I did create a patch to implement the capability option; however, it doesn't
work because services are eventually started by an execve() call, which wipes
out all capabilities. In order to preserve the capabilities across the execve()
call, it looks like a much larger change is required to add file capabilities
to the executable files. It would be great if anyone knows an elegant way
to solve this issue.


On Sun, Sep 29, 2013 at 1:03 PM, Glenn Kasten <gkas...@android.com> wrote:

> init appears to have a capability option which I assume was intended to
> allow this, but it doesn't look like it was ever implemented.
>
> In a private communication with another developer, that person expressed
> reluctance to allow this feature for fear of it being used inappropriately.
>
> However if you are still really interested you could propose it on
> android-contrib@ and/or upload a CL to system/core.  I'm not sure it
> would be approved; it may be worth a try.
>
> A workaround of course is to run it as root, then it immediately drops
> its capabilities and uid.
>
>
> On Friday, September 27, 2013 6:07:22 PM UTC-7, Fei Yang wrote:
>>
>> I want to enable some capabilities for a particular service started by
>> Android init. However, all thread capabilities are cleared after execve(),
>> and it seems like the kernel determines thread capabilities in conjunction with
>> file capabilities; since the file doesn't have the capability attribute set,
>> the thread ends up with no capability set at all.
>> Does anyone know if it's possible at all to start a service with some
>> capabilities inherited after execve()?
>> Any idea is appreciated.
>>
>> -Fei
>>
>  --
> --
> unsubscribe: android-kernel+unsubscr...@googlegroups.com
> website: http://groups.google.com/group/android-kernel
> ---
> You received this message because you are subscribed to the Google Groups
> "Android Linux Kernel Development" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to android-kernel+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.
>
