ACPR/android_system_core
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

resolve merge conflicts of 743b0c5 to stage-aosp-master

Browse source 
am: 619875061d

Change-Id: Iafbb322783f81cf16468afafaf97be701aa6c9ef
This commit is contained in:
Elliott Hughes 2016-07-11 21:03:57 +00:00 committed by android-build-merger
commit a7cb85ce8e
5 changed files with 250 additions and 836 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
run-as/Android.mk
View file

@ -1,12 +1,8 @@
LOCAL_PATH:= $(call my-dir) LOCAL_PATH:= $(call my-dir)
include $(CLEAR_VARS) include $(CLEAR_VARS)
LOCAL_SRC_FILES := run-as.c package.c
LOCAL_SHARED_LIBRARIES := libselinux
LOCAL_MODULE := run-as
LOCAL_CFLAGS := -Werror LOCAL_CFLAGS := -Werror
LOCAL_MODULE := run-as
LOCAL_SHARED_LIBRARIES := libselinux libpackagelistparser
LOCAL_SRC_FILES := run-as.cpp
include $(BUILD_EXECUTABLE) include $(BUILD_EXECUTABLE)

560
run-as/package.c
View file

@ -1,560 +0,0 @@
/*
**
** Copyright 2010, The Android Open Source Project
**
** Licensed under the Apache License, Version 2.0 (the "License");
** you may not use this file except in compliance with the License.
** You may obtain a copy of the License at
**
** http://www.apache.org/licenses/LICENSE-2.0
**
** Unless required by applicable law or agreed to in writing, software
** distributed under the License is distributed on an "AS IS" BASIS,
** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
** See the License for the specific language governing permissions and
** limitations under the License.
*/
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>
#include <private/android_filesystem_config.h>
#include "package.h"
/*
* WARNING WARNING WARNING WARNING
*
* The following code runs as root on production devices, before
* the run-as command has dropped the uid/gid. Hence be very
* conservative and keep in mind the following:
*
* - Performance does not matter here, clarity and safety of the code
* does however. Documentation is a must.
*
* - Avoid calling C library functions with complex implementations
* like malloc() and printf(). You want to depend on simple system
* calls instead, which behaviour is not going to be altered in
* unpredictible ways by environment variables or system properties.
*
* - Do not trust user input and/or the filesystem whenever possible.
*
*/
/* The file containing the list of installed packages on the system */
#define PACKAGES_LIST_FILE "/data/system/packages.list"
/* Copy 'srclen' string bytes from 'src' into buffer 'dst' of size 'dstlen'
* This function always zero-terminate the destination buffer unless
* 'dstlen' is 0, even in case of overflow.
* Returns a pointer into the src string, leaving off where the copy
* has stopped. The copy will stop when dstlen, srclen or a null
* character on src has been reached.
*/
static const char*
string_copy(char* dst, size_t dstlen, const char* src, size_t srclen)
{
const char* srcend = src + srclen;
const char* dstend = dst + dstlen;
if (dstlen == 0)
return src;
dstend--; /* make room for terminating zero */
while (dst < dstend && src < srcend && *src != '\0')
*dst++ = *src++;
*dst = '\0'; /* zero-terminate result */
return src;
}
/* Open 'filename' and map it into our address-space.
* Returns buffer address, or NULL on error
* On exit, *filesize will be set to the file's size, or 0 on error
*/
static void*
map_file(const char* filename, size_t* filesize)
{
int fd, ret, old_errno;
struct stat st;
size_t length = 0;
void* address = NULL;
gid_t oldegid;
*filesize = 0;
/*
* Temporarily switch effective GID to allow us to read
* the packages file
*/
oldegid = getegid();
if (setegid(AID_PACKAGE_INFO) < 0) {
return NULL;
}
/* open the file for reading */
fd = TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
if (fd < 0) {
return NULL;
}
/* restore back to our old egid */
if (setegid(oldegid) < 0) {
goto EXIT;
}
/* get its size */
ret = TEMP_FAILURE_RETRY(fstat(fd, &st));
if (ret < 0)
goto EXIT;
/* Ensure that the file is owned by the system user */
if ((st.st_uid != AID_SYSTEM) || (st.st_gid != AID_PACKAGE_INFO)) {
goto EXIT;
}
/* Ensure that the file has sane permissions */
if ((st.st_mode & S_IWOTH) != 0) {
goto EXIT;
}
/* Ensure that the size is not ridiculously large */
length = (size_t)st.st_size;
if ((off_t)length != st.st_size) {
errno = ENOMEM;
goto EXIT;
}
/* Memory-map the file now */
do {
address = mmap(NULL, length, PROT_READ, MAP_PRIVATE, fd, 0);
} while (address == MAP_FAILED && errno == EINTR);
if (address == MAP_FAILED) {
address = NULL;
goto EXIT;
}
/* We're good, return size */
*filesize = length;
EXIT:
/* close the file, preserve old errno for better diagnostics */
old_errno = errno;
close(fd);
errno = old_errno;
return address;
}
/* unmap the file, but preserve errno */
static void
unmap_file(void* address, size_t size)
{
int old_errno = errno;
TEMP_FAILURE_RETRY(munmap(address, size));
errno = old_errno;
}
/* Check that a given directory:
* - exists
* - is owned by a given uid/gid
* - is a real directory, not a symlink
* - isn't readable or writable by others
*
* Return 0 on success, or -1 on error.
