Capabilities allow Linux processes to drop most root-like privileges while retaining the subset of privileges that they require to perform their function. The original implementation of capabilities made it impossible for fork+exec'd processes to inherit capabilities unless the files being executed had file capabilities configured. File capabilities, in turn, present a security risk since any process executing a file with file capabilities will be able to gain those capabilities.
Ambient capabilities allow system services launched by init to configure
capabilities in their
.rc files, bringing configuration into
a single file instead of splitting configuration in the
fs_config.c file. This means that for any service launched by
init, you can use the
.rc file associated with the service to
configure capabilities for that service.
Ambient capabilities are the preferred mechanism for setting capabilities
for services launched by init (this method keeps all aspects for the service
configuration in a single
.rc file). We recommend using ambient
capabilities instead of
configuring file system capabilities using the caps
When setting capabilities for services not launched by init,
continue to configure file system capabilities using
Enabling ambient capabilities
To enable ambient capabilities for a given service, use the
capabilities keyword in init. For current init language
details, refer to the
For example, to enable ambient capabilities for the AOSP service
.rc file for the
wificond service sets up the appropriate
user and groups and gives the service the specified capabilities using the
service wificond /system/bin/wificond class main user wifi group wifi net_raw net_admin capabilities NET_RAW NET_ADMIN
The reference implementation is the Android common kernel https://android.googlesource.com/kernel/common/
Required patches have been backported to all the relevant Android common kernel branches.
The main ambient capabilities patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=58319057b7847667f0c9585b9de0e8932b0fdb08 has been backported in:
A small security fix https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b7f76ea2ef6739ee484a165ffbac98deb855d3d3 has been backported in:
Bionic unit tests include unit tests for ambient capabilities. Beyond that, using the "capabilities" keyword in Android init for a service, and then checking that the service gets the expected capabilities would allow for runtime testing of this feature.