)]}'
{"id":"LineageOS%2Fandroid_kernel_samsung_apq8084~192902","triplet_id":"LineageOS%2Fandroid_kernel_samsung_apq8084~lineage-15.0~I88bc5caa782dc6be23dc7e839ff8e11b9a903f8c","project":"LineageOS/android_kernel_samsung_apq8084","branch":"lineage-15.0","hashtags":[],"change_id":"I88bc5caa782dc6be23dc7e839ff8e11b9a903f8c","subject":"UPSTREAM: capabilities: ambient capabilities","status":"MERGED","created":"2017-10-11 18:34:14.000000000","updated":"2017-11-06 12:56:45.000000000","submitted":"2017-11-06 12:56:45.000000000","submitter":{"_account_id":15402,"name":"Corinna Vinschen","email":"xda@vinschen.de","username":"cvxda","avatars":[{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"total_comment_count":0,"unresolved_comment_count":0,"has_review_started":true,"submission_id":"192902-1509976605307-f4ea0b0e","meta_rev_id":"ae573d17d36424b015324aaa965b54a8b00219ed","_number":192902,"virtual_id_number":192902,"owner":{"_account_id":15402,"name":"Corinna 
Vinschen","email":"xda@vinschen.de","username":"cvxda","avatars":[{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"actions":{},"labels":{"Verified":{"approved":{"_account_id":15402,"name":"Corinna Vinschen","email":"xda@vinschen.de","username":"cvxda","avatars":[{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"all":[{"value":1,"date":"2017-11-06 12:56:45.000000000","permitted_voting_range":{"min":1,"max":1},"_account_id":15402,"name":"Corinna 
Vinschen","email":"xda@vinschen.de","username":"cvxda","avatars":[{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]}],"values":{"-1":"Fails"," 0":"No score","+1":"Verified"},"description":"","default_value":0},"Code-Review":{"approved":{"_account_id":15402,"name":"Corinna Vinschen","email":"xda@vinschen.de","username":"cvxda","avatars":[{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"all":[{"value":2,"date":"2017-11-06 12:56:45.000000000","permitted_voting_range":{"min":2,"max":2},"_account_id":15402,"name":"Corinna 
Vinschen","email":"xda@vinschen.de","username":"cvxda","avatars":[{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]}],"values":{"-2":"Do not submit","-1":"I would prefer that you didn\u0027t submit this"," 0":"No score","+1":"Looks good to me, but someone else must approve","+2":"Looks good to me, approved"},"description":"","default_value":0},"CI":{"all":[{"value":0,"_account_id":15402,"name":"Corinna Vinschen","email":"xda@vinschen.de","username":"cvxda","avatars":[{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]}],"values":{"-1":"Fail"," 0":"No score","+1":"Pass"},"description":"","default_value":0,"optional":true}},"removable_reviewers":[],"reviewers":{"REVIEWER":[{"_account_id":15402,"name":"Corinna 
Vinschen","email":"xda@vinschen.de","username":"cvxda","avatars":[{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]}]},"pending_reviewers":{},"reviewer_updates":[],"messages":[{"id":"3c37096c0d82ae2360587ce87b651d6af45efca0","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":15402,"name":"Corinna Vinschen","email":"xda@vinschen.de","username":"cvxda","avatars":[{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"date":"2017-10-11 18:34:14.000000000","message":"Uploaded patch set 1.","accounts_in_message":[],"_revision_number":1},{"id":"cd099688858ae8f8b82df6f9138b2bcb44a35b9e","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":15402,"name":"Corinna 
Vinschen","email":"xda@vinschen.de","username":"cvxda","avatars":[{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"date":"2017-10-17 12:06:17.000000000","message":"Uploaded patch set 2: Patch Set 1 was rebased.","accounts_in_message":[],"_revision_number":2},{"id":"651623f5f31e327bb27bc0a8c4cc9616cb79a89e","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":15402,"name":"Corinna Vinschen","email":"xda@vinschen.de","username":"cvxda","avatars":[{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"date":"2017-10-18 17:45:05.000000000","message":"Uploaded patch set 3: Patch Set 2 was rebased.","accounts_in_message":[],"_revision_number":3},{"id":"43be1084e53167dfca6b5ac8a1371c4e9e33e8da","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":15402,"name":"Corinna 
Vinschen","email":"xda@vinschen.de","username":"cvxda","avatars":[{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"date":"2017-10-19 05:36:39.000000000","message":"Uploaded patch set 4: Patch Set 3 was rebased.","accounts_in_message":[],"_revision_number":4},{"id":"56f2a51c5618f4963439189fa1b7351863875301","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":15402,"name":"Corinna Vinschen","email":"xda@vinschen.de","username":"cvxda","avatars":[{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"date":"2017-10-20 09:18:28.000000000","message":"Uploaded patch set 5: Patch Set 4 was rebased.","accounts_in_message":[],"_revision_number":5},{"id":"9886b1950d9662264be57af0cfa4b867bea33469","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":15402,"name":"Corinna 
Vinschen","email":"xda@vinschen.de","username":"cvxda","avatars":[{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"date":"2017-10-24 11:53:29.000000000","message":"Uploaded patch set 6: Patch Set 5 was rebased.","accounts_in_message":[],"_revision_number":6},{"id":"1b85741f75ef686ab5a5258d3475e835b3bb39f1","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":15402,"name":"Corinna Vinschen","email":"xda@vinschen.de","username":"cvxda","avatars":[{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"date":"2017-11-02 14:35:44.000000000","message":"Uploaded patch set 7: Patch Set 6 was rebased.","accounts_in_message":[],"_revision_number":7},{"id":"877e5672b71a4161f2492ef343e117ec380fd33b","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":15402,"name":"Corinna 
Vinschen","email":"xda@vinschen.de","username":"cvxda","avatars":[{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"date":"2017-11-05 15:34:00.000000000","message":"Uploaded patch set 8: Patch Set 7 was rebased.","accounts_in_message":[],"_revision_number":8},{"id":"fd8f0800c858e6c33a792f84fae5dda2fa1042d0","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":15402,"name":"Corinna Vinschen","email":"xda@vinschen.de","username":"cvxda","avatars":[{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"date":"2017-11-05 18:03:51.000000000","message":"Uploaded patch set 9: Patch Set 8 was rebased.","accounts_in_message":[],"_revision_number":9},{"id":"0179460640b5adc7e6f115a7a1cf97b6cddce632","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":15402,"name":"Corinna 
Vinschen","email":"xda@vinschen.de","username":"cvxda","avatars":[{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"date":"2017-11-06 12:55:08.000000000","message":"Uploaded patch set 10: Patch Set 9 was rebased.","accounts_in_message":[],"_revision_number":10},{"id":"1a07a711b29df6a083b2b8e925bd3cd6f90f4ba1","author":{"_account_id":15402,"name":"Corinna Vinschen","email":"xda@vinschen.de","username":"cvxda","avatars":[{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"date":"2017-11-06 12:56:45.000000000","message":"Patch Set 10: Verified+1 Code-Review+2","accounts_in_message":[],"_revision_number":10},{"id":"ae573d17d36424b015324aaa965b54a8b00219ed","tag":"autogenerated:gerrit:merged","author":{"_account_id":15402,"name":"Corinna 
Vinschen","email":"xda@vinschen.de","username":"cvxda","avatars":[{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"date":"2017-11-06 12:56:45.000000000","message":"Change has been successfully merged by Corinna Vinschen","accounts_in_message":[],"_revision_number":10}],"current_revision_number":10,"current_revision":"77e37928a74086dddf83576a5cac93c49a6e0e60","revisions":{"21d1da14c73e89267e65fd301802c0a6fda6386b":{"kind":"REWORK","_number":1,"created":"2017-10-11 18:34:14.000000000","uploader":{"_account_id":15402,"name":"Corinna Vinschen","email":"xda@vinschen.de","username":"cvxda","avatars":[{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"ref":"refs/changes/02/192902/1","fetch":{"anonymous http":{"url":"https://github.com/LineageOS/android_kernel_samsung_apq8084","ref":"refs/changes/02/192902/1","commands":{"Branch":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/1 \u0026\u0026 git checkout -b change-192902 
FETCH_HEAD","Checkout":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/1 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/1 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/1 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/1","Reset To":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/1 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"f2629dce9e87a81e981d748ec6b9a74fb2e53953","subject":"ANDROID: binder: add hwbinder,vndbinder to BINDER_DEVICES.","web_links":[{"name":"GitHub","tooltip":"Open in GitWeb","url":"https://github.com/LineageOS/android_kernel_samsung_apq8084/commit/f2629dce9e87a81e981d748ec6b9a74fb2e53953"}]}],"author":{"name":"Andy Lutomirski","email":"luto@kernel.org","date":"2015-09-04 22:42:45.000000000","tz":-420},"committer":{"name":"Corinna Vinschen","email":"xda@vinschen.de","date":"2017-10-11 20:31:47.000000000","tz":120},"subject":"UPSTREAM: capabilities: ambient capabilities","message":"UPSTREAM: capabilities: ambient capabilities\n\nCredit where credit is due: this idea comes from Christoph Lameter with\na lot of valuable input from Serge Hallyn.  This patch is heavily based\non Christoph\u0027s patch.\n\n\u003d\u003d\u003d\u003d\u003d The status quo \u003d\u003d\u003d\u003d\u003d\n\nOn Linux, there are a number of capabilities defined by the kernel.  To\nperform various privileged tasks, processes can wield capabilities that\nthey hold.\n\nEach task has four capability masks: effective (pE), permitted (pP),\ninheritable (pI), and a bounding set (X).  When the kernel checks for a\ncapability, it checks pE.  
The other capability masks serve to modify\nwhat capabilities can be in pE.\n\nAny task can remove capabilities from pE, pP, or pI at any time.  If a\ntask has a capability in pP, it can add that capability to pE and/or pI.\nIf a task has CAP_SETPCAP, then it can add any capability to pI, and it\ncan remove capabilities from X.\n\nTasks are not the only things that can have capabilities; files can also\nhave capabilities.  A file can have no capabilty information at all [1].\nIf a file has capability information, then it has a permitted mask (fP)\nand an inheritable mask (fI) as well as a single effective bit (fE) [2].\nFile capabilities modify the capabilities of tasks that execve(2) them.\n\nA task that successfully calls execve has its capabilities modified for\nthe file ultimately being excecuted (i.e.  the binary itself if that\nbinary is ELF or for the interpreter if the binary is a script.) [3] In\nthe capability evolution rules, for each mask Z, pZ represents the old\nvalue and pZ\u0027 represents the new value.  The rules are:\n\n  pP\u0027 \u003d (X \u0026 fP) | (pI \u0026 fI)\n  pI\u0027 \u003d pI\n  pE\u0027 \u003d (fE ? pP\u0027 : 0)\n  X is unchanged\n\nFor setuid binaries, fP, fI, and fE are modified by a moderately\ncomplicated set of rules that emulate POSIX behavior.  Similarly, if\neuid \u003d\u003d 0 or ruid \u003d\u003d 0, then fP, fI, and fE are modified differently\n(primary, fP and fI usually end up being the full set).  For nonroot\nusers executing binaries with neither setuid nor file caps, fI and fP\nare empty and fE is false.\n\nAs an extra complication, if you execute a process as nonroot and fE is\nset, then the \"secure exec\" rules are in effect: AT_SECURE gets set,\nLD_PRELOAD doesn\u0027t work, etc.\n\nThis is rather messy.  
We\u0027ve learned that making any changes is\ndangerous, though: if a new kernel version allows an unprivileged\nprogram to change its security state in a way that persists cross\nexecution of a setuid program or a program with file caps, this\npersistent state is surprisingly likely to allow setuid or file-capped\nprograms to be exploited for privilege escalation.\n\n\u003d\u003d\u003d\u003d\u003d The problem \u003d\u003d\u003d\u003d\u003d\n\nCapability inheritance is basically useless.\n\nIf you aren\u0027t root and you execute an ordinary binary, fI is zero, so\nyour capabilities have no effect whatsoever on pP\u0027.  This means that you\ncan\u0027t usefully execute a helper process or a shell command with elevated\ncapabilities if you aren\u0027t root.\n\nOn current kernels, you can sort of work around this by setting fI to\nthe full set for most or all non-setuid executable files.  This causes\npP\u0027 \u003d pI for nonroot, and inheritance works.  No one does this because\nit\u0027s a PITA and it isn\u0027t even supported on most filesystems.\n\nIf you try this, you\u0027ll discover that every nonroot program ends up with\nsecure exec rules, breaking many things.\n\nThis is a problem that has bitten many people who have tried to use\ncapabilities for anything useful.\n\n\u003d\u003d\u003d\u003d\u003d The proposed change \u003d\u003d\u003d\u003d\u003d\n\nThis patch adds a fifth capability mask called the ambient mask (pA).\npA does what most people expect pI to do.\n\npA obeys the invariant that no bit can ever be set in pA if it is not\nset in both pP and pI.  Dropping a bit from pP or pI drops that bit from\npA.  This ensures that existing programs that try to drop capabilities\nstill do so, with a complication.  Because capability inheritance is so\nbroken, setting KEEPCAPS, using setresuid to switch to nonroot uids, and\nthen calling execve effectively drops capabilities.  
Therefore,\nsetresuid from root to nonroot conditionally clears pA unless\nSECBIT_NO_SETUID_FIXUP is set.  Processes that don\u0027t like this can\nre-add bits to pA afterwards.\n\nThe capability evolution rules are changed:\n\n  pA\u0027 \u003d (file caps or setuid or setgid ? 0 : pA)\n  pP\u0027 \u003d (X \u0026 fP) | (pI \u0026 fI) | pA\u0027\n  pI\u0027 \u003d pI\n  pE\u0027 \u003d (fE ? pP\u0027 : pA\u0027)\n  X is unchanged\n\nIf you are nonroot but you have a capability, you can add it to pA.  If\nyou do so, your children get that capability in pA, pP, and pE.  For\nexample, you can set pA \u003d CAP_NET_BIND_SERVICE, and your children can\nautomatically bind low-numbered ports.  Hallelujah!\n\nUnprivileged users can create user namespaces, map themselves to a\nnonzero uid, and create both privileged (relative to their namespace)\nand unprivileged process trees.  This is currently more or less\nimpossible.  Hallelujah!\n\nYou cannot use pA to try to subvert a setuid, setgid, or file-capped\nprogram: if you execute any such program, pA gets cleared and the\nresulting evolution rules are unchanged by this patch.\n\nUsers with nonzero pA are unlikely to unintentionally leak that\ncapability.  If they run programs that try to drop privileges, dropping\nprivileges will still work.\n\nIt\u0027s worth noting that the degree of paranoia in this patch could\npossibly be reduced without causing serious problems.  Specifically, if\nwe allowed pA to persist across executing non-pA-aware setuid binaries\nand across setresuid, then, naively, the only capabilities that could\nleak as a result would be the capabilities in pA, and any attacker\n*already* has those capabilities.  This would make me nervous, though --\nsetuid binaries that tried to privilege-separate might fail to do so,\nand putting CAP_DAC_READ_SEARCH or CAP_DAC_OVERRIDE into pA could have\nunexpected side effects.  (Whether these unexpected side effects would\nbe exploitable is an open question.) 
I\u0027ve therefore taken the more\nparanoid route.  We can revisit this later.\n\nAn alternative would be to require PR_SET_NO_NEW_PRIVS before setting\nambient capabilities.  I think that this would be annoying and would\nmake granting otherwise unprivileged users minor ambient capabilities\n(CAP_NET_BIND_SERVICE or CAP_NET_RAW for example) much less useful than\nit is with this patch.\n\n\u003d\u003d\u003d\u003d\u003d Footnotes \u003d\u003d\u003d\u003d\u003d\n\n[1] Files that are missing the \"security.capability\" xattr or that have\nunrecognized values for that xattr end up with has_cap set to false.\nThe code that does that appears to be complicated for no good reason.\n\n[2] The libcap capability mask parsers and formatters are dangerously\nmisleading and the documentation is flat-out wrong.  fE is *not* a mask;\nit\u0027s a single bit.  This has probably confused every single person who\nhas tried to use file capabilities.\n\n[3] Linux very confusingly processes both the script and the interpreter\nif applicable, for reasons that elude me.  The results from thinking\nabout a script\u0027s file capabilities and/or setuid bits are mostly\ndiscarded.\n\nPreliminary userspace code is here, but it needs updating:\nhttps://git.kernel.org/cgit/linux/kernel/git/luto/util-linux-playground.git/commit/?h\u003dcap_ambient\u0026id\u003d7f5afbd175d2\n\nHere is a test program that can be used to verify the functionality\n(from Christoph):\n\n/*\n * Test program for the ambient capabilities. 
This program spawns a shell\n * that allows running processes with a defined set of capabilities.\n *\n * (C) 2015 Christoph Lameter \u003ccl@linux.com\u003e\n * Released under: GPL v3 or later.\n *\n *\n * Compile using:\n *\n *\tgcc -o ambient_test ambient_test.o -lcap-ng\n *\n * This program must have the following capabilities to run properly:\n * Permissions for CAP_NET_RAW, CAP_NET_ADMIN, CAP_SYS_NICE\n *\n * A command to equip the binary with the right caps is:\n *\n *\tsetcap cap_net_raw,cap_net_admin,cap_sys_nice+p ambient_test\n *\n *\n * To get a shell with additional caps that can be inherited by other processes:\n *\n *\t./ambient_test /bin/bash\n *\n *\n * Verifying that it works:\n *\n * From the bash spawed by ambient_test run\n *\n *\tcat /proc/$$/status\n *\n * and have a look at the capabilities.\n */\n\n/*\n * Definitions from the kernel header files. These are going to be removed\n * when the /usr/include files have these defined.\n */\n\nstatic void set_ambient_cap(int cap)\n{\n\tint rc;\n\n\tcapng_get_caps_process();\n\trc \u003d capng_update(CAPNG_ADD, CAPNG_INHERITABLE, cap);\n\tif (rc) {\n\t\tprintf(\"Cannot add inheritable cap\\n\");\n\t\texit(2);\n\t}\n\tcapng_apply(CAPNG_SELECT_CAPS);\n\n\t/* Note the two 0s at the end. Kernel checks for these */\n\tif (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0)) {\n\t\tperror(\"Cannot set cap\");\n\t\texit(1);\n\t}\n}\n\nint main(int argc, char **argv)\n{\n\tint rc;\n\n\tset_ambient_cap(CAP_NET_RAW);\n\tset_ambient_cap(CAP_NET_ADMIN);\n\tset_ambient_cap(CAP_SYS_NICE);\n\n\tprintf(\"Ambient_test forking shell\\n\");\n\tif (execv(argv[1], argv + 1))\n\t\tperror(\"Cannot exec\");\n\n\treturn 0;\n}\n\nSigned-off-by: Christoph Lameter \u003ccl@linux.com\u003e # Original author\nSigned-off-by: Andy Lutomirski \u003cluto@kernel.org\u003e\nAcked-by: Serge E. 