* errno is set to EINVAL in case of failed check.
*/
static int
check_directory_ownership(const char* path, uid_t uid)
{
int ret;
struct stat st;
do {
ret = lstat(path, &st);
} while (ret < 0 && errno == EINTR);
if (ret < 0)
return -1;
/* /data/user/0 is a known safe symlink */
if (strcmp("/data/user/0", path) == 0)
return 0;
/* must be a real directory, not a symlink */
if (!S_ISDIR(st.st_mode))
goto BAD;
/* must be owned by specific uid/gid */
if (st.st_uid != uid || st.st_gid != uid)
goto BAD;
/* must not be readable or writable by others */
if ((st.st_mode & (S_IROTH|S_IWOTH)) != 0)
goto BAD;
/* everything ok */
return 0;
BAD:
errno = EINVAL;
return -1;
}
/* This function is used to check the data directory path for safety.
* We check that every sub-directory is owned by the 'system' user
* and exists and is not a symlink. We also check that the full directory
* path is properly owned by the user ID.
*
* Return 0 on success, -1 on error.
*/
int
check_data_path(const char* dataPath, uid_t uid)
{
int nn;
/* the path should be absolute */
if (dataPath[0] != '/') {
errno = EINVAL;
return -1;
}
/* look for all sub-paths, we do that by finding
* directory separators in the input path and
* checking each sub-path independently
*/
for (nn = 1; dataPath[nn] != '\0'; nn++)
{
char subpath[PATH_MAX];
/* skip non-separator characters */
if (dataPath[nn] != '/')
continue;
/* handle trailing separator case */
if (dataPath[nn+1] == '\0') {
break;
}
/* found a separator, check that dataPath is not too long. */
if (nn >= (int)(sizeof subpath)) {
errno = EINVAL;
return -1;
}
/* reject any '..' subpath */
if (nn >= 3 &&
dataPath[nn-3] == '/' &&
dataPath[nn-2] == '.' &&
dataPath[nn-1] == '.') {
errno = EINVAL;
return -1;
}
/* copy to 'subpath', then check ownership */
memcpy(subpath, dataPath, nn);
subpath[nn] = '\0';
if (check_directory_ownership(subpath, AID_SYSTEM) < 0)
return -1;
}
/* All sub-paths were checked, now verify that the full data
* directory is owned by the application uid
*/
if (check_directory_ownership(dataPath, uid) < 0)
return -1;
/* all clear */
return 0;
}
/* Return TRUE iff a character is a space or tab */
static inline int
is_space(char c)
{
return (c == ' ' || c == '\t');
}
/* Skip any space or tab character from 'p' until 'end' is reached.
* Return new position.
*/
static const char*
skip_spaces(const char* p, const char* end)
{
while (p < end && is_space(*p))
p++;
return p;
}
/* Skip any non-space and non-tab character from 'p' until 'end'.
* Return new position.
*/
static const char*
skip_non_spaces(const char* p, const char* end)
{
while (p < end && !is_space(*p))
p++;
return p;
}
/* Find the first occurence of 'ch' between 'p' and 'end'
* Return its position, or 'end' if none is found.
*/
static const char*
find_first(const char* p, const char* end, char ch)
{
while (p < end && *p != ch)
p++;
return p;
}
/* Check that the non-space string starting at 'p' and eventually
* ending at 'end' equals 'name'. Return new position (after name)
* on success, or NULL on failure.
