Skip to content
Commit 0268f76e authored by John Stultz's avatar John Stultz Committed by Dmitry Shmidt
Browse files

ANDROID: commoncap: Begin to warn users of implicit PARANOID_NETWORK capability grants



CAP_NET_ADMIN and CAP_NET_RAW are implicity granted to the "special"
Android groups net_admin and net_raw.

This is a byproduct of the init system not being able to specify
capabilities back in the day, but has now been resolved and .rc files
can explictly specify the capabilities to be granted to a service.

Thus, we should start to remove this implict capability grant, and the
first step is to warn when a process doesn't have explicit capablity
but is a member of the implicitly granted group, when that capability
is checked.

This will allow for the PARANOID_NETWORK checks in commoncap.c to
be totally removed in a future kernel.

Change-Id: I6dac90e23608b6dba14a8f2049ba29ae56cb7ae4
Signed-off-by: default avatarJohn Stultz <john.stultz@linaro.org>
parent 5316da5f
Loading
Loading
Loading
Loading
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment