1 /*
2 **
3 ** Copyright 2010, The Android Open Source Project
4 **
5 ** Licensed under the Apache License, Version 2.0 (the "License");
6 ** you may not use this file except in compliance with the License.
7 ** You may obtain a copy of the License at
8 **
9 ** http://www.apache.org/licenses/LICENSE-2.0
10 **
11 ** Unless required by applicable law or agreed to in writing, software
12 ** distributed under the License is distributed on an "AS IS" BASIS,
13 ** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 ** See the License for the specific language governing permissions and
15 ** limitations under the License.
16 */
17 #include <errno.h>
18 #include <fcntl.h>
19 #include <stdio.h>
20 #include <string.h>
21 #include <sys/mman.h>
22 #include <sys/stat.h>
23 #include <unistd.h>
24
25 #include <private/android_filesystem_config.h>
26 #include "package.h"
27
28 /*
29 * WARNING WARNING WARNING WARNING
30 *
31 * The following code runs as root on production devices, before
32 * the run-as command has dropped the uid/gid. Hence be very
33 * conservative and keep in mind the following:
34 *
35 * - Performance does not matter here, clarity and safety of the code
36 * does however. Documentation is a must.
37 *
38 * - Avoid calling C library functions with complex implementations
39 * like malloc() and printf(). You want to depend on simple system
40 * calls instead, which behaviour is not going to be altered in
41 * unpredictible ways by environment variables or system properties.
42 *
43 * - Do not trust user input and/or the filesystem whenever possible.
44 *
45 */
46
47 /* The file containing the list of installed packages on the system */
48 #define PACKAGES_LIST_FILE "/data/system/packages.list"
49
50 /* Copy 'srclen' string bytes from 'src' into buffer 'dst' of size 'dstlen'
51 * This function always zero-terminate the destination buffer unless
52 * 'dstlen' is 0, even in case of overflow.
53 * Returns a pointer into the src string, leaving off where the copy
54 * has stopped. The copy will stop when dstlen, srclen or a null
55 * character on src has been reached.
56 */
57 static const char*
string_copy(char * dst,size_t dstlen,const char * src,size_t srclen)58 string_copy(char* dst, size_t dstlen, const char* src, size_t srclen)
59 {
60 const char* srcend = src + srclen;
61 const char* dstend = dst + dstlen;
62
63 if (dstlen == 0)
64 return src;
65
66 dstend--; /* make room for terminating zero */
67
68 while (dst < dstend && src < srcend && *src != '\0')
69 *dst++ = *src++;
70
71 *dst = '\0'; /* zero-terminate result */
72 return src;
73 }
74
75 /* Open 'filename' and map it into our address-space.
76 * Returns buffer address, or NULL on error
77 * On exit, *filesize will be set to the file's size, or 0 on error
78 */
79 static void*
map_file(const char * filename,size_t * filesize)80 map_file(const char* filename, size_t* filesize)
81 {
82 int fd, ret, old_errno;
83 struct stat st;
84 size_t length = 0;
85 void* address = NULL;
86 gid_t oldegid;
87
88 *filesize = 0;
89
90 /*
91 * Temporarily switch effective GID to allow us to read
92 * the packages file
93 */
94
95 oldegid = getegid();
96 if (setegid(AID_PACKAGE_INFO) < 0) {
97 return NULL;
98 }
99
100 /* open the file for reading */
101 fd = TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
102 if (fd < 0) {
103 return NULL;
104 }
105
106 /* restore back to our old egid */
107 if (setegid(oldegid) < 0) {
108 goto EXIT;
109 }
110
111 /* get its size */
112 ret = TEMP_FAILURE_RETRY(fstat(fd, &st));
113 if (ret < 0)
114 goto EXIT;
115
116 /* Ensure that the file is owned by the system user */
117 if ((st.st_uid != AID_SYSTEM) || (st.st_gid != AID_PACKAGE_INFO)) {
118 goto EXIT;
119 }
120
121 /* Ensure that the file has sane permissions */
122 if ((st.st_mode & S_IWOTH) != 0) {
123 goto EXIT;
124 }
125
126 /* Ensure that the size is not ridiculously large */
127 length = (size_t)st.st_size;
