Implementing Ambient Capabilities

Capabilities allow Linux processes to drop most root-like privileges, while retaining the subset of privileges that they require to perform their function. The original implementation of capabilities made it impossible for fork+exec'd processes to inherit capabilities unless the files being executed had file capabilities configured. File capabilities, in turn, present a security risk since any process executing a file with file capabilities will be able to gain those capabilities.

Ambient capabilities allow system services to configure their capabilities in their .rc files, bringing all of a service's configuration into a single file instead of splitting the capabilities configuration out into fs_config.c.
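As an added illustration (not Android or kernel code), a small C model of the execve() capability rules described in capabilities(7): it shows why a capability held only in a process's inheritable set is lost when a plain binary is exec'd, why an ambient bit survives that exec, and why a binary carrying file capabilities hands its bits to any caller. The CAP_NET_BIND_SERVICE number is the standard Linux capability value; the structs and scenarios are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical model of the Linux capability sets as 64-bit masks
 * (one bit per capability); constructed for illustration, not kernel code. */
typedef struct {
    uint64_t permitted, inheritable, effective, bounding, ambient;
} caps_t;

typedef struct {
    bool has_file_caps;              /* security.capability xattr present */
    bool setid;                      /* set-UID or set-GID binary */
    uint64_t permitted, inheritable; /* fP, fI from the xattr */
    bool effective;                  /* fE: a single bit in the xattr */
} file_caps_t;

#define CAP_BIT(c) (1ULL << (c))
#define CAP_NET_BIND_SERVICE 10      /* Linux capability number */

/* Emulates PR_CAP_AMBIENT_RAISE: a capability may enter the ambient set
 * only if it is already in both the permitted and inheritable sets.
 * Returns false (kernel: EPERM) and leaves the sets untouched otherwise. */
bool ambient_raise(caps_t *p, int cap) {
    uint64_t bit = CAP_BIT(cap);
    if ((p->permitted & bit) == 0 || (p->inheritable & bit) == 0)
        return false;
    p->ambient |= bit;
    return true;
}

/* Capability transformation at execve(), following capabilities(7).
 * A file that is set-UID/GID or carries file capabilities is "privileged":
 * the ambient set is cleared, so only the inheritable-AND-file-inheritable
 * path or the file's own permitted bits can grant capabilities. */
caps_t exec_transform(const caps_t *p, const file_caps_t *f) {
    caps_t n = *p;                   /* inheritable and bounding carry over */
    bool privileged = f->setid || f->has_file_caps;
    n.ambient   = privileged ? 0 : p->ambient;
    n.permitted = (p->inheritable & f->inheritable)
                | (f->permitted & p->bounding)
                | n.ambient;
    n.effective = f->effective ? n.permitted : n.ambient;
    return n;
}
```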

Reference implementation

The reference implementation is the Android common kernel: https://android.googlesource.com/kernel/common/

Required patches

Required patches have been backported to all the relevant Android common kernel branches.

The main ambient capabilities patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=58319057b7847667f0c9585b9de0e8932b0fdb08 has been backported in:

A small security fix https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b7f76ea2ef6739ee484a165ffbac98deb855d3d3 has been backported in:

A memory leak fix https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6d6f3328422a3bc56b0d8dd026a5de845d2abfa7, needed for kernels < 3.18, has been backported in:

Validation

Bionic's unit tests cover ambient capabilities. Beyond that, using the "capabilities" keyword in Android init for a service and then checking that the service receives the expected capabilities allows runtime testing of this feature.