• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (C) 2010 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *     http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <errno.h>
18 #include <error.h>
19 #include <paths.h>
20 #include <pwd.h>
21 #include <stdlib.h>
22 #include <string.h>
23 #include <sys/capability.h>
24 #include <sys/stat.h>
25 #include <sys/types.h>
26 #include <unistd.h>
27 
28 #include <string>
29 #include <vector>
30 
31 #include <libminijail.h>
32 #include <scoped_minijail.h>
33 
34 #include <android-base/properties.h>
35 #include <packagelistparser/packagelistparser.h>
36 #include <private/android_filesystem_config.h>
37 #include <selinux/android.h>
38 
39 // The purpose of this program is to run a command as a specific
40 // application user-id. Typical usage is:
41 //
42 //   run-as <package-name> <command> <args>
43 //
44 //  The 'run-as' binary is installed with CAP_SETUID and CAP_SETGID file
45 //  capabilities, but will check the following:
46 //
47 //  - that the ro.boot.disable_runas property is not set
48 //  - that it is invoked from the 'shell' or 'root' user (abort otherwise)
49 //  - that '<package-name>' is the name of an installed and debuggable package
50 //  - that the package's data directory is well-formed
51 //
52 //  If so, it will drop to the application's user id / group id, cd to the
53 //  package's data directory, then run the command there.
54 //
55 //  This can be useful for a number of different things on production devices:
56 //
57 //  - Allow application developers to look at their own application data
58 //    during development.
59 //
60 //  - Run the 'gdbserver' binary executable to allow native debugging
61 //
62 
packagelist_parse_callback(pkg_info * this_package,void * userdata)63 static bool packagelist_parse_callback(pkg_info* this_package, void* userdata) {
64   pkg_info* p = reinterpret_cast<pkg_info*>(userdata);
65   if (strcmp(p->name, this_package->name) == 0) {
66     *p = *this_package;
67     return false; // Stop searching.
68   }
69   packagelist_free(this_package);
70   return true; // Keep searching.
71 }
72 
check_directory(const char * path,uid_t uid)73 static void check_directory(const char* path, uid_t uid) {
74   struct stat st;
75   if (TEMP_FAILURE_RETRY(lstat(path, &st)) == -1) {
76     error(1, errno, "couldn't stat %s", path);
77   }
78 
79   // /data/user/0 is a known safe symlink.
80   if (strcmp("/data/user/0", path) == 0) return;
81 
82   // Must be a real directory, not a symlink.
83   if (!S_ISDIR(st.st_mode)) {
84     error(1, 0, "%s not a directory: %o", path, st.st_mode);
85   }
86 
87   // Must be owned by specific uid/gid.
88   if (st.st_uid != uid || st.st_gid != uid) {
89     error(1, 0, "%s has wrong owner: %d/%d, not %d", path, st.st_uid, st.st_gid, uid);
90   }
91 
92   // Must not be readable or writable by others.
93   if ((st.st_mode & (S_IROTH | S_IWOTH)) != 0) {
94     error(1, 0, "%s readable or writable by others: %o", path, st.st_mode);
95   }
96 }
97 
98 // This function is used to check the data directory path for safety.
99 // We check that every sub-directory is owned by the 'system' user
100 // and exists and is not a symlink. We also check that the full directory
101 // path is properly owned by the user ID.
check_data_path(const char * package_name,const char * data_path,uid_t uid)102 static void check_data_path(const char* package_name, const char* data_path, uid_t uid) {
103   // The path should be absolute.
104   if (data_path[0] != '/') {
105     error(1, 0, "%s data path not absolute: %s", package_name, data_path);
106   }
107 
108   // Look for all sub-paths, we do that by finding
109   // directory separators in the input path and
110   // checking each sub-path independently.
111   for (int nn = 1; data_path[nn] != '\0'; nn++) {
112     char subpath[PATH_MAX];
113 
114     /* skip non-separator characters */
115     if (data_path[nn] != '/') continue;
116 
117     /* handle trailing separator case */
118     if (data_path[nn+1] == '\0') break;
119 
120     /* found a separator, check that data_path is not too long. */
121     if (nn >= (int)(sizeof subpath)) {
122       error(1, 0, "%s data path too long: %s", package_name, data_path);
123     }
124 
125     /* reject any '..' subpath */
126     if (nn >= 3               &&
127         data_path[nn-3] == '/' &&
128         data_path[nn-2] == '.' &&
129         data_path[nn-1] == '.') {
130       error(1, 0, "%s contains '..': %s", package_name, data_path);
131     }
132 
133     /* copy to 'subpath', then check ownership */
134     memcpy(subpath, data_path, nn);
135     subpath[nn] = '\0';
136 
137     check_directory(subpath, AID_SYSTEM);
138   }
139 
140   // All sub-paths were checked, now verify that the full data
141   // directory is owned by the application uid.
142   check_directory(data_path, uid);
143 }
144 
get_supplementary_gids(uid_t userAppId)145 std::vector<gid_t> get_supplementary_gids(uid_t userAppId) {
146   std::vector<gid_t> gids;
147   int size = getgroups(0, &gids[0]);
148   if (size < 0) {
149     error(1, errno, "getgroups failed");
150   }
151   gids.resize(size);
152   size = getgroups(size, &gids[0]);
153   if (size != static_cast<int>(gids.size())) {
154     error(1, errno, "getgroups failed");
155   }
156   // Profile guide compiled oat files (like /data/app/xxx/oat/arm64/base.odex) are not readable
157   // worldwide (DEXOPT_PUBLIC flag isn't set). To support reading them (needed by simpleperf for
158   // profiling), add shared app gid to supplementary groups.