*
* This function fails is 'name' is NULL, empty or contains any space.
*/
static const char*
compare_name(const char* p, const char* end, const char* name)
{
/* 'name' must not be NULL or empty */
if (name == NULL || name[0] == '\0' || p == end)
return NULL;
/* compare characters to those in 'name', excluding spaces */
while (*name) {
/* note, we don't check for *p == '\0' since
* it will be caught in the next conditional.
*/
if (p >= end || is_space(*p))
goto BAD;
if (*p != *name)
goto BAD;
p++;
name++;
}
/* must be followed by end of line or space */
if (p < end && !is_space(*p))
goto BAD;
return p;
BAD:
return NULL;
}
/* Parse one or more whitespace characters starting from '*pp'
* until 'end' is reached. Updates '*pp' on exit.
*
* Return 0 on success, -1 on failure.
*/
static int
parse_spaces(const char** pp, const char* end)
{
const char* p = *pp;
if (p >= end || !is_space(*p)) {
errno = EINVAL;
return -1;
}
p = skip_spaces(p, end);
*pp = p;
return 0;
}
/* Parse a positive decimal number starting from '*pp' until 'end'
* is reached. Adjust '*pp' on exit. Return decimal value or -1
* in case of error.
*
* If the value is larger than INT_MAX, -1 will be returned,
* and errno set to EOVERFLOW.
*
* If '*pp' does not start with a decimal digit, -1 is returned
* and errno set to EINVAL.
*/
static int
parse_positive_decimal(const char** pp, const char* end)
{
const char* p = *pp;
int value = 0;
int overflow = 0;
if (p >= end || *p < '0' || *p > '9') {
errno = EINVAL;
return -1;
}
while (p < end) {
int ch = *p;
unsigned d = (unsigned)(ch - '0');
int val2;
if (d >= 10U) /* d is unsigned, no lower bound check */
break;
val2 = value*10 + (int)d;
if (val2 < value)
overflow = 1;
value = val2;
p++;
}
*pp = p;
if (overflow) {
errno = EOVERFLOW;
value = -1;
}
return value;
}
/* Read the system's package database and extract information about
* 'pkgname'. Return 0 in case of success, or -1 in case of error.
*
* If the package is unknown, return -1 and set errno to ENOENT
* If the package database is corrupted, return -1 and set errno to EINVAL
*/
int
get_package_info(const char* pkgName, uid_t userId, PackageInfo *info)
{
char* buffer;
size_t buffer_len;
const char* p;
const char* buffer_end;
int result = -1;
info->uid = 0;
info->isDebuggable = 0;
info->dataDir[0] = '\0';
info->seinfo[0] = '\0';
buffer = map_file(PACKAGES_LIST_FILE, &buffer_len);
if (buffer == NULL)
return -1;
p = buffer;
buffer_end = buffer + buffer_len;
/* expect the following format on each line of the control file:
*
* <pkgName> <uid> <debugFlag> <dataDir> <seinfo>
*
* where:
* <pkgName> is the package's name
* <uid> is the application-specific user Id (decimal)
* <debugFlag> is 1 if the package is debuggable, or 0 otherwise
* <dataDir> is the path to the package's data directory (e.g. /data/data/com.example.foo)
* <seinfo> is the seinfo label associated with the package
*
* The file is generated in com.android.server.PackageManagerService.Settings.writeLP()
*/
while (p < buffer_end) {
/* find end of current line and start of next one */
const char* end = find_first(p, buffer_end, '\n');
const char* next = (end < buffer_end) ? end + 1 : buffer_end;
const char* q;
int uid, debugFlag;
/* first field is the package name */
p = compare_name(p, end, pkgName);
if (p == NULL)
goto NEXT_LINE;
/* skip spaces */
if (parse_spaces(&p, end) < 0)
goto BAD_FORMAT;
/* second field is the pid */
uid = parse_positive_decimal(&p, end);
if (uid < 0)
return -1;
info->uid = (uid_t) uid;
/* skip spaces */
if (parse_spaces(&p, end) < 0)
goto BAD_FORMAT;
/* third field is debug flag (0 or 1) */
debugFlag = parse_positive_decimal(&p, end);
switch (debugFlag) {
case 0:
info->isDebuggable = 0;
break;
case 1:
info->isDebuggable = 1;
break;
default:
goto BAD_FORMAT;
}
/* skip spaces */
if (parse_spaces(&p, end) < 0)
goto BAD_FORMAT;
/* fourth field is data directory path and must not contain
* spaces.
