Avoid unnecessarily overriding capabilities

Previously all capabilities were overridden with 0xffffffffffffffff, which is not what normal processes have. This causes capng_change_id() in libcap fail for unknown reason. Align su process's caps with init to fix it.
tiann · Jan 25, 2025 · b1a4a8d · b1a4a8d
1 parent b948976
commit b1a4a8d
Show file tree

Hide file tree

Showing 2 changed files with 1 addition and 6 deletions.
diff --git a/kernel/allowlist.c b/kernel/allowlist.c
@@ -66,8 +66,7 @@ static void init_default_profiles()
 	default_root_profile.gid = 0;
 	default_root_profile.groups_count = 1;
 	default_root_profile.groups[0] = 0;
-	memset(&default_root_profile.capabilities, 0xff,
-	       sizeof(default_root_profile.capabilities));
+	default_root_profile.capabilities.effective = 0x000001ffffffffffULL;
 	default_root_profile.namespaces = 0;
 	strcpy(default_root_profile.selinux_domain, KSU_DEFAULT_SELINUX_DOMAIN);
 

diff --git a/kernel/core_hook.c b/kernel/core_hook.c
@@ -162,14 +162,10 @@ void escape_to_root(void)
 		profile->capabilities.effective | CAP_DAC_READ_SEARCH;
 	memcpy(&cred->cap_effective, &cap_for_ksud,
 	       sizeof(cred->cap_effective));
-	memcpy(&cred->cap_inheritable, &profile->capabilities.effective,
-	       sizeof(cred->cap_inheritable));
 	memcpy(&cred->cap_permitted, &profile->capabilities.effective,
 	       sizeof(cred->cap_permitted));
 	memcpy(&cred->cap_bset, &profile->capabilities.effective,
 	       sizeof(cred->cap_bset));
-	memcpy(&cred->cap_ambient, &profile->capabilities.effective,
-	       sizeof(cred->cap_ambient));
 
 	setup_groups(profile, cred);