128 if ((off_t)length != st.st_size) {
129 errno = ENOMEM;
130 goto EXIT;
131 }
132
133 /* Memory-map the file now */
134 do {
135 address = mmap(NULL, length, PROT_READ, MAP_PRIVATE, fd, 0);
136 } while (address == MAP_FAILED && errno == EINTR);
137 if (address == MAP_FAILED) {
138 address = NULL;
139 goto EXIT;
140 }
141
142 /* We're good, return size */
143 *filesize = length;
144
145 EXIT:
146 /* close the file, preserve old errno for better diagnostics */
147 old_errno = errno;
148 close(fd);
149 errno = old_errno;
150
151 return address;
152 }
153
154 /* unmap the file, but preserve errno */
155 static void
unmap_file(void * address,size_t size)156 unmap_file(void* address, size_t size)
157 {
158 int old_errno = errno;
159 TEMP_FAILURE_RETRY(munmap(address, size));
160 errno = old_errno;
161 }
162
163 /* Check that a given directory:
164 * - exists
165 * - is owned by a given uid/gid
166 * - is a real directory, not a symlink
167 * - isn't readable or writable by others
168 *
169 * Return 0 on success, or -1 on error.
170 * errno is set to EINVAL in case of failed check.
171 */
172 static int
check_directory_ownership(const char * path,uid_t uid)173 check_directory_ownership(const char* path, uid_t uid)
174 {
175 int ret;
176 struct stat st;
177
178 do {
179 ret = lstat(path, &st);
180 } while (ret < 0 && errno == EINTR);
181
182 if (ret < 0)
183 return -1;
184
185 /* /data/user/0 is a known safe symlink */
186 if (strcmp("/data/user/0", path) == 0)
187 return 0;
188
189 /* must be a real directory, not a symlink */
190 if (!S_ISDIR(st.st_mode))
191 goto BAD;
192
193 /* must be owned by specific uid/gid */
194 if (st.st_uid != uid || st.st_gid != uid)
195 goto BAD;
196
197 /* must not be readable or writable by others */
198 if ((st.st_mode & (S_IROTH|S_IWOTH)) != 0)
199 goto BAD;
200
201 /* everything ok */
202 return 0;
203
204 BAD:
205 errno = EINVAL;
206 return -1;
207 }
208
209 /* This function is used to check the data directory path for safety.
210 * We check that every sub-directory is owned by the 'system' user
211 * and exists and is not a symlink. We also check that the full directory
212 * path is properly owned by the user ID.
213 *
214 * Return 0 on success, -1 on error.
215 */
216 int
check_data_path(const char * dataPath,uid_t uid)217 check_data_path(const char* dataPath, uid_t uid)
218 {
219 int nn;
220
221 /* the path should be absolute */
222 if (dataPath[0] != '/') {
223 errno = EINVAL;
224 return -1;
225 }
226
227 /* look for all sub-paths, we do that by finding
228 * directory separators in the input path and
229 * checking each sub-path independently
230 */
231 for (nn = 1; dataPath[nn] != '\0'; nn++)
232 {
233 char subpath[PATH_MAX];
234
235 /* skip non-separator characters */
236 if (dataPath[nn] != '/')
237 continue;
238
239 /* handle trailing separator case */
240 if (dataPath[nn+1] == '\0') {
241 break;
242 }
243
244 /* found a separator, check that dataPath is not too long. */
245 if (nn >= (int)(sizeof subpath)) {
246 errno = EINVAL;
247 return -1;
248 }
249
250 /* reject any '..' subpath */
251 if (nn >= 3 &&
252 dataPath[nn-3] == '/' &&
253 dataPath[nn-2] == '.' &&
254 dataPath[nn-1] == '.') {
255 errno = EINVAL;
256 return -1;
257 }
258
259 /* copy to 'subpath', then check ownership */
260 memcpy(subpath, dataPath, nn);
261 subpath[nn] = '\0';
262
263 if (check_directory_ownership(subpath, AID_SYSTEM) < 0)
264 return -1;
265 }
266
267 /* All sub-paths were checked, now verify that the full data
268 * directory is owned by the application uid
269 */
270 if (check_directory_ownership(dataPath, uid) < 0)
271 return -1;
272
273 /* all clear */
274 return 0;
275 }
276
277 /* Return TRUE iff a character is a space or tab */
278 static inline int
is_space(char c)279 is_space(char c)
280 {
281 return (c == ' ' || c == '\t');
282 }
283
284 /* Skip any space or tab character from 'p' until 'end' is reached.
