From b6b70c23c963831a202ac45b8ea9727293bbd8f3 Mon Sep 17 00:00:00 2001 From: Josh Gao Date: Thu, 4 Jun 2020 17:58:48 -0700 Subject: [PATCH] adbd: remove ifdefs guarding root/secure. The same adbd module prebuilt will get used for both user and userdebug builds in the post-APEX world, so we can't guard functionality with product variable ifdefs anymore. The code that was previously compiled out runs before we drop root, so the increased attack surface essentially consists of an attacker having control over system properties, and that likely implies that we're doomed already (either they have filesystem control, or they have code execution in init). Bug: http://b/158156979 Test: treehugger Change-Id: Ia70d3140189e5212beb813ff719355e30ca5fa04 (cherry picked from commit d076857c4f6c15a70f1186c4214592837f46c57d) --- adb/Android.bp | 11 ----------- adb/daemon/main.cpp | 31 +++++-------------------------- 2 files changed, 5 insertions(+), 37 deletions(-) diff --git a/adb/Android.bp b/adb/Android.bp index f8e5b38e3..cf419737b 100644 --- a/adb/Android.bp +++ b/adb/Android.bp @@ -25,7 +25,6 @@ cc_defaults { "-Wthread-safety", "-Wvla", "-DADB_HOST=1", // overridden by adbd_defaults - "-DALLOW_ADBD_ROOT=0", // overridden by adbd_defaults "-DANDROID_BASE_UNIQUE_FD_DISABLE_IMPLICIT_CONVERSION=1", ], cpp_std: "experimental", @@ -81,16 +80,6 @@ cc_defaults { defaults: ["adb_defaults"], cflags: ["-UADB_HOST", "-DADB_HOST=0"], - product_variables: { - debuggable: { - cflags: [ - "-UALLOW_ADBD_ROOT", - "-DALLOW_ADBD_ROOT=1", - "-DALLOW_ADBD_DISABLE_VERITY", - "-DALLOW_ADBD_NO_AUTH", - ], - }, - }, } cc_defaults { diff --git a/adb/daemon/main.cpp b/adb/daemon/main.cpp index 9e02e89ab..658e24456 100644 --- a/adb/daemon/main.cpp +++ b/adb/daemon/main.cpp @@ -62,23 +62,7 @@ #if defined(__ANDROID__) static const char* root_seclabel = nullptr; -static inline bool is_device_unlocked() { - return "orange" == android::base::GetProperty("ro.boot.verifiedbootstate", ""); -} - -static bool should_drop_capabilities_bounding_set() { - if (ALLOW_ADBD_ROOT || is_device_unlocked()) { - if (__android_log_is_debuggable()) { - return false; - } - } - return true; -} - static bool should_drop_privileges() { - // "adb root" not allowed, always drop privileges. - if (!ALLOW_ADBD_ROOT && !is_device_unlocked()) return true; - // The properties that affect `adb root` and `adb unroot` are ro.secure and // ro.debuggable. In this context the names don't make the expected behavior // particularly obvious. @@ -132,7 +116,7 @@ static void drop_privileges(int server_port) { // Don't listen on a port (default 5037) if running in secure mode. // Don't run as root if running in secure mode. if (should_drop_privileges()) { - const bool should_drop_caps = should_drop_capabilities_bounding_set(); + const bool should_drop_caps = !__android_log_is_debuggable(); if (should_drop_caps) { minijail_use_caps(jail.get(), CAP_TO_MASK(CAP_SETUID) | CAP_TO_MASK(CAP_SETGID)); @@ -224,15 +208,10 @@ int adbd_main(int server_port) { // descriptor will always be open. adbd_cloexec_auth_socket(); -#if defined(__ANDROID_RECOVERY__) - if (is_device_unlocked() || __android_log_is_debuggable()) { - auth_required = false; - } -#elif defined(ALLOW_ADBD_NO_AUTH) - // If ro.adb.secure is unset, default to no authentication required. - auth_required = android::base::GetBoolProperty("ro.adb.secure", false); -#elif defined(__ANDROID__) - if (is_device_unlocked()) { // allows no authentication when the device is unlocked. +#if defined(__ANDROID__) + // If we're on userdebug/eng or the device is unlocked, permit no-authentication. + bool device_unlocked = "orange" == android::base::GetProperty("ro.boot.verifiedbootstate", ""); + if (__android_log_is_debuggable() || device_unlocked) { auth_required = android::base::GetBoolProperty("ro.adb.secure", false); } #endif