1 /*
2 **
3 ** Copyright 2010, The Android Open Source Project
4 **
5 ** Licensed under the Apache License, Version 2.0 (the "License");
6 ** you may not use this file except in compliance with the License.
7 ** You may obtain a copy of the License at
8 **
9 ** http://www.apache.org/licenses/LICENSE-2.0
10 **
11 ** Unless required by applicable law or agreed to in writing, software
12 ** distributed under the License is distributed on an "AS IS" BASIS,
13 ** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 ** See the License for the specific language governing permissions and
15 ** limitations under the License.
16 */
17 #include <errno.h>
18 #include <fcntl.h>
19 #include <unistd.h>
20 #include <sys/stat.h>
21 #include <sys/mman.h>
22 #include <private/android_filesystem_config.h>
23 #include "package.h"
24
25 /*
26 * WARNING WARNING WARNING WARNING
27 *
28 * The following code runs as root on production devices, before
29 * the run-as command has dropped the uid/gid. Hence be very
30 * conservative and keep in mind the following:
31 *
32 * - Performance does not matter here, clarity and safety of the code
33 * does however. Documentation is a must.
34 *
35 * - Avoid calling C library functions with complex implementations
36 * like malloc() and printf(). You want to depend on simple system
37 * calls instead, which behaviour is not going to be altered in
38 * unpredictible ways by environment variables or system properties.
39 *
40 * - Do not trust user input and/or the filesystem whenever possible.
41 *
42 */
43
44 /* The file containing the list of installed packages on the system */
45 #define PACKAGES_LIST_FILE "/data/system/packages.list"
46
47 /* Copy 'srclen' string bytes from 'src' into buffer 'dst' of size 'dstlen'
48 * This function always zero-terminate the destination buffer unless
49 * 'dstlen' is 0, even in case of overflow.
50 * Returns a pointer into the src string, leaving off where the copy
51 * has stopped. The copy will stop when dstlen, srclen or a null
52 * character on src has been reached.
53 */
54 static const char*
string_copy(char * dst,size_t dstlen,const char * src,size_t srclen)55 string_copy(char* dst, size_t dstlen, const char* src, size_t srclen)
56 {
57 const char* srcend = src + srclen;
58 const char* dstend = dst + dstlen;
59
60 if (dstlen == 0)
61 return src;
62
63 dstend--; /* make room for terminating zero */
64
65 while (dst < dstend && src < srcend && *src != '\0')
66 *dst++ = *src++;
67
68 *dst = '\0'; /* zero-terminate result */
69 return src;
70 }
71
72 /* Open 'filename' and map it into our address-space.
73 * Returns buffer address, or NULL on error
74 * On exit, *filesize will be set to the file's size, or 0 on error
75 */
76 static void*
map_file(const char * filename,size_t * filesize)77 map_file(const char* filename, size_t* filesize)
78 {
79 int fd, ret, old_errno;
80 struct stat st;
81 size_t length = 0;
82 void* address = NULL;
83 gid_t oldegid;
84
85 *filesize = 0;
86
87 /*
88 * Temporarily switch effective GID to allow us to read
89 * the packages file
90 */
91
92 oldegid = getegid();
93 if (setegid(AID_PACKAGE_INFO) < 0) {
94 return NULL;
95 }
96
97 /* open the file for reading */
98 fd = TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
99 if (fd < 0) {
100 return NULL;
101 }
102
103 /* restore back to our old egid */
104 if (setegid(oldegid) < 0) {
105 goto EXIT;
106 }
107
108 /* get its size */
109 ret = TEMP_FAILURE_RETRY(fstat(fd, &st));
110 if (ret < 0)
111 goto EXIT;
112
113 /* Ensure that the file is owned by the system user */
114 if ((st.st_uid != AID_SYSTEM) || (st.st_gid != AID_PACKAGE_INFO)) {
115 goto EXIT;
116 }
117
118 /* Ensure that the file has sane permissions */
119 if ((st.st_mode & S_IWOTH) != 0) {
120 goto EXIT;
121 }
122
123 /* Ensure that the size is not ridiculously large */
