Merge "init: Read previous state of securebits before modifying" am: c10e14110a Change-Id: I0a9b2dc97ebbc449288de2ce3e2745a1f60a4372

commit: acf7fa66f23e7f28a38c98b133b56803731fb195 [log] [tgz]
author: Luis Hector Chavez <lhchavez@google.com> Sat Jul 01 00:30:42 2017 +0000
committer: android-build-merger <android-build-merger@google.com> Sat Jul 01 00:30:42 2017 +0000
tree: 2ca06b05bdf05daffeec798de03178ef8ed7ac9b
parent: 7df84b694650c45bf04b8fba2519148fd968b1d5 [diff]
parent: 8b3ab5629f3497529a4b90b1722478e3ec7dfc5b [diff]
diff --git a/init/service.cpp b/init/service.cpp
index f9a452b..f2e5d22 100644
--- a/init/service.cpp
+++ b/init/service.cpp

@@ -235,8 +235,15 @@
 void Service::SetProcessAttributes() {
     // Keep capabilites on uid change.
     if (capabilities_.any() && uid_) {
-        if (prctl(PR_SET_SECUREBITS, SECBIT_KEEP_CAPS | SECBIT_KEEP_CAPS_LOCKED) != 0) {
-            PLOG(FATAL) << "prtcl(PR_SET_KEEPCAPS) failed for " << name_;
+        // If Android is running in a container, some securebits might already
+        // be locked, so don't change those.
+        int64_t securebits = prctl(PR_GET_SECUREBITS);
+        if (securebits == -1) {
+            PLOG(FATAL) << "prctl(PR_GET_SECUREBITS) failed for " << name_;
+        }
+        securebits |= SECBIT_KEEP_CAPS | SECBIT_KEEP_CAPS_LOCKED;
+        if (prctl(PR_SET_SECUREBITS, securebits) != 0) {
+            PLOG(FATAL) << "prctl(PR_SET_SECUREBITS) failed for " << name_;
         }
     }
commit	acf7fa66f23e7f28a38c98b133b56803731fb195	[log] [tgz]
author	Luis Hector Chavez <lhchavez@google.com>	Sat Jul 01 00:30:42 2017 +0000
committer	android-build-merger <android-build-merger@google.com>	Sat Jul 01 00:30:42 2017 +0000
tree	2ca06b05bdf05daffeec798de03178ef8ed7ac9b
parent	7df84b694650c45bf04b8fba2519148fd968b1d5 [diff]
parent	8b3ab5629f3497529a4b90b1722478e3ec7dfc5b [diff]