Hallyn \u003cserge.hallyn@ubuntu.com\u003e\nAcked-by: Kees Cook \u003ckeescook@chromium.org\u003e\nCc: Jonathan Corbet \u003ccorbet@lwn.net\u003e\nCc: Aaron Jones \u003caaronmdjones@gmail.com\u003e\nCc: Ted Ts\u0027o \u003ctytso@mit.edu\u003e\nCc: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nCc: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nCc: Austin S Hemmelgarn \u003cahferroin7@gmail.com\u003e\nCc: Markku Savela \u003cmsa@moth.iki.fi\u003e\nCc: Jarkko Sakkinen \u003cjarkko.sakkinen@linux.intel.com\u003e\nCc: Michael Kerrisk \u003cmtk.manpages@gmail.com\u003e\nCc: James Morris \u003cjames.l.morris@oracle.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n(cherry picked from commit 58319057b7847667f0c9585b9de0e8932b0fdb08)\n\nBug: 31038224\nChange-Id: I88bc5caa782dc6be23dc7e839ff8e11b9a903f8c\nSigned-off-by: Jorge Lucangeli Obes \u003cjorgelo@google.com\u003e\n","web_links":[{"name":"GitHub","tooltip":"Open in GitWeb","url":"https://github.com/LineageOS/android_kernel_samsung_apq8084/commit/21d1da14c73e89267e65fd301802c0a6fda6386b"}],"resolve_conflicts_web_links":[{"name":"GitHub","tooltip":"Open in GitWeb","url":"https://github.com/LineageOS/android_kernel_samsung_apq8084/commit/21d1da14c73e89267e65fd301802c0a6fda6386b"}]},"parents_data":[{"branch_name":"refs/heads/lineage-15.0","commit_id":"f2629dce9e87a81e981d748ec6b9a74fb2e53953","is_merged_in_target_branch":false,"change_id":"I8f24e1e9f87a6773bd84fb9f173a3725c376c692","change_number":192901,"patch_set_number":1,"change_status":"MERGED"}],"branch":"refs/heads/lineage-15.0"},"f8e0d10e6de64824c02b82a63769d94945ae24a4":{"kind":"TRIVIAL_REBASE","_number":2,"created":"2017-10-17 12:06:17.000000000","uploader":{"_account_id":15402,"name":"Corinna 
Vinschen","email":"xda@vinschen.de","username":"cvxda","avatars":[{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"ref":"refs/changes/02/192902/2","fetch":{"anonymous http":{"url":"https://github.com/LineageOS/android_kernel_samsung_apq8084","ref":"refs/changes/02/192902/2","commands":{"Branch":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/2 \u0026\u0026 git checkout -b change-192902 FETCH_HEAD","Checkout":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/2 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/2 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/2 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/2","Reset To":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/2 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"bdbec4360fd7ef717ea56b2abcef59e4ca131ea3","subject":"ANDROID: binder: add hwbinder,vndbinder to BINDER_DEVICES.","web_links":[{"name":"GitHub","tooltip":"Open in 
GitWeb","url":"https://github.com/LineageOS/android_kernel_samsung_apq8084/commit/bdbec4360fd7ef717ea56b2abcef59e4ca131ea3"}]}],"author":{"name":"Andy Lutomirski","email":"luto@kernel.org","date":"2015-09-04 22:42:45.000000000","tz":-420},"committer":{"name":"Corinna Vinschen","email":"xda@vinschen.de","date":"2017-10-17 13:28:59.000000000","tz":120},"subject":"UPSTREAM: capabilities: ambient capabilities","message":"UPSTREAM: capabilities: ambient capabilities\n\nCredit where credit is due: this idea comes from Christoph Lameter with\na lot of valuable input from Serge Hallyn.  This patch is heavily based\non Christoph\u0027s patch.\n\n\u003d\u003d\u003d\u003d\u003d The status quo \u003d\u003d\u003d\u003d\u003d\n\nOn Linux, there are a number of capabilities defined by the kernel.  To\nperform various privileged tasks, processes can wield capabilities that\nthey hold.\n\nEach task has four capability masks: effective (pE), permitted (pP),\ninheritable (pI), and a bounding set (X).  When the kernel checks for a\ncapability, it checks pE.  The other capability masks serve to modify\nwhat capabilities can be in pE.\n\nAny task can remove capabilities from pE, pP, or pI at any time.  If a\ntask has a capability in pP, it can add that capability to pE and/or pI.\nIf a task has CAP_SETPCAP, then it can add any capability to pI, and it\ncan remove capabilities from X.\n\nTasks are not the only things that can have capabilities; files can also\nhave capabilities.  A file can have no capabilty information at all [1].\nIf a file has capability information, then it has a permitted mask (fP)\nand an inheritable mask (fI) as well as a single effective bit (fE) [2].\nFile capabilities modify the capabilities of tasks that execve(2) them.\n\nA task that successfully calls execve has its capabilities modified for\nthe file ultimately being excecuted (i.e.  the binary itself if that\nbinary is ELF or for the interpreter if the binary is a script.) 
[3] In\nthe capability evolution rules, for each mask Z, pZ represents the old\nvalue and pZ\u0027 represents the new value.  The rules are:\n\n  pP\u0027 \u003d (X \u0026 fP) | (pI \u0026 fI)\n  pI\u0027 \u003d pI\n  pE\u0027 \u003d (fE ? pP\u0027 : 0)\n  X is unchanged\n\nFor setuid binaries, fP, fI, and fE are modified by a moderately\ncomplicated set of rules that emulate POSIX behavior.  Similarly, if\neuid \u003d\u003d 0 or ruid \u003d\u003d 0, then fP, fI, and fE are modified differently\n(primary, fP and fI usually end up being the full set).  For nonroot\nusers executing binaries with neither setuid nor file caps, fI and fP\nare empty and fE is false.\n\nAs an extra complication, if you execute a process as nonroot and fE is\nset, then the \"secure exec\" rules are in effect: AT_SECURE gets set,\nLD_PRELOAD doesn\u0027t work, etc.\n\nThis is rather messy.  We\u0027ve learned that making any changes is\ndangerous, though: if a new kernel version allows an unprivileged\nprogram to change its security state in a way that persists cross\nexecution of a setuid program or a program with file caps, this\npersistent state is surprisingly likely to allow setuid or file-capped\nprograms to be exploited for privilege escalation.\n\n\u003d\u003d\u003d\u003d\u003d The problem \u003d\u003d\u003d\u003d\u003d\n\nCapability inheritance is basically useless.\n\nIf you aren\u0027t root and you execute an ordinary binary, fI is zero, so\nyour capabilities have no effect whatsoever on pP\u0027.  This means that you\ncan\u0027t usefully execute a helper process or a shell command with elevated\ncapabilities if you aren\u0027t root.\n\nOn current kernels, you can sort of work around this by setting fI to\nthe full set for most or all non-setuid executable files.  This causes\npP\u0027 \u003d pI for nonroot, and inheritance works.  
No one does this because\nit\u0027s a PITA and it isn\u0027t even supported on most filesystems.\n\nIf you try this, you\u0027ll discover that every nonroot program ends up with\nsecure exec rules, breaking many things.\n\nThis is a problem that has bitten many people who have tried to use\ncapabilities for anything useful.\n\n\u003d\u003d\u003d\u003d\u003d The proposed change \u003d\u003d\u003d\u003d\u003d\n\nThis patch adds a fifth capability mask called the ambient mask (pA).\npA does what most people expect pI to do.\n\npA obeys the invariant that no bit can ever be set in pA if it is not\nset in both pP and pI.  Dropping a bit from pP or pI drops that bit from\npA.  This ensures that existing programs that try to drop capabilities\nstill do so, with a complication.  Because capability inheritance is so\nbroken, setting KEEPCAPS, using setresuid to switch to nonroot uids, and\nthen calling execve effectively drops capabilities.  Therefore,\nsetresuid from root to nonroot conditionally clears pA unless\nSECBIT_NO_SETUID_FIXUP is set.  Processes that don\u0027t like this can\nre-add bits to pA afterwards.\n\nThe capability evolution rules are changed:\n\n  pA\u0027 \u003d (file caps or setuid or setgid ? 0 : pA)\n  pP\u0027 \u003d (X \u0026 fP) | (pI \u0026 fI) | pA\u0027\n  pI\u0027 \u003d pI\n  pE\u0027 \u003d (fE ? pP\u0027 : pA\u0027)\n  X is unchanged\n\nIf you are nonroot but you have a capability, you can add it to pA.  If\nyou do so, your children get that capability in pA, pP, and pE.  For\nexample, you can set pA \u003d CAP_NET_BIND_SERVICE, and your children can\nautomatically bind low-numbered ports.  Hallelujah!\n\nUnprivileged users can create user namespaces, map themselves to a\nnonzero uid, and create both privileged (relative to their namespace)\nand unprivileged process trees.  This is currently more or less\nimpossible.  
Hallelujah!\n\nYou cannot use pA to try to subvert a setuid, setgid, or file-capped\nprogram: if you execute any such program, pA gets cleared and the\nresulting evolution rules are unchanged by this patch.\n\nUsers with nonzero pA are unlikely to unintentionally leak that\ncapability.  If they run programs that try to drop privileges, dropping\nprivileges will still work.\n\nIt\u0027s worth noting that the degree of paranoia in this patch could\npossibly be reduced without causing serious problems.  Specifically, if\nwe allowed pA to persist across executing non-pA-aware setuid binaries\nand across setresuid, then, naively, the only capabilities that could\nleak as a result would be the capabilities in pA, and any attacker\n*already* has those capabilities.  This would make me nervous, though --\nsetuid binaries that tried to privilege-separate might fail to do so,\nand putting CAP_DAC_READ_SEARCH or CAP_DAC_OVERRIDE into pA could have\nunexpected side effects.  (Whether these unexpected side effects would\nbe exploitable is an open question.) I\u0027ve therefore taken the more\nparanoid route.  We can revisit this later.\n\nAn alternative would be to require PR_SET_NO_NEW_PRIVS before setting\nambient capabilities.  I think that this would be annoying and would\nmake granting otherwise unprivileged users minor ambient capabilities\n(CAP_NET_BIND_SERVICE or CAP_NET_RAW for example) much less useful than\nit is with this patch.\n\n\u003d\u003d\u003d\u003d\u003d Footnotes \u003d\u003d\u003d\u003d\u003d\n\n[1] Files that are missing the \"security.capability\" xattr or that have\nunrecognized values for that xattr end up with has_cap set to false.\nThe code that does that appears to be complicated for no good reason.\n\n[2] The libcap capability mask parsers and formatters are dangerously\nmisleading and the documentation is flat-out wrong.  fE is *not* a mask;\nit\u0027s a single bit.  
This has probably confused every single person who\nhas tried to use file capabilities.\n\n[3] Linux very confusingly processes both the script and the interpreter\nif applicable, for reasons that elude me.  The results from thinking\nabout a script\u0027s file capabilities and/or setuid bits are mostly\ndiscarded.\n\nPreliminary userspace code is here, but it needs updating:\nhttps://git.kernel.org/cgit/linux/kernel/git/luto/util-linux-playground.git/commit/?h\u003dcap_ambient\u0026id\u003d7f5afbd175d2\n\nHere is a test program that can be used to verify the functionality\n(from Christoph):\n\n/*\n * Test program for the ambient capabilities. This program spawns a shell\n * that allows running processes with a defined set of capabilities.\n *\n * (C) 2015 Christoph Lameter \u003ccl@linux.com\u003e\n * Released under: GPL v3 or later.\n *\n *\n * Compile using:\n *\n *\tgcc -o ambient_test ambient_test.o -lcap-ng\n *\n * This program must have the following capabilities to run properly:\n * Permissions for CAP_NET_RAW, CAP_NET_ADMIN, CAP_SYS_NICE\n *\n * A command to equip the binary with the right caps is:\n *\n *\tsetcap cap_net_raw,cap_net_admin,cap_sys_nice+p ambient_test\n *\n *\n * To get a shell with additional caps that can be inherited by other processes:\n *\n *\t./ambient_test /bin/bash\n *\n *\n * Verifying that it works:\n *\n * From the bash spawed by ambient_test run\n *\n *\tcat /proc/$$/status\n *\n * and have a look at the capabilities.\n */\n\n/*\n * Definitions from the kernel header files. These are going to be removed\n * when the /usr/include files have these defined.\n */\n\nstatic void set_ambient_cap(int cap)\n{\n\tint rc;\n\n\tcapng_get_caps_process();\n\trc \u003d capng_update(CAPNG_ADD, CAPNG_INHERITABLE, cap);\n\tif (rc) {\n\t\tprintf(\"Cannot add inheritable cap\\n\");\n\t\texit(2);\n\t}\n\tcapng_apply(CAPNG_SELECT_CAPS);\n\n\t/* Note the two 0s at the end. 
Kernel checks for these */\n\tif (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0)) {\n\t\tperror(\"Cannot set cap\");\n\t\texit(1);\n\t}\n}\n\nint main(int argc, char **argv)\n{\n\tint rc;\n\n\tset_ambient_cap(CAP_NET_RAW);\n\tset_ambient_cap(CAP_NET_ADMIN);\n\tset_ambient_cap(CAP_SYS_NICE);\n\n\tprintf(\"Ambient_test forking shell\\n\");\n\tif (execv(argv[1], argv + 1))\n\t\tperror(\"Cannot exec\");\n\n\treturn 0;\n}\n\nSigned-off-by: Christoph Lameter \u003ccl@linux.com\u003e # Original author\nSigned-off-by: Andy Lutomirski \u003cluto@kernel.org\u003e\nAcked-by: Serge E. Hallyn \u003cserge.hallyn@ubuntu.com\u003e\nAcked-by: Kees Cook \u003ckeescook@chromium.org\u003e\nCc: Jonathan Corbet \u003ccorbet@lwn.net\u003e\nCc: Aaron Jones \u003caaronmdjones@gmail.com\u003e\nCc: Ted Ts\u0027o \u003ctytso@mit.edu\u003e\nCc: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nCc: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nCc: Austin S Hemmelgarn \u003cahferroin7@gmail.com\u003e\nCc: Markku Savela \u003cmsa@moth.iki.fi\u003e\nCc: Jarkko Sakkinen \u003cjarkko.sakkinen@linux.intel.com\u003e\nCc: Michael Kerrisk \u003cmtk.manpages@gmail.com\u003e\nCc: James Morris \u003cjames.l.morris@oracle.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n(cherry picked from commit 58319057b7847667f0c9585b9de0e8932b0fdb08)\n\nBug: 31038224\nChange-Id: I88bc5caa782dc6be23dc7e839ff8e11b9a903f8c\nSigned-off-by: Jorge Lucangeli Obes \u003cjorgelo@google.com\u003e\n","web_links":[{"name":"GitHub","tooltip":"Open in GitWeb","url":"https://github.com/LineageOS/android_kernel_samsung_apq8084/commit/f8e0d10e6de64824c02b82a63769d94945ae24a4"}],"resolve_conflicts_web_links":[{"name":"GitHub","tooltip":"Open in 
GitWeb","url":"https://github.com/LineageOS/android_kernel_samsung_apq8084/commit/f8e0d10e6de64824c02b82a63769d94945ae24a4"}]},"parents_data":[{"branch_name":"refs/heads/lineage-15.0","commit_id":"bdbec4360fd7ef717ea56b2abcef59e4ca131ea3","is_merged_in_target_branch":false,"change_id":"I8f24e1e9f87a6773bd84fb9f173a3725c376c692","change_number":192901,"patch_set_number":2,"change_status":"MERGED"}],"branch":"refs/heads/lineage-15.0"},"341570be503b04203fb41d0ae57eb6fbcd6e7d4d":{"kind":"TRIVIAL_REBASE","_number":3,"created":"2017-10-18 17:45:05.000000000","uploader":{"_account_id":15402,"name":"Corinna Vinschen","email":"xda@vinschen.de","username":"cvxda","avatars":[{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"ref":"refs/changes/02/192902/3","fetch":{"anonymous http":{"url":"https://github.com/LineageOS/android_kernel_samsung_apq8084","ref":"refs/changes/02/192902/3","commands":{"Branch":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/3 \u0026\u0026 git checkout -b change-192902 FETCH_HEAD","Checkout":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/3 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/3 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/3 \u0026\u0026 git 
format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/3","Reset To":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/3 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"297562e7be57c164b3c3ab20f2563ccebcd619b5","subject":"ANDROID: binder: add hwbinder,vndbinder to BINDER_DEVICES.","web_links":[{"name":"GitHub","tooltip":"Open in GitWeb","url":"https://github.com/LineageOS/android_kernel_samsung_apq8084/commit/297562e7be57c164b3c3ab20f2563ccebcd619b5"}]}],"author":{"name":"Andy Lutomirski","email":"luto@kernel.org","date":"2015-09-04 22:42:45.000000000","tz":-420},"committer":{"name":"Corinna Vinschen","email":"xda@vinschen.de","date":"2017-10-18 19:44:22.000000000","tz":120},"subject":"UPSTREAM: capabilities: ambient capabilities","message":"UPSTREAM: capabilities: ambient capabilities\n\nCredit where credit is due: this idea comes from Christoph Lameter with\na lot of valuable input from Serge Hallyn.  This patch is heavily based\non Christoph\u0027s patch.\n\n\u003d\u003d\u003d\u003d\u003d The status quo \u003d\u003d\u003d\u003d\u003d\n\nOn Linux, there are a number of capabilities defined by the kernel.  To\nperform various privileged tasks, processes can wield capabilities that\nthey hold.\n\nEach task has four capability masks: effective (pE), permitted (pP),\ninheritable (pI), and a bounding set (X).  When the kernel checks for a\ncapability, it checks pE.  The other capability masks serve to modify\nwhat capabilities can be in pE.\n\nAny task can remove capabilities from pE, pP, or pI at any time.  If a\ntask has a capability in pP, it can add that capability to pE and/or pI.\nIf a task has CAP_SETPCAP, then it can add any capability to pI, and it\ncan remove capabilities from X.\n\nTasks are not the only things that can have capabilities; files can also\nhave capabilities.  