124 length = (size_t)st.st_size;
125 if ((off_t)length != st.st_size) {
126 errno = ENOMEM;
127 goto EXIT;
128 }
129
130 /* Memory-map the file now */
131 do {
132 address = mmap(NULL, length, PROT_READ, MAP_PRIVATE, fd, 0);
133 } while (address == MAP_FAILED && errno == EINTR);
134 if (address == MAP_FAILED) {
135 address = NULL;
136 goto EXIT;
137 }
138
139 /* We're good, return size */
140 *filesize = length;
141
142 EXIT:
143 /* close the file, preserve old errno for better diagnostics */
144 old_errno = errno;
145 close(fd);
146 errno = old_errno;
147
148 return address;
149 }
150
151 /* unmap the file, but preserve errno */
152 static void
unmap_file(void * address,size_t size)153 unmap_file(void* address, size_t size)
154 {
155 int old_errno = errno;
156 TEMP_FAILURE_RETRY(munmap(address, size));
157 errno = old_errno;
158 }
159
160 /* Check that a given directory:
161 * - exists
162 * - is owned by a given uid/gid
163 * - is a real directory, not a symlink
164 * - isn't readable or writable by others
165 *
166 * Return 0 on success, or -1 on error.
167 * errno is set to EINVAL in case of failed check.
168 */
169 static int
check_directory_ownership(const char * path,uid_t uid)170 check_directory_ownership(const char* path, uid_t uid)
171 {
172 int ret;
173 struct stat st;
174
175 do {
176 ret = lstat(path, &st);
177 } while (ret < 0 && errno == EINTR);
178
179 if (ret < 0)
180 return -1;
181
182 /* must be a real directory, not a symlink */
183 if (!S_ISDIR(st.st_mode))
184 goto BAD;
185
186 /* must be owned by specific uid/gid */
187 if (st.st_uid != uid || st.st_gid != uid)
188 goto BAD;
189
190 /* must not be readable or writable by others */
191 if ((st.st_mode & (S_IROTH|S_IWOTH)) != 0)
192 goto BAD;
193
194 /* everything ok */
195 return 0;
196
197 BAD:
198 errno = EINVAL;
199 return -1;
200 }
201
202 /* This function is used to check the data directory path for safety.
203 * We check that every sub-directory is owned by the 'system' user
204 * and exists and is not a symlink. We also check that the full directory
205 * path is properly owned by the user ID.
206 *
207 * Return 0 on success, -1 on error.
208 */
209 int
check_data_path(const char * dataPath,uid_t uid)210 check_data_path(const char* dataPath, uid_t uid)
211 {
212 int nn;
213
214 /* the path should be absolute */
215 if (dataPath[0] != '/') {
216 errno = EINVAL;
217 return -1;
218 }
219
220 /* look for all sub-paths, we do that by finding
221 * directory separators in the input path and
222 * checking each sub-path independently
223 */
224 for (nn = 1; dataPath[nn] != '\0'; nn++)
225 {
226 char subpath[PATH_MAX];
227
228 /* skip non-separator characters */
229 if (dataPath[nn] != '/')
230 continue;
231
232 /* handle trailing separator case */
233 if (dataPath[nn+1] == '\0') {
234 break;
235 }
236
237 /* found a separator, check that dataPath is not too long. */
238 if (nn >= (int)(sizeof subpath)) {
239 errno = EINVAL;
240 return -1;
241 }
242
243 /* reject any '..' subpath */
244 if (nn >= 3 &&
245 dataPath[nn-3] == '/' &&
246 dataPath[nn-2] == '.' &&
247 dataPath[nn-1] == '.') {
248 errno = EINVAL;
249 return -1;
250 }
251
252 /* copy to 'subpath', then check ownership */
253 memcpy(subpath, dataPath, nn);
254 subpath[nn] = '\0';
255
256 if (check_directory_ownership(subpath, AID_SYSTEM) < 0)
257 return -1;
258 }
259
260 /* All sub-paths were checked, now verify that the full data
261 * directory is owned by the application uid
262 */
263 if (check_directory_ownership(dataPath, uid) < 0)
264 return -1;
265
266 /* all clear */
267 return 0;
268 }
269
270 /* Return TRUE iff a character is a space or tab */
271 static inline int
is_space(char c)272 is_space(char c)
273 {
274 return (c == ' ' || c == '\t');
275 }
276
277 /* Skip any space or tab character from 'p' until 'end' is reached.
