• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2 **
3 ** Copyright 2010, The Android Open Source Project
4 **
5 ** Licensed under the Apache License, Version 2.0 (the "License");
6 ** you may not use this file except in compliance with the License.
7 ** You may obtain a copy of the License at
8 **
9 **     http://www.apache.org/licenses/LICENSE-2.0
10 **
11 ** Unless required by applicable law or agreed to in writing, software
12 ** distributed under the License is distributed on an "AS IS" BASIS,
13 ** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 ** See the License for the specific language governing permissions and
15 ** limitations under the License.
16 */
17 #include <errno.h>
18 #include <fcntl.h>
19 #include <unistd.h>
20 #include <sys/stat.h>
21 #include <sys/mman.h>
22 #include <private/android_filesystem_config.h>
23 #include "package.h"
24 
25 /*
26  *  WARNING WARNING WARNING WARNING
27  *
28  *  The following code runs as root on production devices, before
29  *  the run-as command has dropped the uid/gid. Hence be very
30  *  conservative and keep in mind the following:
31  *
32  *  - Performance does not matter here, clarity and safety of the code
33  *    does however. Documentation is a must.
34  *
35  *  - Avoid calling C library functions with complex implementations
36  *    like malloc() and printf(). You want to depend on simple system
37  *    calls instead, which behaviour is not going to be altered in
38  *    unpredictible ways by environment variables or system properties.
39  *
40  *  - Do not trust user input and/or the filesystem whenever possible.
41  *
42  */
43 
44 /* The file containing the list of installed packages on the system */
45 #define PACKAGES_LIST_FILE  "/data/system/packages.list"
46 
47 /* Copy 'srclen' string bytes from 'src' into buffer 'dst' of size 'dstlen'
48  * This function always zero-terminate the destination buffer unless
49  * 'dstlen' is 0, even in case of overflow.
50  * Returns a pointer into the src string, leaving off where the copy
51  * has stopped. The copy will stop when dstlen, srclen or a null
52  * character on src has been reached.
53  */
54 static const char*
string_copy(char * dst,size_t dstlen,const char * src,size_t srclen)55 string_copy(char* dst, size_t dstlen, const char* src, size_t srclen)
56 {
57     const char* srcend = src + srclen;
58     const char* dstend = dst + dstlen;
59 
60     if (dstlen == 0)
61         return src;
62 
63     dstend--; /* make room for terminating zero */
64 
65     while (dst < dstend && src < srcend && *src != '\0')
66         *dst++ = *src++;
67 
68     *dst = '\0'; /* zero-terminate result */
69     return src;
70 }
71 
72 /* Open 'filename' and map it into our address-space.
73  * Returns buffer address, or NULL on error
74  * On exit, *filesize will be set to the file's size, or 0 on error
75  */
76 static void*
map_file(const char * filename,size_t * filesize)77 map_file(const char* filename, size_t* filesize)
78 {
79     int  fd, ret, old_errno;
80     struct stat  st;
81     size_t  length = 0;
82     void*   address = NULL;
83     gid_t   oldegid;
84 
85     *filesize = 0;
86 
87     /*
88      * Temporarily switch effective GID to allow us to read
89      * the packages file
90      */
91 
92     oldegid = getegid();
93     if (setegid(AID_PACKAGE_INFO) < 0) {
94         return NULL;
95     }
96 
97     /* open the file for reading */
98     fd = TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
99     if (fd < 0) {
100         return NULL;
101     }
102 
103     /* restore back to our old egid */
104     if (setegid(oldegid) < 0) {
105         goto EXIT;
106     }
107 
108     /* get its size */
109     ret = TEMP_FAILURE_RETRY(fstat(fd, &st));
110     if (ret < 0)
111         goto EXIT;
112 
113     /* Ensure that the file is owned by the system user */
114     if ((st.st_uid != AID_SYSTEM) || (st.st_gid != AID_PACKAGE_INFO)) {
115         goto EXIT;
116     }
117 
118     /* Ensure that the file has sane permissions */
119     if ((st.st_mode & S_IWOTH) != 0) {
120         goto EXIT;
121     }
122 
123     /* Ensure that the size is not ridiculously large */
124     length = (size_t)st.st_size;
125     if ((off_t)length != st.st_size) {
126         errno = ENOMEM;
127         goto EXIT;
128     }