A file can have no capabilty information at all [1].\nIf a file has capability information, then it has a permitted mask (fP)\nand an inheritable mask (fI) as well as a single effective bit (fE) [2].\nFile capabilities modify the capabilities of tasks that execve(2) them.\n\nA task that successfully calls execve has its capabilities modified for\nthe file ultimately being excecuted (i.e.  the binary itself if that\nbinary is ELF or for the interpreter if the binary is a script.) [3] In\nthe capability evolution rules, for each mask Z, pZ represents the old\nvalue and pZ\u0027 represents the new value.  The rules are:\n\n  pP\u0027 \u003d (X \u0026 fP) | (pI \u0026 fI)\n  pI\u0027 \u003d pI\n  pE\u0027 \u003d (fE ? pP\u0027 : 0)\n  X is unchanged\n\nFor setuid binaries, fP, fI, and fE are modified by a moderately\ncomplicated set of rules that emulate POSIX behavior.  Similarly, if\neuid \u003d\u003d 0 or ruid \u003d\u003d 0, then fP, fI, and fE are modified differently\n(primary, fP and fI usually end up being the full set).  For nonroot\nusers executing binaries with neither setuid nor file caps, fI and fP\nare empty and fE is false.\n\nAs an extra complication, if you execute a process as nonroot and fE is\nset, then the \"secure exec\" rules are in effect: AT_SECURE gets set,\nLD_PRELOAD doesn\u0027t work, etc.\n\nThis is rather messy.  We\u0027ve learned that making any changes is\ndangerous, though: if a new kernel version allows an unprivileged\nprogram to change its security state in a way that persists cross\nexecution of a setuid program or a program with file caps, this\npersistent state is surprisingly likely to allow setuid or file-capped\nprograms to be exploited for privilege escalation.\n\n\u003d\u003d\u003d\u003d\u003d The problem \u003d\u003d\u003d\u003d\u003d\n\nCapability inheritance is basically useless.\n\nIf you aren\u0027t root and you execute an ordinary binary, fI is zero, so\nyour capabilities have no effect whatsoever on pP\u0027.  
This means that you\ncan\u0027t usefully execute a helper process or a shell command with elevated\ncapabilities if you aren\u0027t root.\n\nOn current kernels, you can sort of work around this by setting fI to\nthe full set for most or all non-setuid executable files.  This causes\npP\u0027 \u003d pI for nonroot, and inheritance works.  No one does this because\nit\u0027s a PITA and it isn\u0027t even supported on most filesystems.\n\nIf you try this, you\u0027ll discover that every nonroot program ends up with\nsecure exec rules, breaking many things.\n\nThis is a problem that has bitten many people who have tried to use\ncapabilities for anything useful.\n\n\u003d\u003d\u003d\u003d\u003d The proposed change \u003d\u003d\u003d\u003d\u003d\n\nThis patch adds a fifth capability mask called the ambient mask (pA).\npA does what most people expect pI to do.\n\npA obeys the invariant that no bit can ever be set in pA if it is not\nset in both pP and pI.  Dropping a bit from pP or pI drops that bit from\npA.  This ensures that existing programs that try to drop capabilities\nstill do so, with a complication.  Because capability inheritance is so\nbroken, setting KEEPCAPS, using setresuid to switch to nonroot uids, and\nthen calling execve effectively drops capabilities.  Therefore,\nsetresuid from root to nonroot conditionally clears pA unless\nSECBIT_NO_SETUID_FIXUP is set.  Processes that don\u0027t like this can\nre-add bits to pA afterwards.\n\nThe capability evolution rules are changed:\n\n  pA\u0027 \u003d (file caps or setuid or setgid ? 0 : pA)\n  pP\u0027 \u003d (X \u0026 fP) | (pI \u0026 fI) | pA\u0027\n  pI\u0027 \u003d pI\n  pE\u0027 \u003d (fE ? pP\u0027 : pA\u0027)\n  X is unchanged\n\nIf you are nonroot but you have a capability, you can add it to pA.  If\nyou do so, your children get that capability in pA, pP, and pE.  For\nexample, you can set pA \u003d CAP_NET_BIND_SERVICE, and your children can\nautomatically bind low-numbered ports.  
Hallelujah!\n\nUnprivileged users can create user namespaces, map themselves to a\nnonzero uid, and create both privileged (relative to their namespace)\nand unprivileged process trees.  This is currently more or less\nimpossible.  Hallelujah!\n\nYou cannot use pA to try to subvert a setuid, setgid, or file-capped\nprogram: if you execute any such program, pA gets cleared and the\nresulting evolution rules are unchanged by this patch.\n\nUsers with nonzero pA are unlikely to unintentionally leak that\ncapability.  If they run programs that try to drop privileges, dropping\nprivileges will still work.\n\nIt\u0027s worth noting that the degree of paranoia in this patch could\npossibly be reduced without causing serious problems.  Specifically, if\nwe allowed pA to persist across executing non-pA-aware setuid binaries\nand across setresuid, then, naively, the only capabilities that could\nleak as a result would be the capabilities in pA, and any attacker\n*already* has those capabilities.  This would make me nervous, though --\nsetuid binaries that tried to privilege-separate might fail to do so,\nand putting CAP_DAC_READ_SEARCH or CAP_DAC_OVERRIDE into pA could have\nunexpected side effects.  (Whether these unexpected side effects would\nbe exploitable is an open question.) I\u0027ve therefore taken the more\nparanoid route.  We can revisit this later.\n\nAn alternative would be to require PR_SET_NO_NEW_PRIVS before setting\nambient capabilities.  
I think that this would be annoying and would\nmake granting otherwise unprivileged users minor ambient capabilities\n(CAP_NET_BIND_SERVICE or CAP_NET_RAW for example) much less useful than\nit is with this patch.\n\n\u003d\u003d\u003d\u003d\u003d Footnotes \u003d\u003d\u003d\u003d\u003d\n\n[1] Files that are missing the \"security.capability\" xattr or that have\nunrecognized values for that xattr end up with has_cap set to false.\nThe code that does that appears to be complicated for no good reason.\n\n[2] The libcap capability mask parsers and formatters are dangerously\nmisleading and the documentation is flat-out wrong.  fE is *not* a mask;\nit\u0027s a single bit.  This has probably confused every single person who\nhas tried to use file capabilities.\n\n[3] Linux very confusingly processes both the script and the interpreter\nif applicable, for reasons that elude me.  The results from thinking\nabout a script\u0027s file capabilities and/or setuid bits are mostly\ndiscarded.\n\nPreliminary userspace code is here, but it needs updating:\nhttps://git.kernel.org/cgit/linux/kernel/git/luto/util-linux-playground.git/commit/?h\u003dcap_ambient\u0026id\u003d7f5afbd175d2\n\nHere is a test program that can be used to verify the functionality\n(from Christoph):\n\n/*\n * Test program for the ambient capabilities. 
This program spawns a shell\n * that allows running processes with a defined set of capabilities.\n *\n * (C) 2015 Christoph Lameter \u003ccl@linux.com\u003e\n * Released under: GPL v3 or later.\n *\n *\n * Compile using:\n *\n *\tgcc -o ambient_test ambient_test.o -lcap-ng\n *\n * This program must have the following capabilities to run properly:\n * Permissions for CAP_NET_RAW, CAP_NET_ADMIN, CAP_SYS_NICE\n *\n * A command to equip the binary with the right caps is:\n *\n *\tsetcap cap_net_raw,cap_net_admin,cap_sys_nice+p ambient_test\n *\n *\n * To get a shell with additional caps that can be inherited by other processes:\n *\n *\t./ambient_test /bin/bash\n *\n *\n * Verifying that it works:\n *\n * From the bash spawed by ambient_test run\n *\n *\tcat /proc/$$/status\n *\n * and have a look at the capabilities.\n */\n\n/*\n * Definitions from the kernel header files. These are going to be removed\n * when the /usr/include files have these defined.\n */\n\nstatic void set_ambient_cap(int cap)\n{\n\tint rc;\n\n\tcapng_get_caps_process();\n\trc \u003d capng_update(CAPNG_ADD, CAPNG_INHERITABLE, cap);\n\tif (rc) {\n\t\tprintf(\"Cannot add inheritable cap\\n\");\n\t\texit(2);\n\t}\n\tcapng_apply(CAPNG_SELECT_CAPS);\n\n\t/* Note the two 0s at the end. Kernel checks for these */\n\tif (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0)) {\n\t\tperror(\"Cannot set cap\");\n\t\texit(1);\n\t}\n}\n\nint main(int argc, char **argv)\n{\n\tint rc;\n\n\tset_ambient_cap(CAP_NET_RAW);\n\tset_ambient_cap(CAP_NET_ADMIN);\n\tset_ambient_cap(CAP_SYS_NICE);\n\n\tprintf(\"Ambient_test forking shell\\n\");\n\tif (execv(argv[1], argv + 1))\n\t\tperror(\"Cannot exec\");\n\n\treturn 0;\n}\n\nSigned-off-by: Christoph Lameter \u003ccl@linux.com\u003e # Original author\nSigned-off-by: Andy Lutomirski \u003cluto@kernel.org\u003e\nAcked-by: Serge E. 
Hallyn \u003cserge.hallyn@ubuntu.com\u003e\nAcked-by: Kees Cook \u003ckeescook@chromium.org\u003e\nCc: Jonathan Corbet \u003ccorbet@lwn.net\u003e\nCc: Aaron Jones \u003caaronmdjones@gmail.com\u003e\nCc: Ted Ts\u0027o \u003ctytso@mit.edu\u003e\nCc: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nCc: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nCc: Austin S Hemmelgarn \u003cahferroin7@gmail.com\u003e\nCc: Markku Savela \u003cmsa@moth.iki.fi\u003e\nCc: Jarkko Sakkinen \u003cjarkko.sakkinen@linux.intel.com\u003e\nCc: Michael Kerrisk \u003cmtk.manpages@gmail.com\u003e\nCc: James Morris \u003cjames.l.morris@oracle.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n(cherry picked from commit 58319057b7847667f0c9585b9de0e8932b0fdb08)\n\nBug: 31038224\nChange-Id: I88bc5caa782dc6be23dc7e839ff8e11b9a903f8c\nSigned-off-by: Jorge Lucangeli Obes \u003cjorgelo@google.com\u003e\n","web_links":[{"name":"GitHub","tooltip":"Open in GitWeb","url":"https://github.com/LineageOS/android_kernel_samsung_apq8084/commit/341570be503b04203fb41d0ae57eb6fbcd6e7d4d"}],"resolve_conflicts_web_links":[{"name":"GitHub","tooltip":"Open in GitWeb","url":"https://github.com/LineageOS/android_kernel_samsung_apq8084/commit/341570be503b04203fb41d0ae57eb6fbcd6e7d4d"}]},"parents_data":[{"branch_name":"refs/heads/lineage-15.0","commit_id":"297562e7be57c164b3c3ab20f2563ccebcd619b5","is_merged_in_target_branch":false,"change_id":"I8f24e1e9f87a6773bd84fb9f173a3725c376c692","change_number":192901,"patch_set_number":3,"change_status":"MERGED"}],"branch":"refs/heads/lineage-15.0"},"114a2c803d041b9d2f7a2db125188a64982d7b92":{"kind":"TRIVIAL_REBASE","_number":4,"created":"2017-10-19 05:36:39.000000000","uploader":{"_account_id":15402,"name":"Corinna 
Vinschen","email":"xda@vinschen.de","username":"cvxda","avatars":[{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"ref":"refs/changes/02/192902/4","fetch":{"anonymous http":{"url":"https://github.com/LineageOS/android_kernel_samsung_apq8084","ref":"refs/changes/02/192902/4","commands":{"Branch":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/4 \u0026\u0026 git checkout -b change-192902 FETCH_HEAD","Checkout":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/4 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/4 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/4 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/4","Reset To":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/4 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"5df7ed6d7ee29f21f118e27ed4bba6c0f627001f","subject":"ANDROID: binder: add hwbinder,vndbinder to BINDER_DEVICES.","web_links":[{"name":"GitHub","tooltip":"Open in 
GitWeb","url":"https://github.com/LineageOS/android_kernel_samsung_apq8084/commit/5df7ed6d7ee29f21f118e27ed4bba6c0f627001f"}]}],"author":{"name":"Andy Lutomirski","email":"luto@kernel.org","date":"2015-09-04 22:42:45.000000000","tz":-420},"committer":{"name":"Corinna Vinschen","email":"xda@vinschen.de","date":"2017-10-19 07:35:13.000000000","tz":120},"subject":"UPSTREAM: capabilities: ambient capabilities","message":"UPSTREAM: capabilities: ambient capabilities\n\nCredit where credit is due: this idea comes from Christoph Lameter with\na lot of valuable input from Serge Hallyn.  This patch is heavily based\non Christoph\u0027s patch.\n\n\u003d\u003d\u003d\u003d\u003d The status quo \u003d\u003d\u003d\u003d\u003d\n\nOn Linux, there are a number of capabilities defined by the kernel.  To\nperform various privileged tasks, processes can wield capabilities that\nthey hold.\n\nEach task has four capability masks: effective (pE), permitted (pP),\ninheritable (pI), and a bounding set (X).  When the kernel checks for a\ncapability, it checks pE.  The other capability masks serve to modify\nwhat capabilities can be in pE.\n\nAny task can remove capabilities from pE, pP, or pI at any time.  If a\ntask has a capability in pP, it can add that capability to pE and/or pI.\nIf a task has CAP_SETPCAP, then it can add any capability to pI, and it\ncan remove capabilities from X.\n\nTasks are not the only things that can have capabilities; files can also\nhave capabilities.  A file can have no capabilty information at all [1].\nIf a file has capability information, then it has a permitted mask (fP)\nand an inheritable mask (fI) as well as a single effective bit (fE) [2].\nFile capabilities modify the capabilities of tasks that execve(2) them.\n\nA task that successfully calls execve has its capabilities modified for\nthe file ultimately being excecuted (i.e.  the binary itself if that\nbinary is ELF or for the interpreter if the binary is a script.) 
[3] In\nthe capability evolution rules, for each mask Z, pZ represents the old\nvalue and pZ\u0027 represents the new value.  The rules are:\n\n  pP\u0027 \u003d (X \u0026 fP) | (pI \u0026 fI)\n  pI\u0027 \u003d pI\n  pE\u0027 \u003d (fE ? pP\u0027 : 0)\n  X is unchanged\n\nFor setuid binaries, fP, fI, and fE are modified by a moderately\ncomplicated set of rules that emulate POSIX behavior.  Similarly, if\neuid \u003d\u003d 0 or ruid \u003d\u003d 0, then fP, fI, and fE are modified differently\n(primary, fP and fI usually end up being the full set).  For nonroot\nusers executing binaries with neither setuid nor file caps, fI and fP\nare empty and fE is false.\n\nAs an extra complication, if you execute a process as nonroot and fE is\nset, then the \"secure exec\" rules are in effect: AT_SECURE gets set,\nLD_PRELOAD doesn\u0027t work, etc.\n\nThis is rather messy.  We\u0027ve learned that making any changes is\ndangerous, though: if a new kernel version allows an unprivileged\nprogram to change its security state in a way that persists cross\nexecution of a setuid program or a program with file caps, this\npersistent state is surprisingly likely to allow setuid or file-capped\nprograms to be exploited for privilege escalation.\n\n\u003d\u003d\u003d\u003d\u003d The problem \u003d\u003d\u003d\u003d\u003d\n\nCapability inheritance is basically useless.\n\nIf you aren\u0027t root and you execute an ordinary binary, fI is zero, so\nyour capabilities have no effect whatsoever on pP\u0027.  This means that you\ncan\u0027t usefully execute a helper process or a shell command with elevated\ncapabilities if you aren\u0027t root.\n\nOn current kernels, you can sort of work around this by setting fI to\nthe full set for most or all non-setuid executable files.  This causes\npP\u0027 \u003d pI for nonroot, and inheritance works.  
