It looks like your copy of run-as may not have the capabilities bit set as expected. What version of Android are you running? How did you produce the system image?
run-as did not use capabilities prior to Android 4.3. If you're testing this on a 4.2 or earlier device, this is the expected results. There was a bug in 4.3 where run-as did not preserve capabilities on OTA ( https://code.google.com/p/android/issues/detail?id=58373). We explicitly check for this in CTS ( https://android.googlesource.com/platform/cts/+/1f0753d). Can you try running CTS and verify that the permissions on your run-as file are correct? I don't see anything obviously wrong with your program. make -j36 cts cts-tradefed run cts -c android.permission.cts.FileSystemPermissionTest -m testRunAsHasCorrectCapabilities On Mon, Jan 6, 2014 at 2:49 AM, Akhil Arora <arora.akhi...@gmail.com> wrote: > Hi, > > Thank you for the reply. > > I want to query for and set file capabilities on an android device. If a > file posseses a capability, an extended attribute is set belonging to the > "security.capability" sub-domain. > > Thus we can query for capabilities, by querying for extended attributes. > The listxattr() method is available for a device and can be used to list > all the extended attributes associated with > a file. I am unable to produce the same results on both a linux machine > and an android device, using this. > > Please go through output as mentioned below. The source to generate the > same is attached. > > ################################################# > Output: > ################################################# > > * On a linux machine running Ubuntu: > > 1) The file setuid.c has the CAP_SETUID capability and has an extended > attribute belonging to the user domain -- user.comment. > > > $ ./a.out setuid.c > The capability version:429392688 > ------- The capability test begins ! -------------------- > listxattr: Success > The size of the attribute list for file setuid.c is:33 > YES!, There are attributes associated with the file: setuid.c > The extended attribute name is:security.capability > The extended attribute name is:user.comment > > > * On an x86 Android device: > > 1) The file run-as possesses the CAP_SETUID and CAP_SETGID capability, > as per a reply to this post by Nick Kralevich. > > /system/bin # listAttr run-as > listAttr run-as > The capability version:429392688 > ------- The capability test begins ! -------------------- > listxattr: Success > The size of the attribute list for file run-as is:0 > No!, There aren't any attributes associated with the file: run-as > /system/bin # > > The same is not listed in the program output. In the output there is no > attribute belonging to the security.capability sub-domain, which was the > expected output. > > 2) The file test.txt possesses the extended attribute in the user.comment > sub-domain. > > /system/bin # listAttr /data/data/testdir/test.txt > listAttr /data/data/testdir/test.txt > The capability version:429392688 > ------- The capability test begins ! -------------------- > listxattr: Success > The size of the attribute list for file /data/data/testdir/test.txt is:13 > YES!, There are attributes associated with the file: > /data/data/testdir/test.txt > The extended attribute name is:user.comment > /system/bin # > > The same is listed in the program output, which is the expected output. > > > ################################################# > Conclusion: > ################################################# > > These two examples make it clear that there is some problem in querying > for the "security.capability" sub-domain on a device. It doesn't behave as > expected. > > > Regards, > Akhil > > > On Wednesday, November 13, 2013 2:02:00 AM UTC+5:30, Nick Kralevich wrote: > >> >> Take a look at how /system/bin/run-as is handled on Android 4.3 / 4.4. >> That program does exactly what you want to do, and uses CAP_SETUID to >> change UIDs. >> >> Capabilities are assigned based on the contents of >> system/core/include/private/android_filesystem_config.h . For run-as, >> you can see the change at https://android-review. >> googlesource.com/#/c/51945/6/include/private/android_filesystem_config.h >> (line >> 231). >> >> Android doesn't ship with the getcap / setcap command line tools. They're >> not needed by normal programs, and it doesn't make sense to waste space to >> ship with them. >> >> -- Nick >> >> >> On Tue, Nov 12, 2013 at 2:53 AM, Akhil Arora <arora....@gmail.com> wrote: >> >>> Hi, >>> >>> I’m trying to come up with a proof of concept to set file capabilities >>> on Android. The capability support on Android is limited — not all APIs in >>> the libcap2 package for Linux seem to exist. >>> >>> Are all Linux defined file capabilities supported on Android, including >>> security? If so, how do I do the equivalent of getcap and setcap once I >>> adb-shell into the device? The goal really is build a simple program (for >>> example - an executable that allows the user to change uid to root via >>> CAP_SETUID) using the SDK/NDK tools. >>> >>> Thank you for the help. >>> >>> -- >>> -- >>> unsubscribe: android-kerne...@googlegroups.com >>> >>> website: http://groups.google.com/group/android-kernel >>> --- >>> You received this message because you are subscribed to the Google >>> Groups "Android Linux Kernel Development" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to android-kerne...@googlegroups.com. >>> >>> For more options, visit https://groups.google.com/groups/opt_out. >>> >> >> >> >> -- >> Nick Kralevich | Android Security | n...@google.com | 650.214.4037 >> > -- > -- > unsubscribe: android-kernel+unsubscr...@googlegroups.com > website: http://groups.google.com/group/android-kernel > --- > You received this message because you are subscribed to the Google Groups > "Android Linux Kernel Development" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to android-kernel+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/groups/opt_out. > -- Nick Kralevich | Android Security | n...@google.com | 650.214.4037 -- -- unsubscribe: android-kernel+unsubscr...@googlegroups.com website: http://groups.google.com/group/android-kernel --- You received this message because you are subscribed to the Google Groups "Android Linux Kernel Development" group. To unsubscribe from this group and stop receiving emails from it, send an email to android-kernel+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.