129 
130     /* Memory-map the file now */
131     do {
132         address = mmap(NULL, length, PROT_READ, MAP_PRIVATE, fd, 0);
133     } while (address == MAP_FAILED && errno == EINTR);
134     if (address == MAP_FAILED) {
135         address = NULL;
136         goto EXIT;
137     }
138 
139     /* We're good, return size */
140     *filesize = length;
141 
142 EXIT:
143     /* close the file, preserve old errno for better diagnostics */
144     old_errno = errno;
145     close(fd);
146     errno = old_errno;
147 
148     return address;
149 }
150 
151 /* unmap the file, but preserve errno */
152 static void
unmap_file(void * address,size_t size)153 unmap_file(void*  address, size_t  size)
154 {
155     int old_errno = errno;
156     TEMP_FAILURE_RETRY(munmap(address, size));
157     errno = old_errno;
158 }
159 
160 /* Check that a given directory:
161  * - exists
162  * - is owned by a given uid/gid
163  * - is a real directory, not a symlink
164  * - isn't readable or writable by others
165  *
166  * Return 0 on success, or -1 on error.
167  * errno is set to EINVAL in case of failed check.
168  */
169 static int
check_directory_ownership(const char * path,uid_t uid)170 check_directory_ownership(const char* path, uid_t uid)
171 {
172     int ret;
173     struct stat st;
174 
175     do {
176         ret = lstat(path, &st);
177     } while (ret < 0 && errno == EINTR);
178 
179     if (ret < 0)
180         return -1;
181 
182     /* must be a real directory, not a symlink */
183     if (!S_ISDIR(st.st_mode))
184         goto BAD;
185 
186     /* must be owned by specific uid/gid */
187     if (st.st_uid != uid || st.st_gid != uid)
188         goto BAD;
189 
190     /* must not be readable or writable by others */
191     if ((st.st_mode & (S_IROTH|S_IWOTH)) != 0)
192         goto BAD;
193 
194     /* everything ok */
195     return 0;
196 
197 BAD:
198     errno = EINVAL;
199     return -1;
200 }
201 
202 /* This function is used to check the data directory path for safety.
203  * We check that every sub-directory is owned by the 'system' user
204  * and exists and is not a symlink. We also check that the full directory
205  * path is properly owned by the user ID.
206  *
207  * Return 0 on success, -1 on error.
208  */
209 int
check_data_path(const char * dataPath,uid_t uid)210 check_data_path(const char* dataPath, uid_t  uid)
211 {
212     int  nn;
213 
214     /* the path should be absolute */
215     if (dataPath[0] != '/') {
216         errno = EINVAL;
217         return -1;
218     }
219 
220     /* look for all sub-paths, we do that by finding
221      * directory separators in the input path and
222      * checking each sub-path independently
223      */
224     for (nn = 1; dataPath[nn] != '\0'; nn++)
225     {
226         char subpath[PATH_MAX];
227 
228         /* skip non-separator characters */
229         if (dataPath[nn] != '/')
230             continue;
231 
232         /* handle trailing separator case */
233         if (dataPath[nn+1] == '\0') {
234             break;
235         }
236 
237         /* found a separator, check that dataPath is not too long. */
238         if (nn >= (int)(sizeof subpath)) {
239             errno = EINVAL;
240             return -1;
241         }
242 
243         /* reject any '..' subpath */
244         if (nn >= 3               &&
245             dataPath[nn-3] == '/' &&
246             dataPath[nn-2] == '.' &&
247             dataPath[nn-1] == '.') {
248             errno = EINVAL;
249             return -1;
250         }
251 
252         /* copy to 'subpath', then check ownership */
253         memcpy(subpath, dataPath, nn);
254         subpath[nn] = '\0';
255 
256         if (check_directory_ownership(subpath, AID_SYSTEM) < 0)
257             return -1;
258     }
259 
260     /* All sub-paths were checked, now verify that the full data
261      * directory is owned by the application uid
262      */
263     if (check_directory_ownership(dataPath, uid) < 0)
264         return -1;
265 
266     /* all clear */
267     return 0;
268 }
269 
270 /* Return TRUE iff a character is a space or tab */
271 static inline int
is_space(char c)272 is_space(char c)
273 {
274     return (c == ' ' || c == '\t');
275 }
276 
277 /* Skip any space or tab character from 'p' until 'end' is reached.