No one does this because\nit\u0027s a PITA and it isn\u0027t even supported on most filesystems.\n\nIf you try this, you\u0027ll discover that every nonroot program ends up with\nsecure exec rules, breaking many things.\n\nThis is a problem that has bitten many people who have tried to use\ncapabilities for anything useful.\n\n\u003d\u003d\u003d\u003d\u003d The proposed change \u003d\u003d\u003d\u003d\u003d\n\nThis patch adds a fifth capability mask called the ambient mask (pA).\npA does what most people expect pI to do.\n\npA obeys the invariant that no bit can ever be set in pA if it is not\nset in both pP and pI.  Dropping a bit from pP or pI drops that bit from\npA.  This ensures that existing programs that try to drop capabilities\nstill do so, with a complication.  Because capability inheritance is so\nbroken, setting KEEPCAPS, using setresuid to switch to nonroot uids, and\nthen calling execve effectively drops capabilities.  Therefore,\nsetresuid from root to nonroot conditionally clears pA unless\nSECBIT_NO_SETUID_FIXUP is set.  Processes that don\u0027t like this can\nre-add bits to pA afterwards.\n\nThe capability evolution rules are changed:\n\n  pA\u0027 \u003d (file caps or setuid or setgid ? 0 : pA)\n  pP\u0027 \u003d (X \u0026 fP) | (pI \u0026 fI) | pA\u0027\n  pI\u0027 \u003d pI\n  pE\u0027 \u003d (fE ? pP\u0027 : pA\u0027)\n  X is unchanged\n\nIf you are nonroot but you have a capability, you can add it to pA.  If\nyou do so, your children get that capability in pA, pP, and pE.  For\nexample, you can set pA \u003d CAP_NET_BIND_SERVICE, and your children can\nautomatically bind low-numbered ports.  Hallelujah!\n\nUnprivileged users can create user namespaces, map themselves to a\nnonzero uid, and create both privileged (relative to their namespace)\nand unprivileged process trees.  This is currently more or less\nimpossible.  
Hallelujah!\n\nYou cannot use pA to try to subvert a setuid, setgid, or file-capped\nprogram: if you execute any such program, pA gets cleared and the\nresulting evolution rules are unchanged by this patch.\n\nUsers with nonzero pA are unlikely to unintentionally leak that\ncapability.  If they run programs that try to drop privileges, dropping\nprivileges will still work.\n\nIt\u0027s worth noting that the degree of paranoia in this patch could\npossibly be reduced without causing serious problems.  Specifically, if\nwe allowed pA to persist across executing non-pA-aware setuid binaries\nand across setresuid, then, naively, the only capabilities that could\nleak as a result would be the capabilities in pA, and any attacker\n*already* has those capabilities.  This would make me nervous, though --\nsetuid binaries that tried to privilege-separate might fail to do so,\nand putting CAP_DAC_READ_SEARCH or CAP_DAC_OVERRIDE into pA could have\nunexpected side effects.  (Whether these unexpected side effects would\nbe exploitable is an open question.) I\u0027ve therefore taken the more\nparanoid route.  We can revisit this later.\n\nAn alternative would be to require PR_SET_NO_NEW_PRIVS before setting\nambient capabilities.  I think that this would be annoying and would\nmake granting otherwise unprivileged users minor ambient capabilities\n(CAP_NET_BIND_SERVICE or CAP_NET_RAW for example) much less useful than\nit is with this patch.\n\n\u003d\u003d\u003d\u003d\u003d Footnotes \u003d\u003d\u003d\u003d\u003d\n\n[1] Files that are missing the \"security.capability\" xattr or that have\nunrecognized values for that xattr end up with has_cap set to false.\nThe code that does that appears to be complicated for no good reason.\n\n[2] The libcap capability mask parsers and formatters are dangerously\nmisleading and the documentation is flat-out wrong.  fE is *not* a mask;\nit\u0027s a single bit.  
This has probably confused every single person who\nhas tried to use file capabilities.\n\n[3] Linux very confusingly processes both the script and the interpreter\nif applicable, for reasons that elude me.  The results from thinking\nabout a script\u0027s file capabilities and/or setuid bits are mostly\ndiscarded.\n\nPreliminary userspace code is here, but it needs updating:\nhttps://git.kernel.org/cgit/linux/kernel/git/luto/util-linux-playground.git/commit/?h\u003dcap_ambient\u0026id\u003d7f5afbd175d2\n\nHere is a test program that can be used to verify the functionality\n(from Christoph):\n\n/*\n * Test program for the ambient capabilities. This program spawns a shell\n * that allows running processes with a defined set of capabilities.\n *\n * (C) 2015 Christoph Lameter \u003ccl@linux.com\u003e\n * Released under: GPL v3 or later.\n *\n *\n * Compile using:\n *\n *\tgcc -o ambient_test ambient_test.o -lcap-ng\n *\n * This program must have the following capabilities to run properly:\n * Permissions for CAP_NET_RAW, CAP_NET_ADMIN, CAP_SYS_NICE\n *\n * A command to equip the binary with the right caps is:\n *\n *\tsetcap cap_net_raw,cap_net_admin,cap_sys_nice+p ambient_test\n *\n *\n * To get a shell with additional caps that can be inherited by other processes:\n *\n *\t./ambient_test /bin/bash\n *\n *\n * Verifying that it works:\n *\n * From the bash spawed by ambient_test run\n *\n *\tcat /proc/$$/status\n *\n * and have a look at the capabilities.\n */\n\n/*\n * Definitions from the kernel header files. These are going to be removed\n * when the /usr/include files have these defined.\n */\n\nstatic void set_ambient_cap(int cap)\n{\n\tint rc;\n\n\tcapng_get_caps_process();\n\trc \u003d capng_update(CAPNG_ADD, CAPNG_INHERITABLE, cap);\n\tif (rc) {\n\t\tprintf(\"Cannot add inheritable cap\\n\");\n\t\texit(2);\n\t}\n\tcapng_apply(CAPNG_SELECT_CAPS);\n\n\t/* Note the two 0s at the end. 
Kernel checks for these */\n\tif (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0)) {\n\t\tperror(\"Cannot set cap\");\n\t\texit(1);\n\t}\n}\n\nint main(int argc, char **argv)\n{\n\tint rc;\n\n\tset_ambient_cap(CAP_NET_RAW);\n\tset_ambient_cap(CAP_NET_ADMIN);\n\tset_ambient_cap(CAP_SYS_NICE);\n\n\tprintf(\"Ambient_test forking shell\\n\");\n\tif (execv(argv[1], argv + 1))\n\t\tperror(\"Cannot exec\");\n\n\treturn 0;\n}\n\nSigned-off-by: Christoph Lameter \u003ccl@linux.com\u003e # Original author\nSigned-off-by: Andy Lutomirski \u003cluto@kernel.org\u003e\nAcked-by: Serge E. Hallyn \u003cserge.hallyn@ubuntu.com\u003e\nAcked-by: Kees Cook \u003ckeescook@chromium.org\u003e\nCc: Jonathan Corbet \u003ccorbet@lwn.net\u003e\nCc: Aaron Jones \u003caaronmdjones@gmail.com\u003e\nCc: Ted Ts\u0027o \u003ctytso@mit.edu\u003e\nCc: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nCc: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nCc: Austin S Hemmelgarn \u003cahferroin7@gmail.com\u003e\nCc: Markku Savela \u003cmsa@moth.iki.fi\u003e\nCc: Jarkko Sakkinen \u003cjarkko.sakkinen@linux.intel.com\u003e\nCc: Michael Kerrisk \u003cmtk.manpages@gmail.com\u003e\nCc: James Morris \u003cjames.l.morris@oracle.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n(cherry picked from commit 58319057b7847667f0c9585b9de0e8932b0fdb08)\n\nBug: 31038224\nChange-Id: I88bc5caa782dc6be23dc7e839ff8e11b9a903f8c\nSigned-off-by: Jorge Lucangeli Obes \u003cjorgelo@google.com\u003e\n","web_links":[{"name":"GitHub","tooltip":"Open in GitWeb","url":"https://github.com/LineageOS/android_kernel_samsung_apq8084/commit/114a2c803d041b9d2f7a2db125188a64982d7b92"}],"resolve_conflicts_web_links":[{"name":"GitHub","tooltip":"Open in 
GitWeb","url":"https://github.com/LineageOS/android_kernel_samsung_apq8084/commit/114a2c803d041b9d2f7a2db125188a64982d7b92"}]},"parents_data":[{"branch_name":"refs/heads/lineage-15.0","commit_id":"5df7ed6d7ee29f21f118e27ed4bba6c0f627001f","is_merged_in_target_branch":false,"change_id":"I8f24e1e9f87a6773bd84fb9f173a3725c376c692","change_number":192901,"patch_set_number":4,"change_status":"MERGED"}],"branch":"refs/heads/lineage-15.0"},"fdee484e4bca83ed6612a4da17bedadd765f9a11":{"kind":"TRIVIAL_REBASE","_number":5,"created":"2017-10-20 09:18:28.000000000","uploader":{"_account_id":15402,"name":"Corinna Vinschen","email":"xda@vinschen.de","username":"cvxda","avatars":[{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"ref":"refs/changes/02/192902/5","fetch":{"anonymous http":{"url":"https://github.com/LineageOS/android_kernel_samsung_apq8084","ref":"refs/changes/02/192902/5","commands":{"Branch":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/5 \u0026\u0026 git checkout -b change-192902 FETCH_HEAD","Checkout":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/5 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/5 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/5 \u0026\u0026 git 
format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/5","Reset To":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/5 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"37a8412e44ed91750de403e0f05d31551ec6e931","subject":"ANDROID: binder: add hwbinder,vndbinder to BINDER_DEVICES.","web_links":[{"name":"GitHub","tooltip":"Open in GitWeb","url":"https://github.com/LineageOS/android_kernel_samsung_apq8084/commit/37a8412e44ed91750de403e0f05d31551ec6e931"}]}],"author":{"name":"Andy Lutomirski","email":"luto@kernel.org","date":"2015-09-04 22:42:45.000000000","tz":-420},"committer":{"name":"Corinna Vinschen","email":"xda@vinschen.de","date":"2017-10-20 11:17:52.000000000","tz":120},"subject":"UPSTREAM: capabilities: ambient capabilities","message":"UPSTREAM: capabilities: ambient capabilities\n\nCredit where credit is due: this idea comes from Christoph Lameter with\na lot of valuable input from Serge Hallyn.  This patch is heavily based\non Christoph\u0027s patch.\n\n\u003d\u003d\u003d\u003d\u003d The status quo \u003d\u003d\u003d\u003d\u003d\n\nOn Linux, there are a number of capabilities defined by the kernel.  To\nperform various privileged tasks, processes can wield capabilities that\nthey hold.\n\nEach task has four capability masks: effective (pE), permitted (pP),\ninheritable (pI), and a bounding set (X).  When the kernel checks for a\ncapability, it checks pE.  The other capability masks serve to modify\nwhat capabilities can be in pE.\n\nAny task can remove capabilities from pE, pP, or pI at any time.  If a\ntask has a capability in pP, it can add that capability to pE and/or pI.\nIf a task has CAP_SETPCAP, then it can add any capability to pI, and it\ncan remove capabilities from X.\n\nTasks are not the only things that can have capabilities; files can also\nhave capabilities.  
A file can have no capability information at all [1].\nIf a file has capability information, then it has a permitted mask (fP)\nand an inheritable mask (fI) as well as a single effective bit (fE) [2].\nFile capabilities modify the capabilities of tasks that execve(2) them.\n\nA task that successfully calls execve has its capabilities modified for\nthe file ultimately being executed (i.e.  the binary itself if that\nbinary is ELF or for the interpreter if the binary is a script.) [3] In\nthe capability evolution rules, for each mask Z, pZ represents the old\nvalue and pZ\u0027 represents the new value.  The rules are:\n\n  pP\u0027 \u003d (X \u0026 fP) | (pI \u0026 fI)\n  pI\u0027 \u003d pI\n  pE\u0027 \u003d (fE ? pP\u0027 : 0)\n  X is unchanged\n\nFor setuid binaries, fP, fI, and fE are modified by a moderately\ncomplicated set of rules that emulate POSIX behavior.  Similarly, if\neuid \u003d\u003d 0 or ruid \u003d\u003d 0, then fP, fI, and fE are modified differently\n(primarily, fP and fI usually end up being the full set).  For nonroot\nusers executing binaries with neither setuid nor file caps, fI and fP\nare empty and fE is false.\n\nAs an extra complication, if you execute a process as nonroot and fE is\nset, then the \"secure exec\" rules are in effect: AT_SECURE gets set,\nLD_PRELOAD doesn\u0027t work, etc.\n\nThis is rather messy.  We\u0027ve learned that making any changes is\ndangerous, though: if a new kernel version allows an unprivileged\nprogram to change its security state in a way that persists across\nexecution of a setuid program or a program with file caps, this\npersistent state is surprisingly likely to allow setuid or file-capped\nprograms to be exploited for privilege escalation.\n\n\u003d\u003d\u003d\u003d\u003d The problem \u003d\u003d\u003d\u003d\u003d\n\nCapability inheritance is basically useless.\n\nIf you aren\u0027t root and you execute an ordinary binary, fI is zero, so\nyour capabilities have no effect whatsoever on pP\u0027.  
This means that you\ncan\u0027t usefully execute a helper process or a shell command with elevated\ncapabilities if you aren\u0027t root.\n\nOn current kernels, you can sort of work around this by setting fI to\nthe full set for most or all non-setuid executable files.  This causes\npP\u0027 \u003d pI for nonroot, and inheritance works.  No one does this because\nit\u0027s a PITA and it isn\u0027t even supported on most filesystems.\n\nIf you try this, you\u0027ll discover that every nonroot program ends up with\nsecure exec rules, breaking many things.\n\nThis is a problem that has bitten many people who have tried to use\ncapabilities for anything useful.\n\n\u003d\u003d\u003d\u003d\u003d The proposed change \u003d\u003d\u003d\u003d\u003d\n\nThis patch adds a fifth capability mask called the ambient mask (pA).\npA does what most people expect pI to do.\n\npA obeys the invariant that no bit can ever be set in pA if it is not\nset in both pP and pI.  Dropping a bit from pP or pI drops that bit from\npA.  This ensures that existing programs that try to drop capabilities\nstill do so, with a complication.  Because capability inheritance is so\nbroken, setting KEEPCAPS, using setresuid to switch to nonroot uids, and\nthen calling execve effectively drops capabilities.  Therefore,\nsetresuid from root to nonroot conditionally clears pA unless\nSECBIT_NO_SETUID_FIXUP is set.  Processes that don\u0027t like this can\nre-add bits to pA afterwards.\n\nThe capability evolution rules are changed:\n\n  pA\u0027 \u003d (file caps or setuid or setgid ? 0 : pA)\n  pP\u0027 \u003d (X \u0026 fP) | (pI \u0026 fI) | pA\u0027\n  pI\u0027 \u003d pI\n  pE\u0027 \u003d (fE ? pP\u0027 : pA\u0027)\n  X is unchanged\n\nIf you are nonroot but you have a capability, you can add it to pA.  If\nyou do so, your children get that capability in pA, pP, and pE.  For\nexample, you can set pA \u003d CAP_NET_BIND_SERVICE, and your children can\nautomatically bind low-numbered ports.  
Hallelujah!\n\nUnprivileged users can create user namespaces, map themselves to a\nnonzero uid, and create both privileged (relative to their namespace)\nand unprivileged process trees.  This is currently more or less\nimpossible.  Hallelujah!\n\nYou cannot use pA to try to subvert a setuid, setgid, or file-capped\nprogram: if you execute any such program, pA gets cleared and the\nresulting evolution rules are unchanged by this patch.\n\nUsers with nonzero pA are unlikely to unintentionally leak that\ncapability.  If they run programs that try to drop privileges, dropping\nprivileges will still work.\n\nIt\u0027s worth noting that the degree of paranoia in this patch could\npossibly be reduced without causing serious problems.  Specifically, if\nwe allowed pA to persist across executing non-pA-aware setuid binaries\nand across setresuid, then, naively, the only capabilities that could\nleak as a result would be the capabilities in pA, and any attacker\n*already* has those capabilities.  This would make me nervous, though --\nsetuid binaries that tried to privilege-separate might fail to do so,\nand putting CAP_DAC_READ_SEARCH or CAP_DAC_OVERRIDE into pA could have\nunexpected side effects.  (Whether these unexpected side effects would\nbe exploitable is an open question.) I\u0027ve therefore taken the more\nparanoid route.  We can revisit this later.\n\nAn alternative would be to require PR_SET_NO_NEW_PRIVS before setting\nambient capabilities.  
I think that this would be annoying and would\nmake granting otherwise unprivileged users minor ambient capabilities\n(CAP_NET_BIND_SERVICE or CAP_NET_RAW for example) much less useful than\nit is with this patch.\n\n\u003d\u003d\u003d\u003d\u003d Footnotes \u003d\u003d\u003d\u003d\u003d\n\n[1] Files that are missing the \"security.capability\" xattr or that have\nunrecognized values for that xattr end up with has_cap set to false.\nThe code that does that appears to be complicated for no good reason.\n\n[2] The libcap capability mask parsers and formatters are dangerously\nmisleading and the documentation is flat-out wrong.  fE is *not* a mask;\nit\u0027s a single bit.  This has probably confused every single person who\nhas tried to use file capabilities.\n\n[3] Linux very confusingly processes both the script and the interpreter\nif applicable, for reasons that elude me.  The results from thinking\nabout a script\u0027s file capabilities and/or setuid bits are mostly\ndiscarded.\n\nPreliminary userspace code is here, but it needs updating:\nhttps://git.kernel.org/cgit/linux/kernel/git/luto/util-linux-playground.git/commit/?h\u003dcap_ambient\u0026id\u003d7f5afbd175d2\n\nHere is a test program that can be used to verify the functionality\n(from Christoph):\n\n/*\n * Test program for the ambient capabilities. 