278 * Return new position.
279 */
280 static const char*
skip_spaces(const char * p,const char * end)281 skip_spaces(const char* p, const char* end)
282 {
283 while (p < end && is_space(*p))
284 p++;
285
286 return p;
287 }
288
289 /* Skip any non-space and non-tab character from 'p' until 'end'.
290 * Return new position.
291 */
292 static const char*
skip_non_spaces(const char * p,const char * end)293 skip_non_spaces(const char* p, const char* end)
294 {
295 while (p < end && !is_space(*p))
296 p++;
297
298 return p;
299 }
300
301 /* Find the first occurence of 'ch' between 'p' and 'end'
302 * Return its position, or 'end' if none is found.
303 */
304 static const char*
find_first(const char * p,const char * end,char ch)305 find_first(const char* p, const char* end, char ch)
306 {
307 while (p < end && *p != ch)
308 p++;
309
310 return p;
311 }
312
313 /* Check that the non-space string starting at 'p' and eventually
314 * ending at 'end' equals 'name'. Return new position (after name)
315 * on success, or NULL on failure.
316 *
317 * This function fails is 'name' is NULL, empty or contains any space.
318 */
319 static const char*
compare_name(const char * p,const char * end,const char * name)320 compare_name(const char* p, const char* end, const char* name)
321 {
322 /* 'name' must not be NULL or empty */
323 if (name == NULL || name[0] == '\0' || p == end)
324 return NULL;
325
326 /* compare characters to those in 'name', excluding spaces */
327 while (*name) {
328 /* note, we don't check for *p == '\0' since
329 * it will be caught in the next conditional.
330 */
331 if (p >= end || is_space(*p))
332 goto BAD;
333
334 if (*p != *name)
335 goto BAD;
336
337 p++;
338 name++;
339 }
340
341 /* must be followed by end of line or space */
342 if (p < end && !is_space(*p))
343 goto BAD;
344
345 return p;
346
347 BAD:
348 return NULL;
349 }
350
351 /* Parse one or more whitespace characters starting from '*pp'
352 * until 'end' is reached. Updates '*pp' on exit.
353 *
354 * Return 0 on success, -1 on failure.
355 */
356 static int
parse_spaces(const char ** pp,const char * end)357 parse_spaces(const char** pp, const char* end)
358 {
359 const char* p = *pp;
360
361 if (p >= end || !is_space(*p)) {
362 errno = EINVAL;
363 return -1;
364 }
365 p = skip_spaces(p, end);
366 *pp = p;
367 return 0;
368 }
369
370 /* Parse a positive decimal number starting from '*pp' until 'end'
371 * is reached. Adjust '*pp' on exit. Return decimal value or -1
372 * in case of error.
373 *
374 * If the value is larger than INT_MAX, -1 will be returned,
375 * and errno set to EOVERFLOW.
376 *
377 * If '*pp' does not start with a decimal digit, -1 is returned
378 * and errno set to EINVAL.
379 */
380 static int
parse_positive_decimal(const char ** pp,const char * end)381 parse_positive_decimal(const char** pp, const char* end)
382 {
383 const char* p = *pp;
384 int value = 0;
385 int overflow = 0;
386
387 if (p >= end || *p < '0' || *p > '9') {
388 errno = EINVAL;
389 return -1;
390 }
391
392 while (p < end) {
393 int ch = *p;
394 unsigned d = (unsigned)(ch - '0');
395 int val2;
396
397 if (d >= 10U) /* d is unsigned, no lower bound check */
398 break;
399
400 val2 = value*10 + (int)d;
401 if (val2 < value)
402 overflow = 1;
403 value = val2;
404 p++;
405 }
406 *pp = p;
407
408 if (overflow) {
409 errno = EOVERFLOW;
410 value = -1;
411 }
412 return value;
413 }
414
415 /* Read the system's package database and extract information about
416 * 'pkgname'. Return 0 in case of success, or -1 in case of error.