278  * Return new position.
279  */
280 static const char*
skip_spaces(const char * p,const char * end)281 skip_spaces(const char*  p, const char*  end)
282 {
283     while (p < end && is_space(*p))
284         p++;
285 
286     return p;
287 }
288 
289 /* Skip any non-space and non-tab character from 'p' until 'end'.
290  * Return new position.
291  */
292 static const char*
skip_non_spaces(const char * p,const char * end)293 skip_non_spaces(const char* p, const char* end)
294 {
295     while (p < end && !is_space(*p))
296         p++;
297 
298     return p;
299 }
300 
301 /* Find the first occurence of 'ch' between 'p' and 'end'
302  * Return its position, or 'end' if none is found.
303  */
304 static const char*
find_first(const char * p,const char * end,char ch)305 find_first(const char* p, const char* end, char ch)
306 {
307     while (p < end && *p != ch)
308         p++;
309 
310     return p;
311 }
312 
313 /* Check that the non-space string starting at 'p' and eventually
314  * ending at 'end' equals 'name'. Return new position (after name)
315  * on success, or NULL on failure.
316  *
317  * This function fails is 'name' is NULL, empty or contains any space.
318  */
319 static const char*
compare_name(const char * p,const char * end,const char * name)320 compare_name(const char* p, const char* end, const char* name)
321 {
322     /* 'name' must not be NULL or empty */
323     if (name == NULL || name[0] == '\0' || p == end)
324         return NULL;
325 
326     /* compare characters to those in 'name', excluding spaces */
327     while (*name) {
328         /* note, we don't check for *p == '\0' since
329          * it will be caught in the next conditional.
330          */
331         if (p >= end || is_space(*p))
332             goto BAD;
333 
334         if (*p != *name)
335             goto BAD;
336 
337         p++;
338         name++;
339     }
340 
341     /* must be followed by end of line or space */
342     if (p < end && !is_space(*p))
343         goto BAD;
344 
345     return p;
346 
347 BAD:
348     return NULL;
349 }
350 
351 /* Parse one or more whitespace characters starting from '*pp'
352  * until 'end' is reached. Updates '*pp' on exit.
353  *
354  * Return 0 on success, -1 on failure.
355  */
356 static int
parse_spaces(const char ** pp,const char * end)357 parse_spaces(const char** pp, const char* end)
358 {
359     const char* p = *pp;
360 
361     if (p >= end || !is_space(*p)) {
362         errno = EINVAL;
363         return -1;
364     }
365     p   = skip_spaces(p, end);
366     *pp = p;
367     return 0;
368 }
369 
370 /* Parse a positive decimal number starting from '*pp' until 'end'
371  * is reached. Adjust '*pp' on exit. Return decimal value or -1
372  * in case of error.
373  *
374  * If the value is larger than INT_MAX, -1 will be returned,
375  * and errno set to EOVERFLOW.
376  *
377  * If '*pp' does not start with a decimal digit, -1 is returned
378  * and errno set to EINVAL.
379  */
380 static int
parse_positive_decimal(const char ** pp,const char * end)381 parse_positive_decimal(const char** pp, const char* end)
382 {
383     const char* p = *pp;
384     int value = 0;
385     int overflow = 0;
386 
387     if (p >= end || *p < '0' || *p > '9') {
388         errno = EINVAL;
389         return -1;
390     }
391 
392     while (p < end) {
393         int      ch = *p;
394         unsigned d  = (unsigned)(ch - '0');
395         int      val2;
396 
397         if (d >= 10U) /* d is unsigned, no lower bound check */
398             break;
399 
400         val2 = value*10 + (int)d;
401         if (val2 < value)
402             overflow = 1;
403         value = val2;
404         p++;
405     }
406     *pp = p;
407 
408     if (overflow) {
409         errno = EOVERFLOW;
410         value = -1;
411     }
412     return value;
413 }
414 
415 /* Read the system's package database and extract information about
416  * 'pkgname'. Return 0 in case of success, or -1 in case of error.