This program spawns a shell\n * that allows running processes with a defined set of capabilities.\n *\n * (C) 2015 Christoph Lameter \u003ccl@linux.com\u003e\n * Released under: GPL v3 or later.\n *\n *\n * Compile using:\n *\n *\tgcc -o ambient_test ambient_test.o -lcap-ng\n *\n * This program must have the following capabilities to run properly:\n * Permissions for CAP_NET_RAW, CAP_NET_ADMIN, CAP_SYS_NICE\n *\n * A command to equip the binary with the right caps is:\n *\n *\tsetcap cap_net_raw,cap_net_admin,cap_sys_nice+p ambient_test\n *\n *\n * To get a shell with additional caps that can be inherited by other processes:\n *\n *\t./ambient_test /bin/bash\n *\n *\n * Verifying that it works:\n *\n * From the bash spawed by ambient_test run\n *\n *\tcat /proc/$$/status\n *\n * and have a look at the capabilities.\n */\n\n/*\n * Definitions from the kernel header files. These are going to be removed\n * when the /usr/include files have these defined.\n */\n\nstatic void set_ambient_cap(int cap)\n{\n\tint rc;\n\n\tcapng_get_caps_process();\n\trc \u003d capng_update(CAPNG_ADD, CAPNG_INHERITABLE, cap);\n\tif (rc) {\n\t\tprintf(\"Cannot add inheritable cap\\n\");\n\t\texit(2);\n\t}\n\tcapng_apply(CAPNG_SELECT_CAPS);\n\n\t/* Note the two 0s at the end. Kernel checks for these */\n\tif (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0)) {\n\t\tperror(\"Cannot set cap\");\n\t\texit(1);\n\t}\n}\n\nint main(int argc, char **argv)\n{\n\tint rc;\n\n\tset_ambient_cap(CAP_NET_RAW);\n\tset_ambient_cap(CAP_NET_ADMIN);\n\tset_ambient_cap(CAP_SYS_NICE);\n\n\tprintf(\"Ambient_test forking shell\\n\");\n\tif (execv(argv[1], argv + 1))\n\t\tperror(\"Cannot exec\");\n\n\treturn 0;\n}\n\nSigned-off-by: Christoph Lameter \u003ccl@linux.com\u003e # Original author\nSigned-off-by: Andy Lutomirski \u003cluto@kernel.org\u003e\nAcked-by: Serge E. 
Hallyn \u003cserge.hallyn@ubuntu.com\u003e\nAcked-by: Kees Cook \u003ckeescook@chromium.org\u003e\nCc: Jonathan Corbet \u003ccorbet@lwn.net\u003e\nCc: Aaron Jones \u003caaronmdjones@gmail.com\u003e\nCc: Ted Ts\u0027o \u003ctytso@mit.edu\u003e\nCc: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nCc: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nCc: Austin S Hemmelgarn \u003cahferroin7@gmail.com\u003e\nCc: Markku Savela \u003cmsa@moth.iki.fi\u003e\nCc: Jarkko Sakkinen \u003cjarkko.sakkinen@linux.intel.com\u003e\nCc: Michael Kerrisk \u003cmtk.manpages@gmail.com\u003e\nCc: James Morris \u003cjames.l.morris@oracle.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n(cherry picked from commit 58319057b7847667f0c9585b9de0e8932b0fdb08)\n\nBug: 31038224\nChange-Id: I88bc5caa782dc6be23dc7e839ff8e11b9a903f8c\nSigned-off-by: Jorge Lucangeli Obes \u003cjorgelo@google.com\u003e\n","web_links":[{"name":"GitHub","tooltip":"Open in GitWeb","url":"https://github.com/LineageOS/android_kernel_samsung_apq8084/commit/fdee484e4bca83ed6612a4da17bedadd765f9a11"}],"resolve_conflicts_web_links":[{"name":"GitHub","tooltip":"Open in GitWeb","url":"https://github.com/LineageOS/android_kernel_samsung_apq8084/commit/fdee484e4bca83ed6612a4da17bedadd765f9a11"}]},"parents_data":[{"branch_name":"refs/heads/lineage-15.0","commit_id":"37a8412e44ed91750de403e0f05d31551ec6e931","is_merged_in_target_branch":false,"change_id":"I8f24e1e9f87a6773bd84fb9f173a3725c376c692","change_number":192901,"patch_set_number":5,"change_status":"MERGED"}],"branch":"refs/heads/lineage-15.0"},"3632a4ab7c55d145ebd3220058b92845190539b8":{"kind":"TRIVIAL_REBASE","_number":6,"created":"2017-10-24 11:53:29.000000000","uploader":{"_account_id":15402,"name":"Corinna 
Vinschen","email":"xda@vinschen.de","username":"cvxda","avatars":[{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"ref":"refs/changes/02/192902/6","fetch":{"anonymous http":{"url":"https://github.com/LineageOS/android_kernel_samsung_apq8084","ref":"refs/changes/02/192902/6","commands":{"Branch":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/6 \u0026\u0026 git checkout -b change-192902 FETCH_HEAD","Checkout":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/6 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/6 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/6 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/6","Reset To":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/6 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"e30001d3e21db8f723e6075e6922b1bc9613d786","subject":"ANDROID: binder: add hwbinder,vndbinder to BINDER_DEVICES.","web_links":[{"name":"GitHub","tooltip":"Open in 
GitWeb","url":"https://github.com/LineageOS/android_kernel_samsung_apq8084/commit/e30001d3e21db8f723e6075e6922b1bc9613d786"}]}],"author":{"name":"Andy Lutomirski","email":"luto@kernel.org","date":"2015-09-04 22:42:45.000000000","tz":-420},"committer":{"name":"Corinna Vinschen","email":"xda@vinschen.de","date":"2017-10-24 13:52:58.000000000","tz":120},"subject":"UPSTREAM: capabilities: ambient capabilities","message":"UPSTREAM: capabilities: ambient capabilities\n\nCredit where credit is due: this idea comes from Christoph Lameter with\na lot of valuable input from Serge Hallyn.  This patch is heavily based\non Christoph\u0027s patch.\n\n\u003d\u003d\u003d\u003d\u003d The status quo \u003d\u003d\u003d\u003d\u003d\n\nOn Linux, there are a number of capabilities defined by the kernel.  To\nperform various privileged tasks, processes can wield capabilities that\nthey hold.\n\nEach task has four capability masks: effective (pE), permitted (pP),\ninheritable (pI), and a bounding set (X).  When the kernel checks for a\ncapability, it checks pE.  The other capability masks serve to modify\nwhat capabilities can be in pE.\n\nAny task can remove capabilities from pE, pP, or pI at any time.  If a\ntask has a capability in pP, it can add that capability to pE and/or pI.\nIf a task has CAP_SETPCAP, then it can add any capability to pI, and it\ncan remove capabilities from X.\n\nTasks are not the only things that can have capabilities; files can also\nhave capabilities.  A file can have no capabilty information at all [1].\nIf a file has capability information, then it has a permitted mask (fP)\nand an inheritable mask (fI) as well as a single effective bit (fE) [2].\nFile capabilities modify the capabilities of tasks that execve(2) them.\n\nA task that successfully calls execve has its capabilities modified for\nthe file ultimately being excecuted (i.e.  the binary itself if that\nbinary is ELF or for the interpreter if the binary is a script.) 
[3] In\nthe capability evolution rules, for each mask Z, pZ represents the old\nvalue and pZ\u0027 represents the new value.  The rules are:\n\n  pP\u0027 \u003d (X \u0026 fP) | (pI \u0026 fI)\n  pI\u0027 \u003d pI\n  pE\u0027 \u003d (fE ? pP\u0027 : 0)\n  X is unchanged\n\nFor setuid binaries, fP, fI, and fE are modified by a moderately\ncomplicated set of rules that emulate POSIX behavior.  Similarly, if\neuid \u003d\u003d 0 or ruid \u003d\u003d 0, then fP, fI, and fE are modified differently\n(primarily, fP and fI usually end up being the full set).  For nonroot\nusers executing binaries with neither setuid nor file caps, fI and fP\nare empty and fE is false.\n\nAs an extra complication, if you execute a process as nonroot and fE is\nset, then the \"secure exec\" rules are in effect: AT_SECURE gets set,\nLD_PRELOAD doesn\u0027t work, etc.\n\nThis is rather messy.  We\u0027ve learned that making any changes is\ndangerous, though: if a new kernel version allows an unprivileged\nprogram to change its security state in a way that persists across\nexecution of a setuid program or a program with file caps, this\npersistent state is surprisingly likely to allow setuid or file-capped\nprograms to be exploited for privilege escalation.\n\n\u003d\u003d\u003d\u003d\u003d The problem \u003d\u003d\u003d\u003d\u003d\n\nCapability inheritance is basically useless.\n\nIf you aren\u0027t root and you execute an ordinary binary, fI is zero, so\nyour capabilities have no effect whatsoever on pP\u0027.  This means that you\ncan\u0027t usefully execute a helper process or a shell command with elevated\ncapabilities if you aren\u0027t root.\n\nOn current kernels, you can sort of work around this by setting fI to\nthe full set for most or all non-setuid executable files.  This causes\npP\u0027 \u003d pI for nonroot, and inheritance works.  
No one does this because\nit\u0027s a PITA and it isn\u0027t even supported on most filesystems.\n\nIf you try this, you\u0027ll discover that every nonroot program ends up with\nsecure exec rules, breaking many things.\n\nThis is a problem that has bitten many people who have tried to use\ncapabilities for anything useful.\n\n\u003d\u003d\u003d\u003d\u003d The proposed change \u003d\u003d\u003d\u003d\u003d\n\nThis patch adds a fifth capability mask called the ambient mask (pA).\npA does what most people expect pI to do.\n\npA obeys the invariant that no bit can ever be set in pA if it is not\nset in both pP and pI.  Dropping a bit from pP or pI drops that bit from\npA.  This ensures that existing programs that try to drop capabilities\nstill do so, with a complication.  Because capability inheritance is so\nbroken, setting KEEPCAPS, using setresuid to switch to nonroot uids, and\nthen calling execve effectively drops capabilities.  Therefore,\nsetresuid from root to nonroot conditionally clears pA unless\nSECBIT_NO_SETUID_FIXUP is set.  Processes that don\u0027t like this can\nre-add bits to pA afterwards.\n\nThe capability evolution rules are changed:\n\n  pA\u0027 \u003d (file caps or setuid or setgid ? 0 : pA)\n  pP\u0027 \u003d (X \u0026 fP) | (pI \u0026 fI) | pA\u0027\n  pI\u0027 \u003d pI\n  pE\u0027 \u003d (fE ? pP\u0027 : pA\u0027)\n  X is unchanged\n\nIf you are nonroot but you have a capability, you can add it to pA.  If\nyou do so, your children get that capability in pA, pP, and pE.  For\nexample, you can set pA \u003d CAP_NET_BIND_SERVICE, and your children can\nautomatically bind low-numbered ports.  Hallelujah!\n\nUnprivileged users can create user namespaces, map themselves to a\nnonzero uid, and create both privileged (relative to their namespace)\nand unprivileged process trees.  This is currently more or less\nimpossible.  
Hallelujah!\n\nYou cannot use pA to try to subvert a setuid, setgid, or file-capped\nprogram: if you execute any such program, pA gets cleared and the\nresulting evolution rules are unchanged by this patch.\n\nUsers with nonzero pA are unlikely to unintentionally leak that\ncapability.  If they run programs that try to drop privileges, dropping\nprivileges will still work.\n\nIt\u0027s worth noting that the degree of paranoia in this patch could\npossibly be reduced without causing serious problems.  Specifically, if\nwe allowed pA to persist across executing non-pA-aware setuid binaries\nand across setresuid, then, naively, the only capabilities that could\nleak as a result would be the capabilities in pA, and any attacker\n*already* has those capabilities.  This would make me nervous, though --\nsetuid binaries that tried to privilege-separate might fail to do so,\nand putting CAP_DAC_READ_SEARCH or CAP_DAC_OVERRIDE into pA could have\nunexpected side effects.  (Whether these unexpected side effects would\nbe exploitable is an open question.) I\u0027ve therefore taken the more\nparanoid route.  We can revisit this later.\n\nAn alternative would be to require PR_SET_NO_NEW_PRIVS before setting\nambient capabilities.  I think that this would be annoying and would\nmake granting otherwise unprivileged users minor ambient capabilities\n(CAP_NET_BIND_SERVICE or CAP_NET_RAW for example) much less useful than\nit is with this patch.\n\n\u003d\u003d\u003d\u003d\u003d Footnotes \u003d\u003d\u003d\u003d\u003d\n\n[1] Files that are missing the \"security.capability\" xattr or that have\nunrecognized values for that xattr end up with has_cap set to false.\nThe code that does that appears to be complicated for no good reason.\n\n[2] The libcap capability mask parsers and formatters are dangerously\nmisleading and the documentation is flat-out wrong.  fE is *not* a mask;\nit\u0027s a single bit.  
This has probably confused every single person who\nhas tried to use file capabilities.\n\n[3] Linux very confusingly processes both the script and the interpreter\nif applicable, for reasons that elude me.  The results from thinking\nabout a script\u0027s file capabilities and/or setuid bits are mostly\ndiscarded.\n\nPreliminary userspace code is here, but it needs updating:\nhttps://git.kernel.org/cgit/linux/kernel/git/luto/util-linux-playground.git/commit/?h\u003dcap_ambient\u0026id\u003d7f5afbd175d2\n\nHere is a test program that can be used to verify the functionality\n(from Christoph):\n\n/*\n * Test program for the ambient capabilities. This program spawns a shell\n * that allows running processes with a defined set of capabilities.\n *\n * (C) 2015 Christoph Lameter \u003ccl@linux.com\u003e\n * Released under: GPL v3 or later.\n *\n *\n * Compile using:\n *\n *\tgcc -o ambient_test ambient_test.o -lcap-ng\n *\n * This program must have the following capabilities to run properly:\n * Permissions for CAP_NET_RAW, CAP_NET_ADMIN, CAP_SYS_NICE\n *\n * A command to equip the binary with the right caps is:\n *\n *\tsetcap cap_net_raw,cap_net_admin,cap_sys_nice+p ambient_test\n *\n *\n * To get a shell with additional caps that can be inherited by other processes:\n *\n *\t./ambient_test /bin/bash\n *\n *\n * Verifying that it works:\n *\n * From the bash spawed by ambient_test run\n *\n *\tcat /proc/$$/status\n *\n * and have a look at the capabilities.\n */\n\n/*\n * Definitions from the kernel header files. These are going to be removed\n * when the /usr/include files have these defined.\n */\n\nstatic void set_ambient_cap(int cap)\n{\n\tint rc;\n\n\tcapng_get_caps_process();\n\trc \u003d capng_update(CAPNG_ADD, CAPNG_INHERITABLE, cap);\n\tif (rc) {\n\t\tprintf(\"Cannot add inheritable cap\\n\");\n\t\texit(2);\n\t}\n\tcapng_apply(CAPNG_SELECT_CAPS);\n\n\t/* Note the two 0s at the end. 
Kernel checks for these */\n\tif (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0)) {\n\t\tperror(\"Cannot set cap\");\n\t\texit(1);\n\t}\n}\n\nint main(int argc, char **argv)\n{\n\tint rc;\n\n\tset_ambient_cap(CAP_NET_RAW);\n\tset_ambient_cap(CAP_NET_ADMIN);\n\tset_ambient_cap(CAP_SYS_NICE);\n\n\tprintf(\"Ambient_test forking shell\\n\");\n\tif (execv(argv[1], argv + 1))\n\t\tperror(\"Cannot exec\");\n\n\treturn 0;\n}\n\nSigned-off-by: Christoph Lameter \u003ccl@linux.com\u003e # Original author\nSigned-off-by: Andy Lutomirski \u003cluto@kernel.org\u003e\nAcked-by: Serge E. Hallyn \u003cserge.hallyn@ubuntu.com\u003e\nAcked-by: Kees Cook \u003ckeescook@chromium.org\u003e\nCc: Jonathan Corbet \u003ccorbet@lwn.net\u003e\nCc: Aaron Jones \u003caaronmdjones@gmail.com\u003e\nCc: Ted Ts\u0027o \u003ctytso@mit.edu\u003e\nCc: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nCc: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nCc: Austin S Hemmelgarn \u003cahferroin7@gmail.com\u003e\nCc: Markku Savela \u003cmsa@moth.iki.fi\u003e\nCc: Jarkko Sakkinen \u003cjarkko.sakkinen@linux.intel.com\u003e\nCc: Michael Kerrisk \u003cmtk.manpages@gmail.com\u003e\nCc: James Morris \u003cjames.l.morris@oracle.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n(cherry picked from commit 58319057b7847667f0c9585b9de0e8932b0fdb08)\n\nBug: 31038224\nChange-Id: I88bc5caa782dc6be23dc7e839ff8e11b9a903f8c\nSigned-off-by: Jorge Lucangeli Obes \u003cjorgelo@google.com\u003e\n","web_links":[{"name":"GitHub","tooltip":"Open in GitWeb","url":"https://github.com/LineageOS/android_kernel_samsung_apq8084/commit/3632a4ab7c55d145ebd3220058b92845190539b8"}],"resolve_conflicts_web_links":[{"name":"GitHub","tooltip":"Open in 
GitWeb","url":"https://github.com/LineageOS/android_kernel_samsung_apq8084/commit/3632a4ab7c55d145ebd3220058b92845190539b8"}]},"parents_data":[{"branch_name":"refs/heads/lineage-15.0","commit_id":"e30001d3e21db8f723e6075e6922b1bc9613d786","is_merged_in_target_branch":false,"change_id":"I8f24e1e9f87a6773bd84fb9f173a3725c376c692","change_number":192901,"patch_set_number":6,"change_status":"MERGED"}],"branch":"refs/heads/lineage-15.0"},"f4735956d1dfe7a9edb0a51f12e91c38080e47d7":{"kind":"TRIVIAL_REBASE","_number":7,"created":"2017-11-02 14:35:44.000000000","uploader":{"_account_id":15402,"name":"Corinna Vinschen","email":"xda@vinschen.de","username":"cvxda","avatars":[{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"ref":"refs/changes/02/192902/7","fetch":{"anonymous http":{"url":"https://github.com/LineageOS/android_kernel_samsung_apq8084","ref":"refs/changes/02/192902/7","commands":{"Branch":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/7 \u0026\u0026 git checkout -b change-192902 FETCH_HEAD","Checkout":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/7 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/7 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/7 \u0026\u0026 git 
format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/7","Reset To":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/7 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"dd6bcfb45400f15a9f1d8c242653fdb844c7d2c1","subject":"ANDROID: binder: add hwbinder,vndbinder to BINDER_DEVICES.","web_links":[{"name":"GitHub","tooltip":"Open in GitWeb","url":"https://github.com/LineageOS/android_kernel_samsung_apq8084/commit/dd6bcfb45400f15a9f1d8c242653fdb844c7d2c1"}]}],"author":{"name":"Andy Lutomirski","email":"luto@kernel.org","date":"2015-09-04 22:42:45.000000000","tz":-420},"committer":{"name":"Corinna Vinschen","email":"xda@vinschen.de","date":"2017-11-01 22:04:29.000000000","tz":60},"subject":"UPSTREAM: capabilities: ambient capabilities","message":"UPSTREAM: capabilities: ambient capabilities\n\nCredit where credit is due: this idea comes from Christoph Lameter with\na lot of valuable input from Serge Hallyn.  This patch is heavily based\non Christoph\u0027s patch.\n\n\u003d\u003d\u003d\u003d\u003d The status quo \u003d\u003d\u003d\u003d\u003d\n\nOn Linux, there are a number of capabilities defined by the kernel.  To\nperform various privileged tasks, processes can wield capabilities that\nthey hold.\n\nEach task has four capability masks: effective (pE), permitted (pP),\ninheritable (pI), and a bounding set (X).  When the kernel checks for a\ncapability, it checks pE.  The other capability masks serve to modify\nwhat capabilities can be in pE.\n\nAny task can remove capabilities from pE, pP, or pI at any time.  If a\ntask has a capability in pP, it can add that capability to pE and/or pI.\nIf a task has CAP_SETPCAP, then it can add any capability to pI, and it\ncan remove capabilities from X.\n\nTasks are not the only things that can have capabilities; files can also\nhave capabilities.  