*/
q = skip_non_spaces(p, end);
if (q == p)
goto BAD_FORMAT;
/* If userId == 0 (i.e. user is device owner) we can use dataDir value
* from packages.list, otherwise compose data directory as
* /data/user/$uid/$packageId
*/
if (userId == 0) {
p = string_copy(info->dataDir, sizeof info->dataDir, p, q - p);
} else {
snprintf(info->dataDir,
sizeof info->dataDir,
"/data/user/%d/%s",
userId,
pkgName);
p = q;
}
/* skip spaces */
if (parse_spaces(&p, end) < 0)
goto BAD_FORMAT;
/* fifth field is the seinfo string */
q = skip_non_spaces(p, end);
if (q == p)
goto BAD_FORMAT;
string_copy(info->seinfo, sizeof info->seinfo, p, q - p);
/* Ignore the rest */
result = 0;
goto EXIT;
NEXT_LINE:
p = next;
}
/* the package is unknown */
errno = ENOENT;
result = -1;
goto EXIT;
BAD_FORMAT:
errno = EINVAL;
result = -1;
EXIT:
unmap_file(buffer, buffer_len);
return result;
}

44
run-as/package.h
View file

@ -1,44 +0,0 @@
/*
**
** Copyright 2010, The Android Open Source Project
**
** Licensed under the Apache License, Version 2.0 (the "License");
** you may not use this file except in compliance with the License.
** You may obtain a copy of the License at
**
** http://www.apache.org/licenses/LICENSE-2.0
**
** Unless required by applicable law or agreed to in writing, software
** distributed under the License is distributed on an "AS IS" BASIS,
** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
** See the License for the specific language governing permissions and
** limitations under the License.
*/
#ifndef RUN_AS_PACKAGE_H
#define RUN_AS_PACKAGE_H
#include <limits.h>
#include <sys/types.h>
typedef enum {
PACKAGE_IS_DEBUGGABLE = 0,
PACKAGE_IS_NOT_DEBUGGABLE,
PACKAGE_IS_UNKNOWN,
} PackageStatus;
typedef struct {
uid_t uid;
char isDebuggable;
char dataDir[PATH_MAX];
char seinfo[PATH_MAX];
} PackageInfo;
/* see documentation in package.c for these functions */
extern int get_package_info(const char* packageName,
uid_t userId,
PackageInfo* info);
extern int check_data_path(const char* dataDir, uid_t uid);
#endif /* RUN_AS_PACKAGE_H */

224
run-as/run-as.c
View file

@ -1,224 +0,0 @@
/*
**
** Copyright 2010, The Android Open Source Project
**
** Licensed under the Apache License, Version 2.0 (the "License");
** you may not use this file except in compliance with the License.
** You may obtain a copy of the License at
**
** http://www.apache.org/licenses/LICENSE-2.0
**
** Unless required by applicable law or agreed to in writing, software
** distributed under the License is distributed on an "AS IS" BASIS,
** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
** See the License for the specific language governing permissions and
** limitations under the License.
*/
#define PROGNAME "run-as"
#define LOG_TAG PROGNAME
#include <dirent.h>
#include <errno.h>
#include <paths.h>
#include <pwd.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/capability.h>
#include <sys/cdefs.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <time.h>
#include <unistd.h>
#include <private/android_filesystem_config.h>
#include <selinux/android.h>
#include "package.h"
/*
* WARNING WARNING WARNING WARNING
*
* This program runs with CAP_SETUID and CAP_SETGID capabilities on Android
* production devices. Be very conservative when modifying it to avoid any
* serious security issue. Keep in mind the following:
*
* - This program should only run for the 'root' or 'shell' users
*
* - Avoid anything that is more complex than simple system calls
* until the uid/gid has been dropped to that of a normal user
* or you are sure to exit.
*
* This avoids depending on environment variables, system properties
* and other external factors that may affect the C library in
* unpredictable ways.
*
* - Do not trust user input and/or the filesystem whenever possible.
*
* Read README.TXT for more details.
*
*
*
* The purpose of this program is to run a command as a specific
* application user-id. Typical usage is:
*
* run-as <package-name> <command> <args>
*
* The 'run-as' binary is installed with CAP_SETUID and CAP_SETGID file
* capabilities, but will check the following:
*
* - that it is invoked from the 'shell' or 'root' user (abort otherwise)
* - that '<package-name>' is the name of an installed and debuggable package
* - that the package's data directory is well-formed (see package.c)
*
* If so, it will drop to the application's user id / group id, cd to the
* package's data directory, then run the command there.