417  *
418  * If the package is unknown, return -1 and set errno to ENOENT
419  * If the package database is corrupted, return -1 and set errno to EINVAL
420  */
421 int
get_package_info(const char * pkgName,PackageInfo * info)422 get_package_info(const char* pkgName, PackageInfo *info)
423 {
424     char*        buffer;
425     size_t       buffer_len;
426     const char*  p;
427     const char*  buffer_end;
428     int          result = -1;
429 
430     info->uid          = 0;
431     info->isDebuggable = 0;
432     info->dataDir[0]   = '\0';
433     info->seinfo[0]    = '\0';
434 
435     buffer = map_file(PACKAGES_LIST_FILE, &buffer_len);
436     if (buffer == NULL)
437         return -1;
438 
439     p          = buffer;
440     buffer_end = buffer + buffer_len;
441 
442     /* expect the following format on each line of the control file:
443      *
444      *  <pkgName> <uid> <debugFlag> <dataDir> <seinfo>
445      *
446      * where:
447      *  <pkgName>    is the package's name
448      *  <uid>        is the application-specific user Id (decimal)
449      *  <debugFlag>  is 1 if the package is debuggable, or 0 otherwise
450      *  <dataDir>    is the path to the package's data directory (e.g. /data/data/com.example.foo)
451      *  <seinfo>     is the seinfo label associated with the package
452      *
453      * The file is generated in com.android.server.PackageManagerService.Settings.writeLP()
454      */
455 
456     while (p < buffer_end) {
457         /* find end of current line and start of next one */
458         const char*  end  = find_first(p, buffer_end, '\n');
459         const char*  next = (end < buffer_end) ? end + 1 : buffer_end;
460         const char*  q;
461         int          uid, debugFlag;
462 
463         /* first field is the package name */
464         p = compare_name(p, end, pkgName);
465         if (p == NULL)
466             goto NEXT_LINE;
467 
468         /* skip spaces */
469         if (parse_spaces(&p, end) < 0)
470             goto BAD_FORMAT;
471 
472         /* second field is the pid */
473         uid = parse_positive_decimal(&p, end);
474         if (uid < 0)
475             return -1;
476 
477         info->uid = (uid_t) uid;
478 
479         /* skip spaces */
480         if (parse_spaces(&p, end) < 0)
481             goto BAD_FORMAT;
482 
483         /* third field is debug flag (0 or 1) */
484         debugFlag = parse_positive_decimal(&p, end);
485         switch (debugFlag) {
486         case 0:
487             info->isDebuggable = 0;
488             break;
489         case 1:
490             info->isDebuggable = 1;
491             break;
492         default:
493             goto BAD_FORMAT;
494         }
495 
496         /* skip spaces */
497         if (parse_spaces(&p, end) < 0)
498             goto BAD_FORMAT;
499 
500         /* fourth field is data directory path and must not contain
501          * spaces.
502          */
503         q = skip_non_spaces(p, end);
504         if (q == p)
505             goto BAD_FORMAT;
506 
507         p = string_copy(info->dataDir, sizeof info->dataDir, p, q - p);
508 
509         /* skip spaces */
510         if (parse_spaces(&p, end) < 0)
511             goto BAD_FORMAT;
512 
513         /* fifth field is the seinfo string */
514         q = skip_non_spaces(p, end);
515         if (q == p)
516             goto BAD_FORMAT;
517 
518         string_copy(info->seinfo, sizeof info->seinfo, p, q - p);
519 
520         /* Ignore the rest */
521         result = 0;
522         goto EXIT;
523 
524     NEXT_LINE:
525         p = next;
526     }
527 
528     /* the package is unknown */
529     errno = ENOENT;
530     result = -1;
531     goto EXIT;
532 
533 BAD_FORMAT:
534     errno = EINVAL;
535     result = -1;
536 
537 EXIT:
538     unmap_file(buffer, buffer_len);
539     return result;
540 }
541