A file can have no capabilty information at all [1].\nIf a file has capability information, then it has a permitted mask (fP)\nand an inheritable mask (fI) as well as a single effective bit (fE) [2].\nFile capabilities modify the capabilities of tasks that execve(2) them.\n\nA task that successfully calls execve has its capabilities modified for\nthe file ultimately being excecuted (i.e.  the binary itself if that\nbinary is ELF or for the interpreter if the binary is a script.) [3] In\nthe capability evolution rules, for each mask Z, pZ represents the old\nvalue and pZ\u0027 represents the new value.  The rules are:\n\n  pP\u0027 \u003d (X \u0026 fP) | (pI \u0026 fI)\n  pI\u0027 \u003d pI\n  pE\u0027 \u003d (fE ? pP\u0027 : 0)\n  X is unchanged\n\nFor setuid binaries, fP, fI, and fE are modified by a moderately\ncomplicated set of rules that emulate POSIX behavior.  Similarly, if\neuid \u003d\u003d 0 or ruid \u003d\u003d 0, then fP, fI, and fE are modified differently\n(primary, fP and fI usually end up being the full set).  For nonroot\nusers executing binaries with neither setuid nor file caps, fI and fP\nare empty and fE is false.\n\nAs an extra complication, if you execute a process as nonroot and fE is\nset, then the \"secure exec\" rules are in effect: AT_SECURE gets set,\nLD_PRELOAD doesn\u0027t work, etc.\n\nThis is rather messy.  We\u0027ve learned that making any changes is\ndangerous, though: if a new kernel version allows an unprivileged\nprogram to change its security state in a way that persists cross\nexecution of a setuid program or a program with file caps, this\npersistent state is surprisingly likely to allow setuid or file-capped\nprograms to be exploited for privilege escalation.\n\n\u003d\u003d\u003d\u003d\u003d The problem \u003d\u003d\u003d\u003d\u003d\n\nCapability inheritance is basically useless.\n\nIf you aren\u0027t root and you execute an ordinary binary, fI is zero, so\nyour capabilities have no effect whatsoever on pP\u0027.  
This means that you\ncan\u0027t usefully execute a helper process or a shell command with elevated\ncapabilities if you aren\u0027t root.\n\nOn current kernels, you can sort of work around this by setting fI to\nthe full set for most or all non-setuid executable files.  This causes\npP\u0027 \u003d pI for nonroot, and inheritance works.  No one does this because\nit\u0027s a PITA and it isn\u0027t even supported on most filesystems.\n\nIf you try this, you\u0027ll discover that every nonroot program ends up with\nsecure exec rules, breaking many things.\n\nThis is a problem that has bitten many people who have tried to use\ncapabilities for anything useful.\n\n\u003d\u003d\u003d\u003d\u003d The proposed change \u003d\u003d\u003d\u003d\u003d\n\nThis patch adds a fifth capability mask called the ambient mask (pA).\npA does what most people expect pI to do.\n\npA obeys the invariant that no bit can ever be set in pA if it is not\nset in both pP and pI.  Dropping a bit from pP or pI drops that bit from\npA.  This ensures that existing programs that try to drop capabilities\nstill do so, with a complication.  Because capability inheritance is so\nbroken, setting KEEPCAPS, using setresuid to switch to nonroot uids, and\nthen calling execve effectively drops capabilities.  Therefore,\nsetresuid from root to nonroot conditionally clears pA unless\nSECBIT_NO_SETUID_FIXUP is set.  Processes that don\u0027t like this can\nre-add bits to pA afterwards.\n\nThe capability evolution rules are changed:\n\n  pA\u0027 \u003d (file caps or setuid or setgid ? 0 : pA)\n  pP\u0027 \u003d (X \u0026 fP) | (pI \u0026 fI) | pA\u0027\n  pI\u0027 \u003d pI\n  pE\u0027 \u003d (fE ? pP\u0027 : pA\u0027)\n  X is unchanged\n\nIf you are nonroot but you have a capability, you can add it to pA.  If\nyou do so, your children get that capability in pA, pP, and pE.  For\nexample, you can set pA \u003d CAP_NET_BIND_SERVICE, and your children can\nautomatically bind low-numbered ports.  
Hallelujah!\n\nUnprivileged users can create user namespaces, map themselves to a\nnonzero uid, and create both privileged (relative to their namespace)\nand unprivileged process trees.  This is currently more or less\nimpossible.  Hallelujah!\n\nYou cannot use pA to try to subvert a setuid, setgid, or file-capped\nprogram: if you execute any such program, pA gets cleared and the\nresulting evolution rules are unchanged by this patch.\n\nUsers with nonzero pA are unlikely to unintentionally leak that\ncapability.  If they run programs that try to drop privileges, dropping\nprivileges will still work.\n\nIt\u0027s worth noting that the degree of paranoia in this patch could\npossibly be reduced without causing serious problems.  Specifically, if\nwe allowed pA to persist across executing non-pA-aware setuid binaries\nand across setresuid, then, naively, the only capabilities that could\nleak as a result would be the capabilities in pA, and any attacker\n*already* has those capabilities.  This would make me nervous, though --\nsetuid binaries that tried to privilege-separate might fail to do so,\nand putting CAP_DAC_READ_SEARCH or CAP_DAC_OVERRIDE into pA could have\nunexpected side effects.  (Whether these unexpected side effects would\nbe exploitable is an open question.) I\u0027ve therefore taken the more\nparanoid route.  We can revisit this later.\n\nAn alternative would be to require PR_SET_NO_NEW_PRIVS before setting\nambient capabilities.  
I think that this would be annoying and would\nmake granting otherwise unprivileged users minor ambient capabilities\n(CAP_NET_BIND_SERVICE or CAP_NET_RAW for example) much less useful than\nit is with this patch.\n\n\u003d\u003d\u003d\u003d\u003d Footnotes \u003d\u003d\u003d\u003d\u003d\n\n[1] Files that are missing the \"security.capability\" xattr or that have\nunrecognized values for that xattr end up with has_cap set to false.\nThe code that does that appears to be complicated for no good reason.\n\n[2] The libcap capability mask parsers and formatters are dangerously\nmisleading and the documentation is flat-out wrong.  fE is *not* a mask;\nit\u0027s a single bit.  This has probably confused every single person who\nhas tried to use file capabilities.\n\n[3] Linux very confusingly processes both the script and the interpreter\nif applicable, for reasons that elude me.  The results from thinking\nabout a script\u0027s file capabilities and/or setuid bits are mostly\ndiscarded.\n\nPreliminary userspace code is here, but it needs updating:\nhttps://git.kernel.org/cgit/linux/kernel/git/luto/util-linux-playground.git/commit/?h\u003dcap_ambient\u0026id\u003d7f5afbd175d2\n\nHere is a test program that can be used to verify the functionality\n(from Christoph):\n\n/*\n * Test program for the ambient capabilities. 
This program spawns a shell\n * that allows running processes with a defined set of capabilities.\n *\n * (C) 2015 Christoph Lameter \u003ccl@linux.com\u003e\n * Released under: GPL v3 or later.\n *\n *\n * Compile using:\n *\n *\tgcc -o ambient_test ambient_test.o -lcap-ng\n *\n * This program must have the following capabilities to run properly:\n * Permissions for CAP_NET_RAW, CAP_NET_ADMIN, CAP_SYS_NICE\n *\n * A command to equip the binary with the right caps is:\n *\n *\tsetcap cap_net_raw,cap_net_admin,cap_sys_nice+p ambient_test\n *\n *\n * To get a shell with additional caps that can be inherited by other processes:\n *\n *\t./ambient_test /bin/bash\n *\n *\n * Verifying that it works:\n *\n * From the bash spawed by ambient_test run\n *\n *\tcat /proc/$$/status\n *\n * and have a look at the capabilities.\n */\n\n/*\n * Definitions from the kernel header files. These are going to be removed\n * when the /usr/include files have these defined.\n */\n\nstatic void set_ambient_cap(int cap)\n{\n\tint rc;\n\n\tcapng_get_caps_process();\n\trc \u003d capng_update(CAPNG_ADD, CAPNG_INHERITABLE, cap);\n\tif (rc) {\n\t\tprintf(\"Cannot add inheritable cap\\n\");\n\t\texit(2);\n\t}\n\tcapng_apply(CAPNG_SELECT_CAPS);\n\n\t/* Note the two 0s at the end. Kernel checks for these */\n\tif (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0)) {\n\t\tperror(\"Cannot set cap\");\n\t\texit(1);\n\t}\n}\n\nint main(int argc, char **argv)\n{\n\tint rc;\n\n\tset_ambient_cap(CAP_NET_RAW);\n\tset_ambient_cap(CAP_NET_ADMIN);\n\tset_ambient_cap(CAP_SYS_NICE);\n\n\tprintf(\"Ambient_test forking shell\\n\");\n\tif (execv(argv[1], argv + 1))\n\t\tperror(\"Cannot exec\");\n\n\treturn 0;\n}\n\nSigned-off-by: Christoph Lameter \u003ccl@linux.com\u003e # Original author\nSigned-off-by: Andy Lutomirski \u003cluto@kernel.org\u003e\nAcked-by: Serge E. 
Hallyn \u003cserge.hallyn@ubuntu.com\u003e\nAcked-by: Kees Cook \u003ckeescook@chromium.org\u003e\nCc: Jonathan Corbet \u003ccorbet@lwn.net\u003e\nCc: Aaron Jones \u003caaronmdjones@gmail.com\u003e\nCc: Ted Ts\u0027o \u003ctytso@mit.edu\u003e\nCc: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nCc: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nCc: Austin S Hemmelgarn \u003cahferroin7@gmail.com\u003e\nCc: Markku Savela \u003cmsa@moth.iki.fi\u003e\nCc: Jarkko Sakkinen \u003cjarkko.sakkinen@linux.intel.com\u003e\nCc: Michael Kerrisk \u003cmtk.manpages@gmail.com\u003e\nCc: James Morris \u003cjames.l.morris@oracle.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n(cherry picked from commit 58319057b7847667f0c9585b9de0e8932b0fdb08)\n\nBug: 31038224\nChange-Id: I88bc5caa782dc6be23dc7e839ff8e11b9a903f8c\nSigned-off-by: Jorge Lucangeli Obes \u003cjorgelo@google.com\u003e\n","web_links":[{"name":"GitHub","tooltip":"Open in GitWeb","url":"https://github.com/LineageOS/android_kernel_samsung_apq8084/commit/f4735956d1dfe7a9edb0a51f12e91c38080e47d7"}],"resolve_conflicts_web_links":[{"name":"GitHub","tooltip":"Open in GitWeb","url":"https://github.com/LineageOS/android_kernel_samsung_apq8084/commit/f4735956d1dfe7a9edb0a51f12e91c38080e47d7"}]},"parents_data":[{"branch_name":"refs/heads/lineage-15.0","commit_id":"dd6bcfb45400f15a9f1d8c242653fdb844c7d2c1","is_merged_in_target_branch":false,"change_id":"I8f24e1e9f87a6773bd84fb9f173a3725c376c692","change_number":192901,"patch_set_number":7,"change_status":"MERGED"}],"branch":"refs/heads/lineage-15.0"},"49dde2d56ff21f5cb1b9d6864b898245de837f37":{"kind":"TRIVIAL_REBASE","_number":8,"created":"2017-11-05 15:34:00.000000000","uploader":{"_account_id":15402,"name":"Corinna 
Vinschen","email":"xda@vinschen.de","username":"cvxda","avatars":[{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"ref":"refs/changes/02/192902/8","fetch":{"anonymous http":{"url":"https://github.com/LineageOS/android_kernel_samsung_apq8084","ref":"refs/changes/02/192902/8","commands":{"Branch":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/8 \u0026\u0026 git checkout -b change-192902 FETCH_HEAD","Checkout":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/8 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/8 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/8 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/8","Reset To":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/8 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"fd7a4aed5865acfdebb14e4c906aba41522f41eb","subject":"ANDROID: binder: add hwbinder,vndbinder to BINDER_DEVICES.","web_links":[{"name":"GitHub","tooltip":"Open in 
GitWeb","url":"https://github.com/LineageOS/android_kernel_samsung_apq8084/commit/fd7a4aed5865acfdebb14e4c906aba41522f41eb"}]}],"author":{"name":"Andy Lutomirski","email":"luto@kernel.org","date":"2015-09-04 22:42:45.000000000","tz":-420},"committer":{"name":"Corinna Vinschen","email":"xda@vinschen.de","date":"2017-11-05 16:32:52.000000000","tz":60},"subject":"UPSTREAM: capabilities: ambient capabilities","message":"UPSTREAM: capabilities: ambient capabilities\n\nCredit where credit is due: this idea comes from Christoph Lameter with\na lot of valuable input from Serge Hallyn.  This patch is heavily based\non Christoph\u0027s patch.\n\n\u003d\u003d\u003d\u003d\u003d The status quo \u003d\u003d\u003d\u003d\u003d\n\nOn Linux, there are a number of capabilities defined by the kernel.  To\nperform various privileged tasks, processes can wield capabilities that\nthey hold.\n\nEach task has four capability masks: effective (pE), permitted (pP),\ninheritable (pI), and a bounding set (X).  When the kernel checks for a\ncapability, it checks pE.  The other capability masks serve to modify\nwhat capabilities can be in pE.\n\nAny task can remove capabilities from pE, pP, or pI at any time.  If a\ntask has a capability in pP, it can add that capability to pE and/or pI.\nIf a task has CAP_SETPCAP, then it can add any capability to pI, and it\ncan remove capabilities from X.\n\nTasks are not the only things that can have capabilities; files can also\nhave capabilities.  A file can have no capabilty information at all [1].\nIf a file has capability information, then it has a permitted mask (fP)\nand an inheritable mask (fI) as well as a single effective bit (fE) [2].\nFile capabilities modify the capabilities of tasks that execve(2) them.\n\nA task that successfully calls execve has its capabilities modified for\nthe file ultimately being excecuted (i.e.  the binary itself if that\nbinary is ELF or for the interpreter if the binary is a script.) 
[3] In\nthe capability evolution rules, for each mask Z, pZ represents the old\nvalue and pZ\u0027 represents the new value.  The rules are:\n\n  pP\u0027 \u003d (X \u0026 fP) | (pI \u0026 fI)\n  pI\u0027 \u003d pI\n  pE\u0027 \u003d (fE ? pP\u0027 : 0)\n  X is unchanged\n\nFor setuid binaries, fP, fI, and fE are modified by a moderately\ncomplicated set of rules that emulate POSIX behavior.  Similarly, if\neuid \u003d\u003d 0 or ruid \u003d\u003d 0, then fP, fI, and fE are modified differently\n(primary, fP and fI usually end up being the full set).  For nonroot\nusers executing binaries with neither setuid nor file caps, fI and fP\nare empty and fE is false.\n\nAs an extra complication, if you execute a process as nonroot and fE is\nset, then the \"secure exec\" rules are in effect: AT_SECURE gets set,\nLD_PRELOAD doesn\u0027t work, etc.\n\nThis is rather messy.  We\u0027ve learned that making any changes is\ndangerous, though: if a new kernel version allows an unprivileged\nprogram to change its security state in a way that persists cross\nexecution of a setuid program or a program with file caps, this\npersistent state is surprisingly likely to allow setuid or file-capped\nprograms to be exploited for privilege escalation.\n\n\u003d\u003d\u003d\u003d\u003d The problem \u003d\u003d\u003d\u003d\u003d\n\nCapability inheritance is basically useless.\n\nIf you aren\u0027t root and you execute an ordinary binary, fI is zero, so\nyour capabilities have no effect whatsoever on pP\u0027.  This means that you\ncan\u0027t usefully execute a helper process or a shell command with elevated\ncapabilities if you aren\u0027t root.\n\nOn current kernels, you can sort of work around this by setting fI to\nthe full set for most or all non-setuid executable files.  This causes\npP\u0027 \u003d pI for nonroot, and inheritance works.  
