127c6a6c5b651c1222fcf48322065daae
parent 3460b75289
commit cc0e90a964
|
@ -195,8 +195,10 @@ runs the service.
|
||||||
capability without the "CAP\_" prefix, like "NET\_ADMIN" or "SETPCAP". See
|
capability without the "CAP\_" prefix, like "NET\_ADMIN" or "SETPCAP". See
|
||||||
http://man7.org/linux/man-pages/man7/capabilities.7.html for a list of Linux
|
http://man7.org/linux/man-pages/man7/capabilities.7.html for a list of Linux
|
||||||
capabilities.
|
capabilities.
|
||||||
If no capabilities are provided, then all capabilities are removed from this service, even if it
|
If no capabilities are provided, then behaviour depends on the user the service runs under:
|
||||||
runs as root.
|
* if it's root, then the service will run with all the capabitilies (note: whether the
|
||||||
|
service can actually use them is controlled by selinux);
|
||||||
|
* otherwise all capabilities will be dropped.
|
||||||
|
|
||||||
`class <name> [ <name>\* ]`
|
`class <name> [ <name>\* ]`
|
||||||
> Specify class names for the service. All services in a
|
> Specify class names for the service. All services in a
|
||||||
|
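Review bot: The added bullet for the root case misspells "capabilities" as "capabitilies", and "selinux" is normally written "SELinux"; both are worth fixing before this lands in the README. Because the new text states that a root service with no capabilities option keeps every capability, and that SELinux policy is then the only thing limiting their use, consider adding one sentence recommending that root services list the capabilities they need explicitly, so readers do not take the full set as the intended default.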
@ -410,7 +412,7 @@ runs the service.
|
||||||
using this new mechanism, processes can use the user option to
|
using this new mechanism, processes can use the user option to
|
||||||
select their desired uid without ever running as root.
|
select their desired uid without ever running as root.
|
||||||
As of Android O, processes can also request capabilities directly in their .rc
|
As of Android O, processes can also request capabilities directly in their .rc
|
||||||
files. See the "capabilities" option below.
|
files. See the "capabilities" option above.
|
||||||
|
|
||||||
`writepid <file> [ <file>\* ]`
|
`writepid <file> [ <file>\* ]`
|
||||||
> Write the child's pid to the given files when it forks. Meant for
|
> Write the child's pid to the given files when it forks. Meant for
|
||||||
|
|
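Review bot: The changed line still uses a positional pointer ("See the "capabilities" option above"), which is the kind of reference that went stale here; linking to the option's heading or naming the section it lives in would survive future reordering of the file. Since this paragraph tells readers they can avoid running as root, a short cross-reference to the root default now documented under the capabilities option would keep the two passages consistent.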