}
/**
- * cap_capable - Determine whether a task has a particular effective capability
+ * __cap_capable - Determine whether a task has a particular effective capability
* @cred: The credentials to use
* @ns: The user namespace in which we need the capability
* @cap: The capability to check for
* cap_has_capability() returns 0 when a task has a capability, but the
* kernel's capable() and has_capability() returns 1 for this case.
*/
-int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
+int __cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
int cap, int audit)
{
struct user_namespace *ns = targ_ns;
-#ifdef CONFIG_ANDROID_PARANOID_NETWORK
- if (cap == CAP_NET_RAW && in_egroup_p(AID_NET_RAW))
- return 0;
- if (cap == CAP_NET_ADMIN && in_egroup_p(AID_NET_ADMIN))
- return 0;
-#endif
-
/* See if cred has the capability in the target user namespace
* by examining the target user namespace and all of the target
* user namespace's parents.
/* We never get here */
}
+int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
+ int cap, int audit)
+{
+ int ret = __cap_capable(cred, targ_ns, cap, audit);
+
+#ifdef CONFIG_ANDROID_PARANOID_NETWORK
+ if (ret != 0 && cap == CAP_NET_RAW && in_egroup_p(AID_NET_RAW)) {
+ printk("Process %s granted CAP_NET_RAW from Android group net_raw.\n", current->comm);
+ printk(" Please update the .rc file to explictly set 'capabilities NET_RAW'\n");
+ printk(" Implicit grants are deprecated and will be removed in the future.\n");
+ return 0;
+ }
+ if (ret != 0 && cap == CAP_NET_ADMIN && in_egroup_p(AID_NET_ADMIN)) {
+ printk("Process %s granted CAP_NET_ADMIN from Android group net_admin.\n", current->comm);
+ printk(" Please update the .rc file to explictly set 'capabilities NET_ADMIN'\n");
+ printk(" Implicit grants are deprecated and will be removed in the future.\n");
+ return 0;
+ }
+#endif
+ return ret;
+}
/**
* cap_settime - Determine whether the current process may set the system clock
* @ts: The time to set
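Review bot: The deprecation warnings in the new `cap_capable()` wrapper use bare `printk()` with no log level and no rate limit, on a path that runs for every capability check. A process in the net_raw or net_admin group that keeps hitting the fallback can therefore flood the kernel log and push out other records. Each three-call message should become one rate-limited call, e.g. `pr_warn_ratelimited("Process %s granted CAP_NET_RAW from Android group net_raw; set 'capabilities NET_RAW' in the .rc file\n", current->comm);`, which also stops the lines interleaving with other output. Separately, `in_egroup_p()` and `current->comm` describe the calling task rather than the `cred` and `targ_ns` arguments, so the grant and the logged name may not match the credentials being checked; this looks inherited from the removed lines, but deserves a comment such as `/* Android group fallback: evaluated against current, not @cred or @targ_ns */`. The wrapper also has no kernel-doc now that the existing comment documents `__cap_capable`, and "explictly" in the message is misspelled.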