No one does this because\nit\u0027s a PITA and it isn\u0027t even supported on most filesystems.\n\nIf you try this, you\u0027ll discover that every nonroot program ends up with\nsecure exec rules, breaking many things.\n\nThis is a problem that has bitten many people who have tried to use\ncapabilities for anything useful.\n\n\u003d\u003d\u003d\u003d\u003d The proposed change \u003d\u003d\u003d\u003d\u003d\n\nThis patch adds a fifth capability mask called the ambient mask (pA).\npA does what most people expect pI to do.\n\npA obeys the invariant that no bit can ever be set in pA if it is not\nset in both pP and pI.  Dropping a bit from pP or pI drops that bit from\npA.  This ensures that existing programs that try to drop capabilities\nstill do so, with a complication.  Because capability inheritance is so\nbroken, setting KEEPCAPS, using setresuid to switch to nonroot uids, and\nthen calling execve effectively drops capabilities.  Therefore,\nsetresuid from root to nonroot conditionally clears pA unless\nSECBIT_NO_SETUID_FIXUP is set.  Processes that don\u0027t like this can\nre-add bits to pA afterwards.\n\nThe capability evolution rules are changed:\n\n  pA\u0027 \u003d (file caps or setuid or setgid ? 0 : pA)\n  pP\u0027 \u003d (X \u0026 fP) | (pI \u0026 fI) | pA\u0027\n  pI\u0027 \u003d pI\n  pE\u0027 \u003d (fE ? pP\u0027 : pA\u0027)\n  X is unchanged\n\nIf you are nonroot but you have a capability, you can add it to pA.  If\nyou do so, your children get that capability in pA, pP, and pE.  For\nexample, you can set pA \u003d CAP_NET_BIND_SERVICE, and your children can\nautomatically bind low-numbered ports.  Hallelujah!\n\nUnprivileged users can create user namespaces, map themselves to a\nnonzero uid, and create both privileged (relative to their namespace)\nand unprivileged process trees.  This is currently more or less\nimpossible.  
Hallelujah!\n\nYou cannot use pA to try to subvert a setuid, setgid, or file-capped\nprogram: if you execute any such program, pA gets cleared and the\nresulting evolution rules are unchanged by this patch.\n\nUsers with nonzero pA are unlikely to unintentionally leak that\ncapability.  If they run programs that try to drop privileges, dropping\nprivileges will still work.\n\nIt\u0027s worth noting that the degree of paranoia in this patch could\npossibly be reduced without causing serious problems.  Specifically, if\nwe allowed pA to persist across executing non-pA-aware setuid binaries\nand across setresuid, then, naively, the only capabilities that could\nleak as a result would be the capabilities in pA, and any attacker\n*already* has those capabilities.  This would make me nervous, though --\nsetuid binaries that tried to privilege-separate might fail to do so,\nand putting CAP_DAC_READ_SEARCH or CAP_DAC_OVERRIDE into pA could have\nunexpected side effects.  (Whether these unexpected side effects would\nbe exploitable is an open question.) I\u0027ve therefore taken the more\nparanoid route.  We can revisit this later.\n\nAn alternative would be to require PR_SET_NO_NEW_PRIVS before setting\nambient capabilities.  I think that this would be annoying and would\nmake granting otherwise unprivileged users minor ambient capabilities\n(CAP_NET_BIND_SERVICE or CAP_NET_RAW for example) much less useful than\nit is with this patch.\n\n\u003d\u003d\u003d\u003d\u003d Footnotes \u003d\u003d\u003d\u003d\u003d\n\n[1] Files that are missing the \"security.capability\" xattr or that have\nunrecognized values for that xattr end up with has_cap set to false.\nThe code that does that appears to be complicated for no good reason.\n\n[2] The libcap capability mask parsers and formatters are dangerously\nmisleading and the documentation is flat-out wrong.  fE is *not* a mask;\nit\u0027s a single bit.  
This has probably confused every single person who\nhas tried to use file capabilities.\n\n[3] Linux very confusingly processes both the script and the interpreter\nif applicable, for reasons that elude me.  The results from thinking\nabout a script\u0027s file capabilities and/or setuid bits are mostly\ndiscarded.\n\nPreliminary userspace code is here, but it needs updating:\nhttps://git.kernel.org/cgit/linux/kernel/git/luto/util-linux-playground.git/commit/?h\u003dcap_ambient\u0026id\u003d7f5afbd175d2\n\nHere is a test program that can be used to verify the functionality\n(from Christoph):\n\n/*\n * Test program for the ambient capabilities. This program spawns a shell\n * that allows running processes with a defined set of capabilities.\n *\n * (C) 2015 Christoph Lameter \u003ccl@linux.com\u003e\n * Released under: GPL v3 or later.\n *\n *\n * Compile using:\n *\n *\tgcc -o ambient_test ambient_test.o -lcap-ng\n *\n * This program must have the following capabilities to run properly:\n * Permissions for CAP_NET_RAW, CAP_NET_ADMIN, CAP_SYS_NICE\n *\n * A command to equip the binary with the right caps is:\n *\n *\tsetcap cap_net_raw,cap_net_admin,cap_sys_nice+p ambient_test\n *\n *\n * To get a shell with additional caps that can be inherited by other processes:\n *\n *\t./ambient_test /bin/bash\n *\n *\n * Verifying that it works:\n *\n * From the bash spawed by ambient_test run\n *\n *\tcat /proc/$$/status\n *\n * and have a look at the capabilities.\n */\n\n/*\n * Definitions from the kernel header files. These are going to be removed\n * when the /usr/include files have these defined.\n */\n\nstatic void set_ambient_cap(int cap)\n{\n\tint rc;\n\n\tcapng_get_caps_process();\n\trc \u003d capng_update(CAPNG_ADD, CAPNG_INHERITABLE, cap);\n\tif (rc) {\n\t\tprintf(\"Cannot add inheritable cap\\n\");\n\t\texit(2);\n\t}\n\tcapng_apply(CAPNG_SELECT_CAPS);\n\n\t/* Note the two 0s at the end. 
Kernel checks for these */\n\tif (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0)) {\n\t\tperror(\"Cannot set cap\");\n\t\texit(1);\n\t}\n}\n\nint main(int argc, char **argv)\n{\n\tint rc;\n\n\tset_ambient_cap(CAP_NET_RAW);\n\tset_ambient_cap(CAP_NET_ADMIN);\n\tset_ambient_cap(CAP_SYS_NICE);\n\n\tprintf(\"Ambient_test forking shell\\n\");\n\tif (execv(argv[1], argv + 1))\n\t\tperror(\"Cannot exec\");\n\n\treturn 0;\n}\n\nSigned-off-by: Christoph Lameter \u003ccl@linux.com\u003e # Original author\nSigned-off-by: Andy Lutomirski \u003cluto@kernel.org\u003e\nAcked-by: Serge E. Hallyn \u003cserge.hallyn@ubuntu.com\u003e\nAcked-by: Kees Cook \u003ckeescook@chromium.org\u003e\nCc: Jonathan Corbet \u003ccorbet@lwn.net\u003e\nCc: Aaron Jones \u003caaronmdjones@gmail.com\u003e\nCc: Ted Ts\u0027o \u003ctytso@mit.edu\u003e\nCc: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nCc: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nCc: Austin S Hemmelgarn \u003cahferroin7@gmail.com\u003e\nCc: Markku Savela \u003cmsa@moth.iki.fi\u003e\nCc: Jarkko Sakkinen \u003cjarkko.sakkinen@linux.intel.com\u003e\nCc: Michael Kerrisk \u003cmtk.manpages@gmail.com\u003e\nCc: James Morris \u003cjames.l.morris@oracle.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n(cherry picked from commit 58319057b7847667f0c9585b9de0e8932b0fdb08)\n\nBug: 31038224\nChange-Id: I88bc5caa782dc6be23dc7e839ff8e11b9a903f8c\nSigned-off-by: Jorge Lucangeli Obes \u003cjorgelo@google.com\u003e\n","web_links":[{"name":"GitHub","tooltip":"Open in GitWeb","url":"https://github.com/LineageOS/android_kernel_samsung_apq8084/commit/49dde2d56ff21f5cb1b9d6864b898245de837f37"}],"resolve_conflicts_web_links":[{"name":"GitHub","tooltip":"Open in 
GitWeb","url":"https://github.com/LineageOS/android_kernel_samsung_apq8084/commit/49dde2d56ff21f5cb1b9d6864b898245de837f37"}]},"parents_data":[{"branch_name":"refs/heads/lineage-15.0","commit_id":"fd7a4aed5865acfdebb14e4c906aba41522f41eb","is_merged_in_target_branch":false,"change_id":"I8f24e1e9f87a6773bd84fb9f173a3725c376c692","change_number":192901,"patch_set_number":8,"change_status":"MERGED"}],"branch":"refs/heads/lineage-15.0"},"352f5e9dc019b7f921112d937f4064a3b13fe00e":{"kind":"NO_CHANGE","_number":9,"created":"2017-11-05 18:03:51.000000000","uploader":{"_account_id":15402,"name":"Corinna Vinschen","email":"xda@vinschen.de","username":"cvxda","avatars":[{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"ref":"refs/changes/02/192902/9","fetch":{"anonymous http":{"url":"https://github.com/LineageOS/android_kernel_samsung_apq8084","ref":"refs/changes/02/192902/9","commands":{"Branch":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/9 \u0026\u0026 git checkout -b change-192902 FETCH_HEAD","Checkout":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/9 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/9 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/9 \u0026\u0026 git format-patch -1 
--stdout FETCH_HEAD","Pull":"git pull https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/9","Reset To":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/9 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"a565b43e7719ee14bf1c8ac640a3da4d8e5464de","subject":"ANDROID: binder: add hwbinder,vndbinder to BINDER_DEVICES.","web_links":[{"name":"GitHub","tooltip":"Open in GitWeb","url":"https://github.com/LineageOS/android_kernel_samsung_apq8084/commit/a565b43e7719ee14bf1c8ac640a3da4d8e5464de"}]}],"author":{"name":"Andy Lutomirski","email":"luto@kernel.org","date":"2015-09-04 22:42:45.000000000","tz":-420},"committer":{"name":"Corinna Vinschen","email":"xda@vinschen.de","date":"2017-11-05 19:00:16.000000000","tz":60},"subject":"UPSTREAM: capabilities: ambient capabilities","message":"UPSTREAM: capabilities: ambient capabilities\n\nCredit where credit is due: this idea comes from Christoph Lameter with\na lot of valuable input from Serge Hallyn.  This patch is heavily based\non Christoph\u0027s patch.\n\n\u003d\u003d\u003d\u003d\u003d The status quo \u003d\u003d\u003d\u003d\u003d\n\nOn Linux, there are a number of capabilities defined by the kernel.  To\nperform various privileged tasks, processes can wield capabilities that\nthey hold.\n\nEach task has four capability masks: effective (pE), permitted (pP),\ninheritable (pI), and a bounding set (X).  When the kernel checks for a\ncapability, it checks pE.  The other capability masks serve to modify\nwhat capabilities can be in pE.\n\nAny task can remove capabilities from pE, pP, or pI at any time.  If a\ntask has a capability in pP, it can add that capability to pE and/or pI.\nIf a task has CAP_SETPCAP, then it can add any capability to pI, and it\ncan remove capabilities from X.\n\nTasks are not the only things that can have capabilities; files can also\nhave capabilities.  
A file can have no capabilty information at all [1].\nIf a file has capability information, then it has a permitted mask (fP)\nand an inheritable mask (fI) as well as a single effective bit (fE) [2].\nFile capabilities modify the capabilities of tasks that execve(2) them.\n\nA task that successfully calls execve has its capabilities modified for\nthe file ultimately being excecuted (i.e.  the binary itself if that\nbinary is ELF or for the interpreter if the binary is a script.) [3] In\nthe capability evolution rules, for each mask Z, pZ represents the old\nvalue and pZ\u0027 represents the new value.  The rules are:\n\n  pP\u0027 \u003d (X \u0026 fP) | (pI \u0026 fI)\n  pI\u0027 \u003d pI\n  pE\u0027 \u003d (fE ? pP\u0027 : 0)\n  X is unchanged\n\nFor setuid binaries, fP, fI, and fE are modified by a moderately\ncomplicated set of rules that emulate POSIX behavior.  Similarly, if\neuid \u003d\u003d 0 or ruid \u003d\u003d 0, then fP, fI, and fE are modified differently\n(primary, fP and fI usually end up being the full set).  For nonroot\nusers executing binaries with neither setuid nor file caps, fI and fP\nare empty and fE is false.\n\nAs an extra complication, if you execute a process as nonroot and fE is\nset, then the \"secure exec\" rules are in effect: AT_SECURE gets set,\nLD_PRELOAD doesn\u0027t work, etc.\n\nThis is rather messy.  We\u0027ve learned that making any changes is\ndangerous, though: if a new kernel version allows an unprivileged\nprogram to change its security state in a way that persists cross\nexecution of a setuid program or a program with file caps, this\npersistent state is surprisingly likely to allow setuid or file-capped\nprograms to be exploited for privilege escalation.\n\n\u003d\u003d\u003d\u003d\u003d The problem \u003d\u003d\u003d\u003d\u003d\n\nCapability inheritance is basically useless.\n\nIf you aren\u0027t root and you execute an ordinary binary, fI is zero, so\nyour capabilities have no effect whatsoever on pP\u0027.  
This means that you\ncan\u0027t usefully execute a helper process or a shell command with elevated\ncapabilities if you aren\u0027t root.\n\nOn current kernels, you can sort of work around this by setting fI to\nthe full set for most or all non-setuid executable files.  This causes\npP\u0027 \u003d pI for nonroot, and inheritance works.  No one does this because\nit\u0027s a PITA and it isn\u0027t even supported on most filesystems.\n\nIf you try this, you\u0027ll discover that every nonroot program ends up with\nsecure exec rules, breaking many things.\n\nThis is a problem that has bitten many people who have tried to use\ncapabilities for anything useful.\n\n\u003d\u003d\u003d\u003d\u003d The proposed change \u003d\u003d\u003d\u003d\u003d\n\nThis patch adds a fifth capability mask called the ambient mask (pA).\npA does what most people expect pI to do.\n\npA obeys the invariant that no bit can ever be set in pA if it is not\nset in both pP and pI.  Dropping a bit from pP or pI drops that bit from\npA.  This ensures that existing programs that try to drop capabilities\nstill do so, with a complication.  Because capability inheritance is so\nbroken, setting KEEPCAPS, using setresuid to switch to nonroot uids, and\nthen calling execve effectively drops capabilities.  Therefore,\nsetresuid from root to nonroot conditionally clears pA unless\nSECBIT_NO_SETUID_FIXUP is set.  Processes that don\u0027t like this can\nre-add bits to pA afterwards.\n\nThe capability evolution rules are changed:\n\n  pA\u0027 \u003d (file caps or setuid or setgid ? 0 : pA)\n  pP\u0027 \u003d (X \u0026 fP) | (pI \u0026 fI) | pA\u0027\n  pI\u0027 \u003d pI\n  pE\u0027 \u003d (fE ? pP\u0027 : pA\u0027)\n  X is unchanged\n\nIf you are nonroot but you have a capability, you can add it to pA.  If\nyou do so, your children get that capability in pA, pP, and pE.  For\nexample, you can set pA \u003d CAP_NET_BIND_SERVICE, and your children can\nautomatically bind low-numbered ports.  
Hallelujah!\n\nUnprivileged users can create user namespaces, map themselves to a\nnonzero uid, and create both privileged (relative to their namespace)\nand unprivileged process trees.  This is currently more or less\nimpossible.  Hallelujah!\n\nYou cannot use pA to try to subvert a setuid, setgid, or file-capped\nprogram: if you execute any such program, pA gets cleared and the\nresulting evolution rules are unchanged by this patch.\n\nUsers with nonzero pA are unlikely to unintentionally leak that\ncapability.  If they run programs that try to drop privileges, dropping\nprivileges will still work.\n\nIt\u0027s worth noting that the degree of paranoia in this patch could\npossibly be reduced without causing serious problems.  Specifically, if\nwe allowed pA to persist across executing non-pA-aware setuid binaries\nand across setresuid, then, naively, the only capabilities that could\nleak as a result would be the capabilities in pA, and any attacker\n*already* has those capabilities.  This would make me nervous, though --\nsetuid binaries that tried to privilege-separate might fail to do so,\nand putting CAP_DAC_READ_SEARCH or CAP_DAC_OVERRIDE into pA could have\nunexpected side effects.  (Whether these unexpected side effects would\nbe exploitable is an open question.) I\u0027ve therefore taken the more\nparanoid route.  We can revisit this later.\n\nAn alternative would be to require PR_SET_NO_NEW_PRIVS before setting\nambient capabilities.  
I think that this would be annoying and would\nmake granting otherwise unprivileged users minor ambient capabilities\n(CAP_NET_BIND_SERVICE or CAP_NET_RAW for example) much less useful than\nit is with this patch.\n\n\u003d\u003d\u003d\u003d\u003d Footnotes \u003d\u003d\u003d\u003d\u003d\n\n[1] Files that are missing the \"security.capability\" xattr or that have\nunrecognized values for that xattr end up with has_cap set to false.\nThe code that does that appears to be complicated for no good reason.\n\n[2] The libcap capability mask parsers and formatters are dangerously\nmisleading and the documentation is flat-out wrong.  fE is *not* a mask;\nit\u0027s a single bit.  This has probably confused every single person who\nhas tried to use file capabilities.\n\n[3] Linux very confusingly processes both the script and the interpreter\nif applicable, for reasons that elude me.  The results from thinking\nabout a script\u0027s file capabilities and/or setuid bits are mostly\ndiscarded.\n\nPreliminary userspace code is here, but it needs updating:\nhttps://git.kernel.org/cgit/linux/kernel/git/luto/util-linux-playground.git/commit/?h\u003dcap_ambient\u0026id\u003d7f5afbd175d2\n\nHere is a test program that can be used to verify the functionality\n(from Christoph):\n\n/*\n * Test program for the ambient capabilities. 
