POSIX capabilities are pieces of root privilege, for instance
CAP_SYS_NICE to set priority on other tasks and CAP_SYS_TIME
to set system time. See
http://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.4/capfaq-0.2.txt
for more information.

A task's capabilities are set when it executes a new file, and
when it explicitly changes them (see capset(2)). After exec,
the task's new capabilities are a function of its previous
capabilities and the file's capabilities:

    pI' = pI
    pP' = fP | (fI & pI)
    pE' = fE ? pP' : 0

Where pX is capability set X for process p before exec, pX' is
capability set X for process p after exec, and fX is file
capability set X. The capability sets are I for inheritable,
P for permitted, and E for effective. Note that fE is a
boolean rather than a set.

File capabilities are stored in extended attributes named
'security.capability'. Setting this xattr requires the
CAP_SETFCAP capability when the capability security module is
loaded, or CAP_SYS_ADMIN when it is not.

The following tests are implemented here:

inh_capped: check whether a process without CAP_SETPCAP
    is properly prohibited from raising bits in its
    inheritable set using setcap.

verify_caps_exec:
    1. check that privilege is needed to set file capabilities
    2. check that pI', pP', and pE' are properly
       calculated upon exec.

The underlying kernel needs to be built with the following options for filecaps testing:
CONFIG_SECURITY_CAPABILITIES=y
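The two pieces above fit together: the 'security.capability' xattr carries fP, fI and the fE flag, and the exec formula turns them into the new task sets. The following C program is an added example, not part of this README or of the LTP test sources. It decodes a hand-constructed revision-2 'security.capability' blob (layout and capability numbers as in <linux/capability.h>: a little-endian header word with the revision in the top byte and the effective flag in bit 0, then {permitted, inheritable} pairs for capability bits 0-31 and 32-63) and applies the README's three equations to it. The struct and function names are this example's own. It follows the README formula exactly; newer kernels additionally AND fP with the task's bounding set and OR in the ambient set, which this example deliberately leaves out.

```c
/* Added example (not LTP code): decode a constructed 'security.capability'
 * v2 xattr into fP, fI, fE and apply the exec transition from the README:
 *     pI' = pI
 *     pP' = fP | (fI & pI)
 *     pE' = fE ? pP' : 0
 * Capability numbers and the blob layout follow <linux/capability.h>; the
 * blob itself is constructed by hand here, not read from a filesystem. */
#include <stdint.h>
#include <stdio.h>

#define CAP_SYS_NICE 23
#define CAP_SYS_TIME 25
#define CAP_SETFCAP  31
#define CAP_BIT(c)   ((uint64_t)1 << (c))

/* struct vfs_cap_data, revision 2: u32 magic_etc, then data[2] of
 * {u32 permitted; u32 inheritable;} for cap bits 0-31 and 32-63. */
#define VFS_CAP_REVISION_MASK   0xFF000000u
#define VFS_CAP_REVISION_2      0x02000000u
#define VFS_CAP_FLAGS_EFFECTIVE 0x00000001u
#define VFS_CAP_V2_SIZE         20

struct filecaps { uint64_t fP, fI; int fE; };   /* fE is a boolean, as in the README */
struct taskcaps { uint64_t pI, pP, pE; };

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 0 on success, -1 if the blob is not a well-formed v2 xattr
 * (wrong length or wrong revision byte). */
int decode_filecaps_v2(const uint8_t *blob, size_t len, struct filecaps *out)
{
    if (len != VFS_CAP_V2_SIZE)
        return -1;
    uint32_t magic = le32(blob);
    if ((magic & VFS_CAP_REVISION_MASK) != VFS_CAP_REVISION_2)
        return -1;
    out->fE = (magic & VFS_CAP_FLAGS_EFFECTIVE) != 0;
    out->fP = (uint64_t)le32(blob + 4) | (uint64_t)le32(blob + 12) << 32;
    out->fI = (uint64_t)le32(blob + 8) | (uint64_t)le32(blob + 16) << 32;
    return 0;
}

/* The README's exec transition, written with the same symbols. */
struct taskcaps caps_after_exec(struct taskcaps p, struct filecaps f)
{
    struct taskcaps n;
    n.pI = p.pI;
    n.pP = f.fP | (f.fI & p.pI);
    n.pE = f.fE ? n.pP : 0;
    return n;
}

/* Constructed blob: fP = {CAP_SYS_NICE}, fI = {CAP_SYS_TIME}, fE = 1.
 * 1 << 23 = 0x00800000, 1 << 25 = 0x02000000, stored little-endian. */
static const uint8_t sample_xattr[VFS_CAP_V2_SIZE] = {
    0x01, 0x00, 0x00, 0x02,   /* magic_etc = VFS_CAP_REVISION_2 | EFFECTIVE */
    0x00, 0x00, 0x80, 0x00,   /* data[0].permitted   = CAP_SYS_NICE */
    0x00, 0x00, 0x00, 0x02,   /* data[0].inheritable = CAP_SYS_TIME */
    0x00, 0x00, 0x00, 0x00,   /* data[1].permitted   (caps 32-63) */
    0x00, 0x00, 0x00, 0x00,   /* data[1].inheritable (caps 32-63) */
};

/* Decode the sample and exec it from a task whose inheritable set is
 * task_pI; returns pP'. fI only contributes bits the task already held in
 * pI, which is why inh_capped matters: raising pI is itself privileged. */
uint64_t permitted_after_exec(uint64_t task_pI)
{
    struct filecaps f;
    if (decode_filecaps_v2(sample_xattr, sizeof sample_xattr, &f) != 0)
        return 0;
    struct taskcaps p = { .pI = task_pI, .pP = 0, .pE = 0 };
    return caps_after_exec(p, f).pP;
}

int main(void)
{
    printf("pI = {}             -> pP' = 0x%016llx\n",
           (unsigned long long)permitted_after_exec(0));
    printf("pI = {CAP_SYS_TIME} -> pP' = 0x%016llx\n",
           (unsigned long long)permitted_after_exec(CAP_BIT(CAP_SYS_TIME)));
    return 0;
}
```

Running it shows the point of the inheritable rule: a task with an empty pI gets only CAP_SYS_NICE from the file, while a task already holding CAP_SYS_TIME in pI ends up with both. The decoder rejects blobs of the wrong size or revision rather than guessing, which is the check to keep if you adapt it to read real xattrs with getxattr(2).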