*
* NOTE: In the future it might not be possible to cd to the package's data
* directory under that package's user id / group id, in which case this
* utility will need to be changed accordingly.
*
* This can be useful for a number of different things on production devices:
*
* - Allow application developers to look at their own applicative data
* during development.
*
* - Run the 'gdbserver' binary executable to allow native debugging
*/
__noreturn static void
panic(const char* format, ...)
{
va_list args;
int e = errno;
fprintf(stderr, "%s: ", PROGNAME);
va_start(args, format);
vfprintf(stderr, format, args);
va_end(args);
exit(e ? -e : 1);
}
static void
usage(void)
{
panic("Usage:\n " PROGNAME " <package-name> [--user <uid>] <command> [<args>]\n");
}
int main(int argc, char **argv)
{
const char* pkgname;
uid_t myuid, uid, gid, userAppId = 0;
int commandArgvOfs = 2, userId = 0;
PackageInfo info;
struct __user_cap_header_struct capheader;
struct __user_cap_data_struct capdata[2];
/* check arguments */
if (argc < 2) {
usage();
}
/* check userid of caller - must be 'shell' or 'root' */
myuid = getuid();
if (myuid != AID_SHELL && myuid != AID_ROOT) {
panic("only 'shell' or 'root' users can run this program\n");
}
memset(&capheader, 0, sizeof(capheader));
memset(&capdata, 0, sizeof(capdata));
capheader.version = _LINUX_CAPABILITY_VERSION_3;
capdata[CAP_TO_INDEX(CAP_SETUID)].effective |= CAP_TO_MASK(CAP_SETUID);
capdata[CAP_TO_INDEX(CAP_SETGID)].effective |= CAP_TO_MASK(CAP_SETGID);
capdata[CAP_TO_INDEX(CAP_SETUID)].permitted |= CAP_TO_MASK(CAP_SETUID);
capdata[CAP_TO_INDEX(CAP_SETGID)].permitted |= CAP_TO_MASK(CAP_SETGID);
if (capset(&capheader, &capdata[0]) < 0) {
panic("Could not set capabilities: %s\n", strerror(errno));
}
pkgname = argv[1];
/* get user_id from command line if provided */
if ((argc >= 4) && !strcmp(argv[2], "--user")) {
userId = atoi(argv[3]);
if (userId < 0)
panic("Negative user id %d is provided\n", userId);
commandArgvOfs += 2;
}
/* retrieve package information from system (does setegid) */
if (get_package_info(pkgname, userId, &info) < 0) {
panic("Package '%s' is unknown\n", pkgname);
}
/* verify that user id is not too big. */
if ((UID_MAX - info.uid) / AID_USER < (uid_t)userId) {
panic("User id %d is too big\n", userId);
}
/* calculate user app ID. */
userAppId = (AID_USER * userId) + info.uid;
/* reject system packages */
if (userAppId < AID_APP) {
panic("Package '%s' is not an application\n", pkgname);
}
/* reject any non-debuggable package */
if (!info.isDebuggable) {
panic("Package '%s' is not debuggable\n", pkgname);
}
/* check that the data directory path is valid */
if (check_data_path(info.dataDir, userAppId) < 0) {
panic("Package '%s' has corrupt installation\n", pkgname);
}
/* Ensure that we change all real/effective/saved IDs at the
* same time to avoid nasty surprises.
*/
uid = gid = userAppId;
if(setresgid(gid,gid,gid) || setresuid(uid,uid,uid)) {
panic("Permission denied\n");
}
/* Required if caller has uid and gid all non-zero */
memset(&capdata, 0, sizeof(capdata));
if (capset(&capheader, &capdata[0]) < 0) {
panic("Could not clear all capabilities: %s\n", strerror(errno));
}
if (selinux_android_setcontext(uid, 0, info.seinfo, pkgname) < 0) {
panic("Could not set SELinux security context: %s\n", strerror(errno));
}
// cd into the data directory, and set $HOME correspondingly.
if (TEMP_FAILURE_RETRY(chdir(info.dataDir)) < 0) {
panic("Could not cd to package's data directory: %s\n", strerror(errno));
}
setenv("HOME", info.dataDir, 1);
// Reset parts of the environment, like su would.
