Set NO_NEW_PRIVS on zygote init

When app_process/zygote starts, make sure PR_SET_NO_NEW_PRIVS is set.
This prevents zygote spawned apps from acquiring new privileges
on exec.

In particular, this allows the CTS test
android.os.cts.SecurityFeaturesTest#testNoNewPrivs() to pass if ART is set
as the default runtime.

Change-Id: I81139cda999c7b1430242561aad28f566e9b6da0

1 files changed, 10 insertions, 0 deletions

diff --git a/cmds/app_process/app_main.cpp b/cmds/app_process/app_main.cpp
index 3481437..82d13a6 100644
--- a/cmds/app_process/app_main.cpp
+++ b/cmds/app_process/app_main.cpp
@@ -19,6 +19,7 @@
 #include <stdlib.h>
 #include <stdio.h>
 #include <unistd.h>
+#include <sys/prctl.h>
 
 namespace android {
 
@@ -146,6 +147,15 @@ static const char ZYGOTE_NICE_NAME[] = "zygote";
 
 int main(int argc, char* const argv[])
 {
+    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
+        // Older kernels don't understand PR_SET_NO_NEW_PRIVS and return
+        // EINVAL. Don't die on such kernels.
+        if (errno != EINVAL) {
+            LOG_ALWAYS_FATAL("PR_SET_NO_NEW_PRIVS failed: %s", strerror(errno));
+            return 12;
+        }
+    }
+
     AppRuntime runtime(argv[0], computeArgBlockSize(argc, argv));
     // Process command line arguments
     // ignore argv[0]