Avoid unnecessarily overriding capabilities

Previously all capabilities were overridden with 0xffffffffffffffff, which is not what normal processes have. This causes capng_change_id() in libcap fail for unknown reason. Align su process's caps with init to fix it. This fixes https://gitlab.com/kalilinux/nethunter/apps/kali-nethunter-app/-/issues/378.
tiann · Jan 25, 2025 · 9fc5a10 · 9fc5a10
1 parent b948976
commit 9fc5a10
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 6 deletions.
diff --git a/kernel/allowlist.c b/kernel/allowlist.c
@@ -66,8 +66,8 @@ static void init_default_profiles()
 	default_root_profile.gid = 0;
 	default_root_profile.groups_count = 1;
 	default_root_profile.groups[0] = 0;
-	memset(&default_root_profile.capabilities, 0xff,
-	       sizeof(default_root_profile.capabilities));
+	// Align with https://github.com/aosp-mirror/platform_system_core/blob/main/init/capabilities.cpp
+	default_root_profile.capabilities.effective = 0x000001ffffffffffULL;
 	default_root_profile.namespaces = 0;
 	strcpy(default_root_profile.selinux_domain, KSU_DEFAULT_SELINUX_DOMAIN);
 

diff --git a/kernel/core_hook.c b/kernel/core_hook.c
@@ -162,14 +162,10 @@ void escape_to_root(void)
 		profile->capabilities.effective | CAP_DAC_READ_SEARCH;
 	memcpy(&cred->cap_effective, &cap_for_ksud,
 	       sizeof(cred->cap_effective));
-	memcpy(&cred->cap_inheritable, &profile->capabilities.effective,
-	       sizeof(cred->cap_inheritable));
 	memcpy(&cred->cap_permitted, &profile->capabilities.effective,
 	       sizeof(cred->cap_permitted));
 	memcpy(&cred->cap_bset, &profile->capabilities.effective,
 	       sizeof(cred->cap_bset));
-	memcpy(&cred->cap_ambient, &profile->capabilities.effective,
-	       sizeof(cred->cap_ambient));
 
 	setup_groups(profile, cred);