setenv("PATH", _PATH_DEFPATH, 1);
unsetenv("IFS");
// Set the user-specific parts for this user.
struct passwd* pw = getpwuid(uid);
setenv("LOGNAME", pw->pw_name, 1);
setenv("SHELL", pw->pw_shell, 1);
setenv("USER", pw->pw_name, 1);
/* User specified command for exec. */
if ((argc >= commandArgvOfs + 1) &&
(execvp(argv[commandArgvOfs], argv+commandArgvOfs) < 0)) {
panic("exec failed for %s: %s\n", argv[commandArgvOfs], strerror(errno));
}
/* Default exec shell. */
execlp("/system/bin/sh", "sh", NULL);
panic("exec failed: %s\n", strerror(errno));
}

246
run-as/run-as.cpp Normal file
View file

@ -0,0 +1,246 @@
/*
* Copyright (C) 2010 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <errno.h>
#include <error.h>
#include <paths.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/capability.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include <packagelistparser/packagelistparser.h>
#include <private/android_filesystem_config.h>
#include <selinux/android.h>
// The purpose of this program is to run a command as a specific
// application user-id. Typical usage is:
//
// run-as <package-name> <command> <args>
//
// The 'run-as' binary is installed with CAP_SETUID and CAP_SETGID file
// capabilities, but will check the following:
//
// - that it is invoked from the 'shell' or 'root' user (abort otherwise)
// - that '<package-name>' is the name of an installed and debuggable package
// - that the package's data directory is well-formed
//
// If so, it will drop to the application's user id / group id, cd to the
// package's data directory, then run the command there.
//
// This can be useful for a number of different things on production devices:
//
// - Allow application developers to look at their own application data
// during development.
//
// - Run the 'gdbserver' binary executable to allow native debugging
//
static bool packagelist_parse_callback(pkg_info* this_package, void* userdata) {
pkg_info* p = reinterpret_cast<pkg_info*>(userdata);
if (strcmp(p->name, this_package->name) == 0) {
*p = *this_package;
return false; // Stop searching.
}
packagelist_free(this_package);
return true; // Keep searching.
}
static bool check_directory(const char* path, uid_t uid) {
struct stat st;
if (TEMP_FAILURE_RETRY(lstat(path, &st)) == -1) return false;
// /data/user/0 is a known safe symlink.
if (strcmp("/data/user/0", path) == 0) return true;
// Must be a real directory, not a symlink.
if (!S_ISDIR(st.st_mode)) return false;
// Must be owned by specific uid/gid.
if (st.st_uid != uid || st.st_gid != uid) return false;
// Must not be readable or writable by others.
if ((st.st_mode & (S_IROTH|S_IWOTH)) != 0) return false;
return true;
}
// This function is used to check the data directory path for safety.
// We check that every sub-directory is owned by the 'system' user
// and exists and is not a symlink. We also check that the full directory
// path is properly owned by the user ID.
static bool check_data_path(const char* data_path, uid_t uid) {
// The path should be absolute.
if (data_path[0] != '/') return false;
// Look for all sub-paths, we do that by finding
// directory separators in the input path and
// checking each sub-path independently.
for (int nn = 1; data_path[nn] != '\0'; nn++) {
char subpath[PATH_MAX];
/* skip non-separator characters */
if (data_path[nn] != '/') continue;
/* handle trailing separator case */
if (data_path[nn+1] == '\0') break;
/* found a separator, check that data_path is not too long. */
if (nn >= (int)(sizeof subpath)) return false;
/* reject any '..' subpath */
if (nn >= 3 &&
data_path[nn-3] == '/' &&
data_path[nn-2] == '.' &&
data_path[nn-1] == '.') {
return false;
}
/* copy to 'subpath', then check ownership */
memcpy(subpath, data_path, nn);
subpath[nn] = '\0';
if (!check_directory(subpath, AID_SYSTEM)) return false;
}
// All sub-paths were checked, now verify that the full data
// directory is owned by the application uid.
return check_directory(data_path, uid);
}
int main(int argc, char* argv[]) {
// Check arguments.
if (argc < 2) {
error(1, 0, "usage: run-as <package-name> [--user <uid>] <command> [<args>]\n");
}
// This program runs with CAP_SETUID and CAP_SETGID capabilities on Android
// production devices. Check user id of caller --- must be 'shell' or 'root'.
