Linux capability tests

brief intro

man:

man capabilities

Useful package:

libcap
libcap-ng

Tools:

getcap/setcap
filecap/pscap

capabilities in Android:

• Android O and before: Use both file cap and process cap
  example:
  05-16 09:01:48.161 2824 2824 I XX : get file cap: [vendor/bin/ampservice]
  05-16 09:01:48.162 2824 2824 I XX : vendor/bin/some_service: cap_to_text(): [= cap_sys_nice+ep]

• Android P and after: mainly use process cap in service init config

  service mtpd /system/bin/mtpd
      class main
      socket mtpd stream 600 system system
      user vpn
      group vpn inet
      capabilities NET_ADMIN NET_RAW
      disabled
      oneshot

Please note that Android external/libcap: it’s obsolete, missing ‘cap_audit_read’ in libcap/cap_names.h

cap_t to/from cap_text

cap_from_text(): cap_text

(a). 权限操作符有三种= + -

操作符前面为capability list,如果为空，默认是all
下面两中写法等价
all=p
=p

(b). 操作符后为flags

all=pie
=表示所有cap都没有flags, 即空

举例
“all=pie cap_chown-i cap_kill-pie”
“=pe cap_chown+eip cap_wake_alarm-pie” 等价于 “=ep cap_chown+i cap_wake_alarm-ep”

(c) 合法cap_text限制约束(linux only)：

assertEquals(per_state | inh_state, eff_state)

测试程序

https://github.com/cfig/linux_tools/tree/master/capability_test
可以在linux/Android环境下编译

more reading …

https://training.play-with-docker.com/security-capabilities/