Hi, 

Thank you for the reply.

I want to query for and set file capabilities on an Android device. If a 
file possesses a capability, an extended attribute is set belonging to the 
"security.capability" sub-domain. 

Thus we can query for capabilities by querying for extended attributes. 
The listxattr() method is available for a device and can be used to list 
all the extended attributes associated with a file. Using this, I am unable 
to produce the same results on a Linux machine and an Android device.

Please go through the output below. The source used to generate it is 
attached. 

#################################################
Output:
################################################# 

* On a Linux machine running Ubuntu: 

1) The file setuid.c has the CAP_SETUID capability and has an extended 
attribute belonging to the user domain -- user.comment. 


$ ./a.out setuid.c 
The capability version:429392688 
------- The capability test begins ! -------------------- 
listxattr: Success 
The size of the attribute list for file setuid.c is:33 
YES!, There are attributes associated with the file: setuid.c 
The extended attribute name is:security.capability 
The extended attribute name is:user.comment 


* On an x86 Android device: 

1) The file run-as possesses the CAP_SETUID and CAP_SETGID capabilities, as 
per a reply to this post by Nick Kralevich.

/system/bin # listAttr run-as 
listAttr run-as 
The capability version:429392688 
------- The capability test begins ! -------------------- 
listxattr: Success 
The size of the attribute list for file run-as is:0 
No!, There aren't any attributes associated with the file: run-as 
/system/bin # 

The same is not listed in the program output: there is no attribute 
belonging to the security.capability sub-domain, which was the expected 
output. 

2) The file test.txt possesses the extended attribute in the user.comment 
sub-domain. 

/system/bin # listAttr /data/data/testdir/test.txt 
listAttr /data/data/testdir/test.txt 
The capability version:429392688 
------- The capability test begins ! -------------------- 
listxattr: Success 
The size of the attribute list for file /data/data/testdir/test.txt is:13 
YES!, There are attributes associated with the file: 
/data/data/testdir/test.txt 
The extended attribute name is:user.comment 
/system/bin # 

The same is listed in the program output, which is the expected output. 


################################################# 
Conclusion: 
################################################# 

These two examples make it clear that there is some problem in querying for 
the "security.capability" sub-domain on a device. It doesn't behave as 
expected.

 
Regards, 
Akhil


On Wednesday, November 13, 2013 2:02:00 AM UTC+5:30, Nick Kralevich wrote:
>
>
> Take a look at how /system/bin/run-as is handled on Android 4.3 / 4.4. 
> That program does exactly what you want to do, and uses CAP_SETUID to 
> change UIDs.
>
> Capabilities are assigned based on the contents of 
> system/core/include/private/android_filesystem_config.h . For run-as, you 
> can see the change at 
> https://android-review.googlesource.com/#/c/51945/6/include/private/android_filesystem_config.h (line 231).
>
> Android doesn't ship with the getcap / setcap command line tools. They're 
> not needed by normal programs, and it doesn't make sense to waste space to 
> ship with them.
>
> -- Nick
>
>
> On Tue, Nov 12, 2013 at 2:53 AM, Akhil Arora <arora....@gmail.com> wrote:
>
>> Hi,
>>
>> I’m trying to come up with a proof of concept to set file capabilities on 
>> Android. The capability support on Android is limited — not all APIs in the 
>> libcap2 package for Linux seem to exist.
>>
>> Are all Linux defined file capabilities supported on Android, including 
>> security? If so, how do I do the equivalent of getcap and setcap once I 
>> adb-shell into the device? The goal really is to build a simple program (for 
>> example - an executable that allows the user to change uid to root via 
>> CAP_SETUID) using the SDK/NDK tools.
>>
>> Thank you for the help.
>>  
>> -- 
>> -- 
>> unsubscribe: android-kerne...@googlegroups.com
>> website: http://groups.google.com/group/android-kernel
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "Android Linux Kernel Development" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to android-kerne...@googlegroups.com.
>> For more options, visit https://groups.google.com/groups/opt_out.
>>
>
>
>
> -- 
> Nick Kralevich | Android Security | n...@google.com | 
> 650.214.4037
>  

#include<stdio.h>
#include<sys/types.h>
#include<unistd.h>
#include<errno.h>
#include<sys/xattr.h>        /* listxattr(); <attr/xattr.h> is the older libattr spelling of the same header */
#include<sys/capability.h>   /* _LINUX_CAPABILITY_VERSION */
#include<stdlib.h>
#include<limits.h>
#include<string.h>

#define XATTR_NAME_CAPS "security.capability"

void printUsage(void){
	printf("[Usage:]\n");
	printf("./a.out <Path to a file for which the capabilities need to be queried>\n");
	exit(1);
}

int main(int argc, char *argv[]){
	if(argc<2){
		printUsage();
	}
	/* listxattr() returns ssize_t and signals failure with -1; storing it in a
	 * size_t turned -1 into SIZE_MAX and fed that to malloc() */
	ssize_t xattr_buffer_size;
	char *xattr_key_buffer=NULL;

	printf("The capability version:%d\n",_LINUX_CAPABILITY_VERSION);

	printf("-------  The capability test begins ! --------------------\n");
	/* First call with a NULL buffer only asks for the size of the name list */
	errno=0;
	xattr_buffer_size = listxattr(argv[1], NULL, 0);
	perror("listxattr");
	if(xattr_buffer_size < 0){
		/* ENOTSUP here means the filesystem or mount does not support xattrs at all */
		exit(1);
	}
	printf("The size of the attribute list for file %s is:%zd\n",argv[1],xattr_buffer_size);
	if(xattr_buffer_size > 0) {
		printf("YES!, There are attributes associated with the file: %s\n",argv[1]);
		xattr_key_buffer = malloc((size_t)xattr_buffer_size);
		if(xattr_key_buffer==NULL){
			perror("malloc");
			exit(1);
		}
		/* Second call fills the buffer with NUL-terminated attribute names */
		xattr_buffer_size = listxattr(argv[1], xattr_key_buffer, (size_t)xattr_buffer_size);
		if(xattr_buffer_size < 0){
			perror("listxattr");   /* ERANGE if the list grew between the two calls */
			free(xattr_key_buffer);
			exit(1);
		}
	}
	else{
		printf("No!, There aren't any attributes associated with the file: %s\n",argv[1]);
	}
	/* Walk the list: each name is a C string and the next one starts right after its '\0' */
	ssize_t i=0;
	while(i<xattr_buffer_size){
		const char *name = xattr_key_buffer + i;
		printf("The extended attribute name is:%s\n",name);
		i += (ssize_t)strlen(name) + 1;
	}
	free(xattr_key_buffer);
	return 0;
}
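
The program above only enumerates attribute names. As an added example (not Akhil's attached program, and not code from Nick or the Android project), the following reads security.capability by name with getxattr() and decodes the kernel's on-disk vfs_cap_data layout (revision 1: 12 bytes; revision 2: 20 bytes; revision 3: 24 bytes with a trailing rootid), so that a file's permitted/inheritable sets can be checked directly rather than inferred from listxattr() output. Asking for the attribute by name gives an independent data point: ENODATA means the attribute is genuinely absent, while ENOTSUP means the filesystem does not support xattrs. The SAMPLE_CAPS blob is constructed for the example and represents what the kernel would store for a file granted CAP_SETUID and CAP_SETGID; the constants are copied from <linux/capability.h> so the example compiles without kernel headers.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#ifdef __linux__
#include <sys/xattr.h>   /* getxattr(); both glibc and bionic ship this header */
#endif

/* Values mirrored from <linux/capability.h> */
#define VFS_CAP_REVISION_MASK   0xFF000000u
#define VFS_CAP_REVISION_1      0x01000000u   /* 12-byte payload, 32 caps   */
#define VFS_CAP_REVISION_2      0x02000000u   /* 20-byte payload, 64 caps   */
#define VFS_CAP_REVISION_3      0x03000000u   /* 24-byte payload, + rootid  */
#define VFS_CAP_FLAGS_EFFECTIVE 0x000001u
#define CAP_SETGID 6
#define CAP_SETUID 7

struct file_caps {
    uint32_t revision;
    int      effective;     /* VFS_CAP_FLAGS_EFFECTIVE bit of magic_etc */
    uint64_t permitted;
    uint64_t inheritable;
};

/* The xattr value is stored little-endian regardless of host byte order */
static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode a raw security.capability value. Returns 0 on success, -1 if the
 * revision or length is not one the kernel would have written. */
int decode_vfs_caps(const unsigned char *blob, size_t len, struct file_caps *out) {
    if (len < 4) return -1;
    uint32_t magic = le32(blob);
    uint32_t rev = magic & VFS_CAP_REVISION_MASK;
    size_t want = rev == VFS_CAP_REVISION_1 ? 12 :
                  rev == VFS_CAP_REVISION_2 ? 20 :
                  rev == VFS_CAP_REVISION_3 ? 24 : 0;
    if (want == 0 || len != want) return -1;
    out->revision = rev;
    out->effective = (magic & VFS_CAP_FLAGS_EFFECTIVE) != 0;
    out->permitted = le32(blob + 4);
    out->inheritable = le32(blob + 8);
    if (rev != VFS_CAP_REVISION_1) {          /* second 32-bit word of each set */
        out->permitted |= (uint64_t)le32(blob + 12) << 32;
        out->inheritable |= (uint64_t)le32(blob + 16) << 32;
    }
    return 0;
}

int cap_permitted(const struct file_caps *c, int cap) {
    return (int)((c->permitted >> cap) & 1);
}

/* Fetch security.capability by name. Returns 1 if decoded, 0 if the attribute
 * is absent (ENODATA), -1 on any other error (errno is left set). */
int read_file_caps(const char *path, struct file_caps *out) {
#ifdef __linux__
    unsigned char buf[24];
    ssize_t n = getxattr(path, "security.capability", buf, sizeof buf);
    if (n < 0) return errno == ENODATA ? 0 : -1;
    return decode_vfs_caps(buf, (size_t)n, out) == 0 ? 1 : -1;
#else
    (void)path; (void)out; errno = ENOTSUP; return -1;
#endif
}

/* Constructed sample: revision-2 value for a file with CAP_SETUID|CAP_SETGID
 * permitted and effective, nothing inheritable. */
static const unsigned char SAMPLE_CAPS[20] = {
    0x01, 0x00, 0x00, 0x02,   /* magic_etc = VFS_CAP_REVISION_2 | EFFECTIVE */
    0xC0, 0x00, 0x00, 0x00,   /* permitted, low word: bits 6 and 7 */
    0x00, 0x00, 0x00, 0x00,   /* inheritable, low word */
    0x00, 0x00, 0x00, 0x00,   /* permitted, high word */
    0x00, 0x00, 0x00, 0x00,   /* inheritable, high word */
};

int main(int argc, char *argv[]) {
    struct file_caps c;
    if (argc > 1) {
        int r = read_file_caps(argv[1], &c);
        if (r < 0) { perror("getxattr security.capability"); return 1; }
        if (r == 0) { printf("%s: no security.capability attribute\n", argv[1]); return 0; }
    } else if (decode_vfs_caps(SAMPLE_CAPS, sizeof SAMPLE_CAPS, &c) != 0) {
        return 1;   /* decode the constructed sample when no path is given */
    }
    printf("revision 0x%08x effective=%d permitted=0x%016llx inheritable=0x%016llx\n",
           c.revision, c.effective, (unsigned long long)c.permitted,
           (unsigned long long)c.inheritable);
    printf("CAP_SETUID permitted: %d\n", cap_permitted(&c, CAP_SETUID));
    return 0;
}
```

Run it with a path to compare against listxattr(): on the Android device a return of 0 (ENODATA) from read_file_caps() on run-as would confirm the attribute really is absent from that filesystem image, whereas a value with CAP_SETUID set would show that the name list, not the attribute, was the problem.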