This program spawns a shell\n * that allows running processes with a defined set of capabilities.\n *\n * (C) 2015 Christoph Lameter \u003ccl@linux.com\u003e\n * Released under: GPL v3 or later.\n *\n *\n * Compile using:\n *\n *\tgcc -o ambient_test ambient_test.o -lcap-ng\n *\n * This program must have the following capabilities to run properly:\n * Permissions for CAP_NET_RAW, CAP_NET_ADMIN, CAP_SYS_NICE\n *\n * A command to equip the binary with the right caps is:\n *\n *\tsetcap cap_net_raw,cap_net_admin,cap_sys_nice+p ambient_test\n *\n *\n * To get a shell with additional caps that can be inherited by other processes:\n *\n *\t./ambient_test /bin/bash\n *\n *\n * Verifying that it works:\n *\n * From the bash spawed by ambient_test run\n *\n *\tcat /proc/$$/status\n *\n * and have a look at the capabilities.\n */\n\n/*\n * Definitions from the kernel header files. These are going to be removed\n * when the /usr/include files have these defined.\n */\n\nstatic void set_ambient_cap(int cap)\n{\n\tint rc;\n\n\tcapng_get_caps_process();\n\trc \u003d capng_update(CAPNG_ADD, CAPNG_INHERITABLE, cap);\n\tif (rc) {\n\t\tprintf(\"Cannot add inheritable cap\\n\");\n\t\texit(2);\n\t}\n\tcapng_apply(CAPNG_SELECT_CAPS);\n\n\t/* Note the two 0s at the end. Kernel checks for these */\n\tif (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0)) {\n\t\tperror(\"Cannot set cap\");\n\t\texit(1);\n\t}\n}\n\nint main(int argc, char **argv)\n{\n\tint rc;\n\n\tset_ambient_cap(CAP_NET_RAW);\n\tset_ambient_cap(CAP_NET_ADMIN);\n\tset_ambient_cap(CAP_SYS_NICE);\n\n\tprintf(\"Ambient_test forking shell\\n\");\n\tif (execv(argv[1], argv + 1))\n\t\tperror(\"Cannot exec\");\n\n\treturn 0;\n}\n\nSigned-off-by: Christoph Lameter \u003ccl@linux.com\u003e # Original author\nSigned-off-by: Andy Lutomirski \u003cluto@kernel.org\u003e\nAcked-by: Serge E. 
Hallyn \u003cserge.hallyn@ubuntu.com\u003e\nAcked-by: Kees Cook \u003ckeescook@chromium.org\u003e\nCc: Jonathan Corbet \u003ccorbet@lwn.net\u003e\nCc: Aaron Jones \u003caaronmdjones@gmail.com\u003e\nCc: Ted Ts\u0027o \u003ctytso@mit.edu\u003e\nCc: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nCc: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nCc: Austin S Hemmelgarn \u003cahferroin7@gmail.com\u003e\nCc: Markku Savela \u003cmsa@moth.iki.fi\u003e\nCc: Jarkko Sakkinen \u003cjarkko.sakkinen@linux.intel.com\u003e\nCc: Michael Kerrisk \u003cmtk.manpages@gmail.com\u003e\nCc: James Morris \u003cjames.l.morris@oracle.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n(cherry picked from commit 58319057b7847667f0c9585b9de0e8932b0fdb08)\n\nBug: 31038224\nChange-Id: I88bc5caa782dc6be23dc7e839ff8e11b9a903f8c\nSigned-off-by: Jorge Lucangeli Obes \u003cjorgelo@google.com\u003e\n","web_links":[{"name":"GitHub","tooltip":"Open in GitWeb","url":"https://github.com/LineageOS/android_kernel_samsung_apq8084/commit/352f5e9dc019b7f921112d937f4064a3b13fe00e"}],"resolve_conflicts_web_links":[{"name":"GitHub","tooltip":"Open in GitWeb","url":"https://github.com/LineageOS/android_kernel_samsung_apq8084/commit/352f5e9dc019b7f921112d937f4064a3b13fe00e"}]},"parents_data":[{"branch_name":"refs/heads/lineage-15.0","commit_id":"a565b43e7719ee14bf1c8ac640a3da4d8e5464de","is_merged_in_target_branch":false,"change_id":"I8f24e1e9f87a6773bd84fb9f173a3725c376c692","change_number":192901,"patch_set_number":9,"change_status":"MERGED"}],"branch":"refs/heads/lineage-15.0"},"77e37928a74086dddf83576a5cac93c49a6e0e60":{"kind":"TRIVIAL_REBASE","_number":10,"created":"2017-11-06 12:55:08.000000000","uploader":{"_account_id":15402,"name":"Corinna 
Vinschen","email":"xda@vinschen.de","username":"cvxda","avatars":[{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d32","height":32},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d56","height":56},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d100","height":100},{"url":"https://www.gravatar.com/avatar/7949ca1d70b58f4108733fc739ef8f93.jpg?d\u003didenticon\u0026r\u003dpg\u0026s\u003d120","height":120}]},"ref":"refs/changes/02/192902/10","fetch":{"anonymous http":{"url":"https://github.com/LineageOS/android_kernel_samsung_apq8084","ref":"refs/changes/02/192902/10","commands":{"Branch":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/10 \u0026\u0026 git checkout -b change-192902 FETCH_HEAD","Checkout":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/10 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/10 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/10 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/10","Reset To":"git fetch https://github.com/LineageOS/android_kernel_samsung_apq8084 refs/changes/02/192902/10 \u0026\u0026 git reset --hard FETCH_HEAD"}}},"commit":{"parents":[{"commit":"4125bec8f333d71708c14f51d90e17ab82b46caa","subject":"ANDROID: binder: add hwbinder,vndbinder to BINDER_DEVICES.","web_links":[{"name":"GitHub","tooltip":"Open in 
GitWeb","url":"https://github.com/LineageOS/android_kernel_samsung_apq8084/commit/4125bec8f333d71708c14f51d90e17ab82b46caa"}]}],"author":{"name":"Andy Lutomirski","email":"luto@kernel.org","date":"2015-09-04 22:42:45.000000000","tz":-420},"committer":{"name":"Corinna Vinschen","email":"xda@vinschen.de","date":"2017-11-06 13:54:53.000000000","tz":60},"subject":"UPSTREAM: capabilities: ambient capabilities","message":"UPSTREAM: capabilities: ambient capabilities\n\nCredit where credit is due: this idea comes from Christoph Lameter with\na lot of valuable input from Serge Hallyn.  This patch is heavily based\non Christoph\u0027s patch.\n\n\u003d\u003d\u003d\u003d\u003d The status quo \u003d\u003d\u003d\u003d\u003d\n\nOn Linux, there are a number of capabilities defined by the kernel.  To\nperform various privileged tasks, processes can wield capabilities that\nthey hold.\n\nEach task has four capability masks: effective (pE), permitted (pP),\ninheritable (pI), and a bounding set (X).  When the kernel checks for a\ncapability, it checks pE.  The other capability masks serve to modify\nwhat capabilities can be in pE.\n\nAny task can remove capabilities from pE, pP, or pI at any time.  If a\ntask has a capability in pP, it can add that capability to pE and/or pI.\nIf a task has CAP_SETPCAP, then it can add any capability to pI, and it\ncan remove capabilities from X.\n\nTasks are not the only things that can have capabilities; files can also\nhave capabilities.  A file can have no capabilty information at all [1].\nIf a file has capability information, then it has a permitted mask (fP)\nand an inheritable mask (fI) as well as a single effective bit (fE) [2].\nFile capabilities modify the capabilities of tasks that execve(2) them.\n\nA task that successfully calls execve has its capabilities modified for\nthe file ultimately being excecuted (i.e.  the binary itself if that\nbinary is ELF or for the interpreter if the binary is a script.) 
[3] In\nthe capability evolution rules, for each mask Z, pZ represents the old\nvalue and pZ\u0027 represents the new value.  The rules are:\n\n  pP\u0027 \u003d (X \u0026 fP) | (pI \u0026 fI)\n  pI\u0027 \u003d pI\n  pE\u0027 \u003d (fE ? pP\u0027 : 0)\n  X is unchanged\n\nFor setuid binaries, fP, fI, and fE are modified by a moderately\ncomplicated set of rules that emulate POSIX behavior.  Similarly, if\neuid \u003d\u003d 0 or ruid \u003d\u003d 0, then fP, fI, and fE are modified differently\n(primary, fP and fI usually end up being the full set).  For nonroot\nusers executing binaries with neither setuid nor file caps, fI and fP\nare empty and fE is false.\n\nAs an extra complication, if you execute a process as nonroot and fE is\nset, then the \"secure exec\" rules are in effect: AT_SECURE gets set,\nLD_PRELOAD doesn\u0027t work, etc.\n\nThis is rather messy.  We\u0027ve learned that making any changes is\ndangerous, though: if a new kernel version allows an unprivileged\nprogram to change its security state in a way that persists cross\nexecution of a setuid program or a program with file caps, this\npersistent state is surprisingly likely to allow setuid or file-capped\nprograms to be exploited for privilege escalation.\n\n\u003d\u003d\u003d\u003d\u003d The problem \u003d\u003d\u003d\u003d\u003d\n\nCapability inheritance is basically useless.\n\nIf you aren\u0027t root and you execute an ordinary binary, fI is zero, so\nyour capabilities have no effect whatsoever on pP\u0027.  This means that you\ncan\u0027t usefully execute a helper process or a shell command with elevated\ncapabilities if you aren\u0027t root.\n\nOn current kernels, you can sort of work around this by setting fI to\nthe full set for most or all non-setuid executable files.  This causes\npP\u0027 \u003d pI for nonroot, and inheritance works.  
No one does this because\nit\u0027s a PITA and it isn\u0027t even supported on most filesystems.\n\nIf you try this, you\u0027ll discover that every nonroot program ends up with\nsecure exec rules, breaking many things.\n\nThis is a problem that has bitten many people who have tried to use\ncapabilities for anything useful.\n\n\u003d\u003d\u003d\u003d\u003d The proposed change \u003d\u003d\u003d\u003d\u003d\n\nThis patch adds a fifth capability mask called the ambient mask (pA).\npA does what most people expect pI to do.\n\npA obeys the invariant that no bit can ever be set in pA if it is not\nset in both pP and pI.  Dropping a bit from pP or pI drops that bit from\npA.  This ensures that existing programs that try to drop capabilities\nstill do so, with a complication.  Because capability inheritance is so\nbroken, setting KEEPCAPS, using setresuid to switch to nonroot uids, and\nthen calling execve effectively drops capabilities.  Therefore,\nsetresuid from root to nonroot conditionally clears pA unless\nSECBIT_NO_SETUID_FIXUP is set.  Processes that don\u0027t like this can\nre-add bits to pA afterwards.\n\nThe capability evolution rules are changed:\n\n  pA\u0027 \u003d (file caps or setuid or setgid ? 0 : pA)\n  pP\u0027 \u003d (X \u0026 fP) | (pI \u0026 fI) | pA\u0027\n  pI\u0027 \u003d pI\n  pE\u0027 \u003d (fE ? pP\u0027 : pA\u0027)\n  X is unchanged\n\nIf you are nonroot but you have a capability, you can add it to pA.  If\nyou do so, your children get that capability in pA, pP, and pE.  For\nexample, you can set pA \u003d CAP_NET_BIND_SERVICE, and your children can\nautomatically bind low-numbered ports.  Hallelujah!\n\nUnprivileged users can create user namespaces, map themselves to a\nnonzero uid, and create both privileged (relative to their namespace)\nand unprivileged process trees.  This is currently more or less\nimpossible.  
Hallelujah!\n\nYou cannot use pA to try to subvert a setuid, setgid, or file-capped\nprogram: if you execute any such program, pA gets cleared and the\nresulting evolution rules are unchanged by this patch.\n\nUsers with nonzero pA are unlikely to unintentionally leak that\ncapability.  If they run programs that try to drop privileges, dropping\nprivileges will still work.\n\nIt\u0027s worth noting that the degree of paranoia in this patch could\npossibly be reduced without causing serious problems.  Specifically, if\nwe allowed pA to persist across executing non-pA-aware setuid binaries\nand across setresuid, then, naively, the only capabilities that could\nleak as a result would be the capabilities in pA, and any attacker\n*already* has those capabilities.  This would make me nervous, though --\nsetuid binaries that tried to privilege-separate might fail to do so,\nand putting CAP_DAC_READ_SEARCH or CAP_DAC_OVERRIDE into pA could have\nunexpected side effects.  (Whether these unexpected side effects would\nbe exploitable is an open question.) I\u0027ve therefore taken the more\nparanoid route.  We can revisit this later.\n\nAn alternative would be to require PR_SET_NO_NEW_PRIVS before setting\nambient capabilities.  I think that this would be annoying and would\nmake granting otherwise unprivileged users minor ambient capabilities\n(CAP_NET_BIND_SERVICE or CAP_NET_RAW for example) much less useful than\nit is with this patch.\n\n\u003d\u003d\u003d\u003d\u003d Footnotes \u003d\u003d\u003d\u003d\u003d\n\n[1] Files that are missing the \"security.capability\" xattr or that have\nunrecognized values for that xattr end up with has_cap set to false.\nThe code that does that appears to be complicated for no good reason.\n\n[2] The libcap capability mask parsers and formatters are dangerously\nmisleading and the documentation is flat-out wrong.  fE is *not* a mask;\nit\u0027s a single bit.  
This has probably confused every single person who\nhas tried to use file capabilities.\n\n[3] Linux very confusingly processes both the script and the interpreter\nif applicable, for reasons that elude me.  The results from thinking\nabout a script\u0027s file capabilities and/or setuid bits are mostly\ndiscarded.\n\nPreliminary userspace code is here, but it needs updating:\nhttps://git.kernel.org/cgit/linux/kernel/git/luto/util-linux-playground.git/commit/?h\u003dcap_ambient\u0026id\u003d7f5afbd175d2\n\nHere is a test program that can be used to verify the functionality\n(from Christoph):\n\n/*\n * Test program for the ambient capabilities. This program spawns a shell\n * that allows running processes with a defined set of capabilities.\n *\n * (C) 2015 Christoph Lameter \u003ccl@linux.com\u003e\n * Released under: GPL v3 or later.\n *\n *\n * Compile using:\n *\n *\tgcc -o ambient_test ambient_test.o -lcap-ng\n *\n * This program must have the following capabilities to run properly:\n * Permissions for CAP_NET_RAW, CAP_NET_ADMIN, CAP_SYS_NICE\n *\n * A command to equip the binary with the right caps is:\n *\n *\tsetcap cap_net_raw,cap_net_admin,cap_sys_nice+p ambient_test\n *\n *\n * To get a shell with additional caps that can be inherited by other processes:\n *\n *\t./ambient_test /bin/bash\n *\n *\n * Verifying that it works:\n *\n * From the bash spawed by ambient_test run\n *\n *\tcat /proc/$$/status\n *\n * and have a look at the capabilities.\n */\n\n/*\n * Definitions from the kernel header files. These are going to be removed\n * when the /usr/include files have these defined.\n */\n\nstatic void set_ambient_cap(int cap)\n{\n\tint rc;\n\n\tcapng_get_caps_process();\n\trc \u003d capng_update(CAPNG_ADD, CAPNG_INHERITABLE, cap);\n\tif (rc) {\n\t\tprintf(\"Cannot add inheritable cap\\n\");\n\t\texit(2);\n\t}\n\tcapng_apply(CAPNG_SELECT_CAPS);\n\n\t/* Note the two 0s at the end. 
Kernel checks for these */\n\tif (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0)) {\n\t\tperror(\"Cannot set cap\");\n\t\texit(1);\n\t}\n}\n\nint main(int argc, char **argv)\n{\n\tint rc;\n\n\tset_ambient_cap(CAP_NET_RAW);\n\tset_ambient_cap(CAP_NET_ADMIN);\n\tset_ambient_cap(CAP_SYS_NICE);\n\n\tprintf(\"Ambient_test forking shell\\n\");\n\tif (execv(argv[1], argv + 1))\n\t\tperror(\"Cannot exec\");\n\n\treturn 0;\n}\n\nSigned-off-by: Christoph Lameter \u003ccl@linux.com\u003e # Original author\nSigned-off-by: Andy Lutomirski \u003cluto@kernel.org\u003e\nAcked-by: Serge E. Hallyn \u003cserge.hallyn@ubuntu.com\u003e\nAcked-by: Kees Cook \u003ckeescook@chromium.org\u003e\nCc: Jonathan Corbet \u003ccorbet@lwn.net\u003e\nCc: Aaron Jones \u003caaronmdjones@gmail.com\u003e\nCc: Ted Ts\u0027o \u003ctytso@mit.edu\u003e\nCc: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nCc: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nCc: Austin S Hemmelgarn \u003cahferroin7@gmail.com\u003e\nCc: Markku Savela \u003cmsa@moth.iki.fi\u003e\nCc: Jarkko Sakkinen \u003cjarkko.sakkinen@linux.intel.com\u003e\nCc: Michael Kerrisk \u003cmtk.manpages@gmail.com\u003e\nCc: James Morris \u003cjames.l.morris@oracle.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n(cherry picked from commit 58319057b7847667f0c9585b9de0e8932b0fdb08)\n\nBug: 31038224\nChange-Id: I88bc5caa782dc6be23dc7e839ff8e11b9a903f8c\nSigned-off-by: Jorge Lucangeli Obes \u003cjorgelo@google.com\u003e\n","web_links":[{"name":"GitHub","tooltip":"Open in GitWeb","url":"https://github.com/LineageOS/android_kernel_samsung_apq8084/commit/77e37928a74086dddf83576a5cac93c49a6e0e60"}],"resolve_conflicts_web_links":[{"name":"GitHub","tooltip":"Open in 
GitWeb","url":"https://github.com/LineageOS/android_kernel_samsung_apq8084/commit/77e37928a74086dddf83576a5cac93c49a6e0e60"}]},"parents_data":[{"branch_name":"refs/heads/lineage-15.0","commit_id":"4125bec8f333d71708c14f51d90e17ab82b46caa","is_merged_in_target_branch":true,"change_id":"I8f24e1e9f87a6773bd84fb9f173a3725c376c692","change_number":192901,"patch_set_number":10,"change_status":"MERGED"}],"branch":"refs/heads/lineage-15.0"}},"requirements":[],"submit_records":[],"submit_requirements":[]}
