Thanks for the clarification – Yes, it is for consistency where one can access the serviceability shell either via (remote) ssh or (local) adb. Again, thanks for the information and suggestion.
Tai

From: William Roberts <[email protected]>
Date: Friday, April 24, 2015 at 2:15 PM
To: Tai Nguyen <[email protected]>
Cc: Stephen Smalley <[email protected]>, "[email protected]" <[email protected]>
Subject: Re: Permission error

On Fri, Apr 24, 2015 at 11:09 AM, Tai Nguyen (tainguye) <[email protected]> wrote:

We did verify that the setmask program run with uid 0 and with the same domain in both cases. Do you mean that although it runs as uid 0, it doesn't have those capabilities?

Once you drop you can't gain if done properly. 0, in essence, gains all capabilities. Why is ADB involved in this process of starting this, is it invoked via the shell? Is this path only on eng builds as a convenience?

Thanks

On 4/24/15, 2:00 PM, "Stephen Smalley" <[email protected]> wrote:

>On 04/24/2015 01:46 PM, Tai Nguyen (tainguye) wrote:
>> Hi Stephen,
>>
>> Can you clarify "adbd drops all capabilities from the bounding set"? Also,
>> how is it related to setmask process which has suid itself?
>
>See "Capability bounding" in
>https://source.android.com/devices/tech/security/enhancements/enhancements43.html
>
>grep PR_CAPBSET_DROP system/core/adb/*
>
>Once removed from the capability bounding set, you cannot get it back
>via exec'ing a setuid-root program. man 7 capabilities

_______________________________________________
Seandroid-list mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to [email protected].

--
Respectfully,
William C Roberts
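An added example, not part of the thread or of Android's code: a small C checker that reads the capability masks from `/proc/<pid>/status` text and reports whether a capability can still be obtained by exec'ing a setuid-root binary, which is the ssh versus adb difference discussed above. The status excerpts are constructed, the function names are hypothetical, and `CAP_SYS_ADMIN` is chosen only for illustration since the thread does not say which capability setmask needs.

```c
#include <ctype.h>
#include <linux/capability.h>  /* CAP_SYS_ADMIN and the other CAP_* numbers */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed /proc/<pid>/status excerpts (not taken from the thread). */
static const char SSH_SHELL[] =
    "Uid:\t0\t0\t0\t0\nCapInh:\t0000000000000000\nCapBnd:\t0000001fffffffff\n";
static const char ADB_SHELL[] =
    "Uid:\t2000\t2000\t2000\t2000\nCapInh:\t0000000000000000\nCapBnd:\t0000000000000000\n";

/* Read one hex mask field such as "CapBnd:"; 0 on success, -1 if absent or malformed. */
int parse_cap_field(const char *status, const char *name, uint64_t *mask)
{
    size_t n = strlen(name);
    for (const char *p = status; p && *p; p = strchr(p, '\n'), p = p ? p + 1 : NULL) {
        if (strncmp(p, name, n) != 0) continue;   /* fields start at line start */
        p += n;
        while (*p == ' ' || *p == '\t') p++;
        if (!isxdigit((unsigned char)*p)) return -1;  /* empty value: do not read next line */
        *mask = strtoull(p, NULL, 16);
        return 0;
    }
    return -1;
}

/* Can a process with this status obtain `cap` by exec'ing a setuid-root binary?
 * For a root exec the file capability sets count as all ones (capabilities(7)),
 * so P'(permitted) = P(inheritable) | P(bounding).
 * Returns 1 or 0, or -1 on a parse error or out-of-range cap. */
int obtainable_via_setuid_root(const char *status, int cap)
{
    uint64_t inh, bnd;
    if (cap < 0 || cap > 63) return -1;
    if (parse_cap_field(status, "CapInh:", &inh) || parse_cap_field(status, "CapBnd:", &bnd))
        return -1;
    return (int)(((inh | bnd) >> cap) & 1);
}

int main(void)
{
    printf("ssh: CAP_SYS_ADMIN obtainable = %d\n", obtainable_via_setuid_root(SSH_SHELL, CAP_SYS_ADMIN));
    printf("adb: CAP_SYS_ADMIN obtainable = %d\n", obtainable_via_setuid_root(ADB_SHELL, CAP_SYS_ADMIN));
    return 0;
}
```

On a device, feed it the contents of `/proc/<pid>/status` for the shell reached over each path; a differing `CapBnd` line explains why the same setuid-root binary behaves differently.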
