• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2 **
3 ** Copyright 2010, The Android Open Source Project
4 **
5 ** Licensed under the Apache License, Version 2.0 (the "License");
6 ** you may not use this file except in compliance with the License.
7 ** You may obtain a copy of the License at
8 **
9 **     http://www.apache.org/licenses/LICENSE-2.0
10 **
11 ** Unless required by applicable law or agreed to in writing, software
12 ** distributed under the License is distributed on an "AS IS" BASIS,
13 ** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 ** See the License for the specific language governing permissions and
15 ** limitations under the License.
16 */
17 
18 #define PROGNAME "run-as"
19 #define LOG_TAG  PROGNAME
20 
21 #include <dirent.h>
22 #include <errno.h>
23 #include <stdarg.h>
24 #include <stdio.h>
25 #include <stdlib.h>
26 #include <string.h>
27 #include <sys/capability.h>
28 #include <sys/cdefs.h>
29 #include <sys/stat.h>
30 #include <sys/types.h>
31 #include <time.h>
32 #include <unistd.h>
33 
34 #include <private/android_filesystem_config.h>
35 #include <selinux/android.h>
36 
37 #include "package.h"
38 
39 /*
40  *  WARNING WARNING WARNING WARNING
41  *
42  *  This program runs with CAP_SETUID and CAP_SETGID capabilities on Android
43  *  production devices. Be very conservative when modifying it to avoid any
44  *  serious security issue. Keep in mind the following:
45  *
46  *  - This program should only run for the 'root' or 'shell' users
47  *
48  *  - Avoid anything that is more complex than simple system calls
49  *    until the uid/gid has been dropped to that of a normal user
50  *    or you are sure to exit.
51  *
52  *    This avoids depending on environment variables, system properties
53  *    and other external factors that may affect the C library in
54  *    unpredictable ways.
55  *
56  *  - Do not trust user input and/or the filesystem whenever possible.
57  *
58  *  Read README.TXT for more details.
59  *
60  *
61  *
62  * The purpose of this program is to run a command as a specific
63  * application user-id. Typical usage is:
64  *
65  *   run-as <package-name> <command> <args>
66  *
67  *  The 'run-as' binary is installed with CAP_SETUID and CAP_SETGID file
68  *  capabilities, but will check the following:
69  *
70  *  - that it is invoked from the 'shell' or 'root' user (abort otherwise)
71  *  - that '<package-name>' is the name of an installed and debuggable package
72  *  - that the package's data directory is well-formed (see package.c)
73  *
74  *  If so, it will drop to the application's user id / group id, cd to the
75  *  package's data directory, then run the command there.
76  *
77  *  NOTE: In the future it might not be possible to cd to the package's data
78  *  directory under that package's user id / group id, in which case this
79  *  utility will need to be changed accordingly.
80  *
81  *  This can be useful for a number of different things on production devices:
82  *
83  *  - Allow application developers to look at their own applicative data
84  *    during development.
85  *
86  *  - Run the 'gdbserver' binary executable to allow native debugging
87  */
88 
89 __noreturn static void
panic(const char * format,...)90 panic(const char* format, ...)