if (getuid() != AID_SHELL && getuid() != AID_ROOT) {
error(1, 0, "only 'shell' or 'root' users can run this program");
}
__user_cap_header_struct capheader;
__user_cap_data_struct capdata[2];
memset(&capheader, 0, sizeof(capheader));
memset(&capdata, 0, sizeof(capdata));
capheader.version = _LINUX_CAPABILITY_VERSION_3;
capdata[CAP_TO_INDEX(CAP_SETUID)].effective |= CAP_TO_MASK(CAP_SETUID);
capdata[CAP_TO_INDEX(CAP_SETGID)].effective |= CAP_TO_MASK(CAP_SETGID);
capdata[CAP_TO_INDEX(CAP_SETUID)].permitted |= CAP_TO_MASK(CAP_SETUID);
capdata[CAP_TO_INDEX(CAP_SETGID)].permitted |= CAP_TO_MASK(CAP_SETGID);
if (capset(&capheader, &capdata[0]) == -1) {
error(1, errno, "couldn't set capabilities");
}
char* pkgname = argv[1];
int cmd_argv_offset = 2;
// Get user_id from command line if provided.
int userId = 0;
if ((argc >= 4) && !strcmp(argv[2], "--user")) {
userId = atoi(argv[3]);
if (userId < 0) error(1, 0, "negative user id: %d", userId);
cmd_argv_offset += 2;
}
// Retrieve package information from system, switching egid so we can read the file.
gid_t old_egid = getegid();
if (setegid(AID_PACKAGE_INFO) == -1) error(1, errno, "setegid(AID_PACKAGE_INFO) failed");
pkg_info info;
memset(&info, 0, sizeof(info));
info.name = pkgname;
if (!packagelist_parse(packagelist_parse_callback, &info)) {
error(1, errno, "packagelist_parse failed");
}
if (info.uid == 0) {
error(1, 0, "unknown package: %s", pkgname);
}
if (setegid(old_egid) == -1) error(1, errno, "couldn't restore egid");
// Verify that user id is not too big.
if ((UID_MAX - info.uid) / AID_USER < (uid_t)userId) {
error(1, 0, "user id too big: %d", userId);
}
// Calculate user app ID.
uid_t userAppId = (AID_USER * userId) + info.uid;
// Reject system packages.
if (userAppId < AID_APP) {
error(1, 0, "package not an application: %s", pkgname);
}
// Reject any non-debuggable package.
if (!info.debuggable) {
error(1, 0, "package not debuggable: %s", pkgname);
}
// Check that the data directory path is valid.
if (!check_data_path(info.data_dir, userAppId)) {
error(1, 0, "package has corrupt installation: %s", pkgname);
}
// Ensure that we change all real/effective/saved IDs at the
// same time to avoid nasty surprises.
uid_t uid = userAppId;
uid_t gid = userAppId;
if (setresgid(gid, gid, gid) == -1) {
error(1, errno, "setresgid failed");
}
if (setresuid(uid, uid, uid) == -1) {
error(1, errno, "setresuid failed");
}
// Required if caller has uid and gid all non-zero.
memset(&capdata, 0, sizeof(capdata));
if (capset(&capheader, &capdata[0]) == -1) {
error(1, errno, "couldn't clear all capabilities");
}
if (selinux_android_setcontext(uid, 0, info.seinfo, pkgname) < 0) {
error(1, errno, "couldn't set SELinux security context");
}
// cd into the data directory, and set $HOME correspondingly.
if (TEMP_FAILURE_RETRY(chdir(info.data_dir)) == -1) {
error(1, errno, "couldn't chdir to package's data directory");
}
setenv("HOME", info.data_dir, 1);
// Reset parts of the environment, like su would.
setenv("PATH", _PATH_DEFPATH, 1);
unsetenv("IFS");
// Set the user-specific parts for this user.
passwd* pw = getpwuid(uid);
setenv("LOGNAME", pw->pw_name, 1);
setenv("SHELL", pw->pw_shell, 1);
setenv("USER", pw->pw_name, 1);
// User specified command for exec.
if ((argc >= cmd_argv_offset + 1) &&
(execvp(argv[cmd_argv_offset], argv+cmd_argv_offset) == -1)) {
error(1, errno, "exec failed for %s", argv[cmd_argv_offset]);
}
// Default exec shell.
execlp(_PATH_BSHELL, "sh", NULL);
error(1, errno, "exec failed");
}