417 *
418 * If the package is unknown, return -1 and set errno to ENOENT
419 * If the package database is corrupted, return -1 and set errno to EINVAL
420 */
421 int
get_package_info(const char * pkgName,PackageInfo * info)422 get_package_info(const char* pkgName, PackageInfo *info)
423 {
424 char* buffer;
425 size_t buffer_len;
426 const char* p;
427 const char* buffer_end;
428 int result = -1;
429
430 info->uid = 0;
431 info->isDebuggable = 0;
432 info->dataDir[0] = '\0';
433 info->seinfo[0] = '\0';
434
435 buffer = map_file(PACKAGES_LIST_FILE, &buffer_len);
436 if (buffer == NULL)
437 return -1;
438
439 p = buffer;
440 buffer_end = buffer + buffer_len;
441
442 /* expect the following format on each line of the control file:
443 *
444 * <pkgName> <uid> <debugFlag> <dataDir> <seinfo>
445 *
446 * where:
447 * <pkgName> is the package's name
448 * <uid> is the application-specific user Id (decimal)
449 * <debugFlag> is 1 if the package is debuggable, or 0 otherwise
450 * <dataDir> is the path to the package's data directory (e.g. /data/data/com.example.foo)
451 * <seinfo> is the seinfo label associated with the package
452 *
453 * The file is generated in com.android.server.PackageManagerService.Settings.writeLP()
454 */
455
456 while (p < buffer_end) {
457 /* find end of current line and start of next one */
458 const char* end = find_first(p, buffer_end, '\n');
459 const char* next = (end < buffer_end) ? end + 1 : buffer_end;
460 const char* q;
461 int uid, debugFlag;
462
463 /* first field is the package name */
464 p = compare_name(p, end, pkgName);
465 if (p == NULL)
466 goto NEXT_LINE;
467
468 /* skip spaces */
469 if (parse_spaces(&p, end) < 0)
470 goto BAD_FORMAT;
471
472 /* second field is the pid */
473 uid = parse_positive_decimal(&p, end);
474 if (uid < 0)
475 return -1;
476
477 info->uid = (uid_t) uid;
478
479 /* skip spaces */
480 if (parse_spaces(&p, end) < 0)
481 goto BAD_FORMAT;
482
483 /* third field is debug flag (0 or 1) */
484 debugFlag = parse_positive_decimal(&p, end);
485 switch (debugFlag) {
486 case 0:
487 info->isDebuggable = 0;
488 break;
489 case 1:
490 info->isDebuggable = 1;
491 break;
492 default:
493 goto BAD_FORMAT;
494 }
495
496 /* skip spaces */
497 if (parse_spaces(&p, end) < 0)
498 goto BAD_FORMAT;
499
500 /* fourth field is data directory path and must not contain
501 * spaces.
502 */
503 q = skip_non_spaces(p, end);
504 if (q == p)
505 goto BAD_FORMAT;
506
507 p = string_copy(info->dataDir, sizeof info->dataDir, p, q - p);
508
509 /* skip spaces */
510 if (parse_spaces(&p, end) < 0)
511 goto BAD_FORMAT;
512
513 /* fifth field is the seinfo string */
514 q = skip_non_spaces(p, end);
515 if (q == p)
516 goto BAD_FORMAT;
517
518 string_copy(info->seinfo, sizeof info->seinfo, p, q - p);
519
520 /* Ignore the rest */
521 result = 0;
522 goto EXIT;
523
524 NEXT_LINE:
525 p = next;
526 }
527
528 /* the package is unknown */
529 errno = ENOENT;
530 result = -1;
531 goto EXIT;
532
533 BAD_FORMAT:
534 errno = EINVAL;
535 result = -1;
536
537 EXIT:
538 unmap_file(buffer, buffer_len);
539 return result;
540 }
541