91 {
92     va_list args;
93     int e = errno;
94 
95     fprintf(stderr, "%s: ", PROGNAME);
96     va_start(args, format);
97     vfprintf(stderr, format, args);
98     va_end(args);
99     exit(e ? -e : 1);
100 }
101 
102 static void
usage(void)103 usage(void)
104 {
105     panic("Usage:\n    " PROGNAME " <package-name> [--user <uid>] <command> [<args>]\n");
106 }
107 
main(int argc,char ** argv)108 int main(int argc, char **argv)
109 {
110     const char* pkgname;
111     uid_t myuid, uid, gid, userAppId = 0;
112     int commandArgvOfs = 2, userId = 0;
113     PackageInfo info;
114     struct __user_cap_header_struct capheader;
115     struct __user_cap_data_struct capdata[2];
116 
117     /* check arguments */
118     if (argc < 2) {
119         usage();
120     }
121 
122     /* check userid of caller - must be 'shell' or 'root' */
123     myuid = getuid();
124     if (myuid != AID_SHELL && myuid != AID_ROOT) {
125         panic("only 'shell' or 'root' users can run this program\n");
126     }
127 
128     memset(&capheader, 0, sizeof(capheader));
129     memset(&capdata, 0, sizeof(capdata));
130     capheader.version = _LINUX_CAPABILITY_VERSION_3;
131     capdata[CAP_TO_INDEX(CAP_SETUID)].effective |= CAP_TO_MASK(CAP_SETUID);
132     capdata[CAP_TO_INDEX(CAP_SETGID)].effective |= CAP_TO_MASK(CAP_SETGID);
133     capdata[CAP_TO_INDEX(CAP_SETUID)].permitted |= CAP_TO_MASK(CAP_SETUID);
134     capdata[CAP_TO_INDEX(CAP_SETGID)].permitted |= CAP_TO_MASK(CAP_SETGID);
135 
136     if (capset(&capheader, &capdata[0]) < 0) {
137         panic("Could not set capabilities: %s\n", strerror(errno));
138     }
139 
140     pkgname = argv[1];
141 
142     /* get user_id from command line if provided */
143     if ((argc >= 4) && !strcmp(argv[2], "--user")) {
144         userId = atoi(argv[3]);
145         if (userId < 0)
146             panic("Negative user id %d is provided\n", userId);
147         commandArgvOfs += 2;
148     }
149 
150     /* retrieve package information from system (does setegid) */
151     if (get_package_info(pkgname, userId, &info) < 0) {
152         panic("Package '%s' is unknown\n", pkgname);
153     }
154 
155     /* verify that user id is not too big. */
156     if ((UID_MAX - info.uid) / AID_USER < (uid_t)userId) {
157         panic("User id %d is too big\n", userId);
158     }
159 
160     /* calculate user app ID. */
161     userAppId = (AID_USER * userId) + info.uid;
162 
163     /* reject system packages */
164     if (userAppId < AID_APP) {
165         panic("Package '%s' is not an application\n", pkgname);
166     }
167 
168     /* reject any non-debuggable package */
169     if (!info.isDebuggable) {
170         panic("Package '%s' is not debuggable\n", pkgname);
171     }
172 
173     /* check that the data directory path is valid */
174     if (check_data_path(info.dataDir, userAppId) < 0) {
175         panic("Package '%s' has corrupt installation\n", pkgname);
176     }
177 
178     /* Ensure that we change all real/effective/saved IDs at the
179      * same time to avoid nasty surprises.
180      */
181     uid = gid = userAppId;
182     if(setresgid(gid,gid,gid) || setresuid(uid,uid,uid)) {
183         panic("Permission denied\n");
184     }
185 
186     /* Required if caller has uid and gid all non-zero */
187     memset(&capdata, 0, sizeof(capdata));
188     if (capset(&capheader, &capdata[0]) < 0) {
189         panic("Could not clear all capabilities: %s\n", strerror(errno));
190     }
191 
192     if (selinux_android_setcontext(uid, 0, info.seinfo, pkgname) < 0) {
193         panic("Could not set SELinux security context: %s\n", strerror(errno));
194     }
195 
196     /* cd into the data directory */
197     if (TEMP_FAILURE_RETRY(chdir(info.dataDir)) < 0) {
198         panic("Could not cd to package's data directory: %s\n", strerror(errno));
199     }
200 
201     /* User specified command for exec. */
202     if ((argc >= commandArgvOfs + 1) &&
203         (execvp(argv[commandArgvOfs], argv+commandArgvOfs) < 0)) {
204         panic("exec failed for %s: %s\n", argv[commandArgvOfs], strerror(errno));
205     }
206 
207     /* Default exec shell. */
208     execlp("/system/bin/sh", "sh", NULL);
209 
210     panic("exec failed: %s\n", strerror(errno));
211 }
212