159   gid_t shared_app_gid = userAppId % AID_USER_OFFSET - AID_APP_START + AID_SHARED_GID_START;
160   gids.push_back(shared_app_gid);
161   return gids;
162 }
163 
main(int argc,char * argv[])164 int main(int argc, char* argv[]) {
165   // Check arguments.
166   if (argc < 2) {
167     error(1, 0, "usage: run-as <package-name> [--user <uid>] <command> [<args>]\n");
168   }
169 
170   // This program runs with CAP_SETUID and CAP_SETGID capabilities on Android
171   // production devices. Check user id of caller --- must be 'shell' or 'root'.
172   if (getuid() != AID_SHELL && getuid() != AID_ROOT) {
173     error(1, 0, "only 'shell' or 'root' users can run this program");
174   }
175 
176   // Some devices can disable running run-as, such as Chrome OS when running in
177   // non-developer mode.
178   if (android::base::GetBoolProperty("ro.boot.disable_runas", false)) {
179     error(1, 0, "run-as is disabled from the kernel commandline");
180   }
181 
182   char* pkgname = argv[1];
183   int cmd_argv_offset = 2;
184 
185   // Get user_id from command line if provided.
186   int userId = 0;
187   if ((argc >= 4) && !strcmp(argv[2], "--user")) {
188     userId = atoi(argv[3]);
189     if (userId < 0) error(1, 0, "negative user id: %d", userId);
190     cmd_argv_offset += 2;
191   }
192 
193   // Retrieve package information from system, switching egid so we can read the file.
194   gid_t old_egid = getegid();
195   if (setegid(AID_PACKAGE_INFO) == -1) error(1, errno, "setegid(AID_PACKAGE_INFO) failed");
196   pkg_info info;
197   memset(&info, 0, sizeof(info));
198   info.name = pkgname;
199   if (!packagelist_parse(packagelist_parse_callback, &info)) {
200     error(1, errno, "packagelist_parse failed");
201   }
202 
203   // Handle a multi-user data path
204   if (userId > 0) {
205     free(info.data_dir);
206     if (asprintf(&info.data_dir, "/data/user/%d/%s", userId, pkgname) == -1) {
207       error(1, errno, "asprintf failed");
208     }
209   }
210 
211   if (info.uid == 0) {
212     error(1, 0, "unknown package: %s", pkgname);
213   }
214   if (setegid(old_egid) == -1) error(1, errno, "couldn't restore egid");
215 
216   // Verify that user id is not too big.
217   if ((UID_MAX - info.uid) / AID_USER_OFFSET < (uid_t)userId) {
218     error(1, 0, "user id too big: %d", userId);
219   }
220 
221   // Calculate user app ID.
222   uid_t userAppId = (AID_USER_OFFSET * userId) + info.uid;
223 
224   // Reject system packages.
225   if (userAppId < AID_APP) {
226     error(1, 0, "package not an application: %s", pkgname);
227   }
228 
229   // Reject any non-debuggable package.
230   if (!info.debuggable) {
231     error(1, 0, "package not debuggable: %s", pkgname);
232   }
233 
234   // Check that the data directory path is valid.
235   check_data_path(pkgname, info.data_dir, userAppId);
236 
237   // Ensure that we change all real/effective/saved IDs at the
238   // same time to avoid nasty surprises.
239   uid_t uid = userAppId;
240   uid_t gid = userAppId;
241   std::vector<gid_t> supplementary_gids = get_supplementary_gids(userAppId);
242   ScopedMinijail j(minijail_new());
243   minijail_change_uid(j.get(), uid);
244   minijail_change_gid(j.get(), gid);
245   minijail_set_supplementary_gids(j.get(), supplementary_gids.size(), supplementary_gids.data());
246   minijail_enter(j.get());
247 
248   std::string seinfo = std::string(info.seinfo) + ":fromRunAs";
249   if (selinux_android_setcontext(uid, 0, seinfo.c_str(), pkgname) < 0) {
250     error(1, errno, "couldn't set SELinux security context");
251   }
252 
253   // cd into the data directory, and set $HOME correspondingly.
254   if (TEMP_FAILURE_RETRY(chdir(info.data_dir)) == -1) {
255     error(1, errno, "couldn't chdir to package's data directory");
256   }
257   setenv("HOME", info.data_dir, 1);
258 
259   // Reset parts of the environment, like su would.
260   setenv("PATH", _PATH_DEFPATH, 1);
261   unsetenv("IFS");
262 
263   // Set the user-specific parts for this user.
264   passwd* pw = getpwuid(uid);
265   setenv("LOGNAME", pw->pw_name, 1);
266   setenv("SHELL", pw->pw_shell, 1);
267   setenv("USER", pw->pw_name, 1);
268 
269   // User specified command for exec.
270   if ((argc >= cmd_argv_offset + 1) &&
271       (execvp(argv[cmd_argv_offset], argv+cmd_argv_offset) == -1)) {
272     error(1, errno, "exec failed for %s", argv[cmd_argv_offset]);
273   }
274 
275   // Default exec shell.
276   execlp(_PATH_BSHELL, "sh", NULL);
277   error(1, errno, "exec failed");
278 }
279