285 * Return new position.
286 */
287 static const char*
skip_spaces(const char * p,const char * end)288 skip_spaces(const char* p, const char* end)
289 {
290 while (p < end && is_space(*p))
291 p++;
292
293 return p;
294 }
295
296 /* Skip any non-space and non-tab character from 'p' until 'end'.
297 * Return new position.
298 */
299 static const char*
skip_non_spaces(const char * p,const char * end)300 skip_non_spaces(const char* p, const char* end)
301 {
302 while (p < end && !is_space(*p))
303 p++;
304
305 return p;
306 }
307
308 /* Find the first occurence of 'ch' between 'p' and 'end'
309 * Return its position, or 'end' if none is found.
310 */
311 static const char*
find_first(const char * p,const char * end,char ch)312 find_first(const char* p, const char* end, char ch)
313 {
314 while (p < end && *p != ch)
315 p++;
316
317 return p;
318 }
319
320 /* Check that the non-space string starting at 'p' and eventually
321 * ending at 'end' equals 'name'. Return new position (after name)
322 * on success, or NULL on failure.
323 *
324 * This function fails is 'name' is NULL, empty or contains any space.
325 */
326 static const char*
compare_name(const char * p,const char * end,const char * name)327 compare_name(const char* p, const char* end, const char* name)
328 {
329 /* 'name' must not be NULL or empty */
330 if (name == NULL || name[0] == '\0' || p == end)
331 return NULL;
332
333 /* compare characters to those in 'name', excluding spaces */
334 while (*name) {
335 /* note, we don't check for *p == '\0' since
336 * it will be caught in the next conditional.
337 */
338 if (p >= end || is_space(*p))
339 goto BAD;
340
341 if (*p != *name)
342 goto BAD;
343
344 p++;
345 name++;
346 }
347
348 /* must be followed by end of line or space */
349 if (p < end && !is_space(*p))
350 goto BAD;
351
352 return p;
353
354 BAD:
355 return NULL;
356 }
357
358 /* Parse one or more whitespace characters starting from '*pp'
359 * until 'end' is reached. Updates '*pp' on exit.
360 *
361 * Return 0 on success, -1 on failure.
362 */
363 static int
parse_spaces(const char ** pp,const char * end)364 parse_spaces(const char** pp, const char* end)
365 {
366 const char* p = *pp;
367
368 if (p >= end || !is_space(*p)) {
369 errno = EINVAL;
370 return -1;
371 }
372 p = skip_spaces(p, end);
373 *pp = p;
374 return 0;
375 }
376
377 /* Parse a positive decimal number starting from '*pp' until 'end'
378 * is reached. Adjust '*pp' on exit. Return decimal value or -1
379 * in case of error.
380 *
381 * If the value is larger than INT_MAX, -1 will be returned,
382 * and errno set to EOVERFLOW.
383 *
384 * If '*pp' does not start with a decimal digit, -1 is returned
385 * and errno set to EINVAL.
386 */
387 static int
parse_positive_decimal(const char ** pp,const char * end)388 parse_positive_decimal(const char** pp, const char* end)
389 {
390 const char* p = *pp;
391 int value = 0;
392 int overflow = 0;
393
394 if (p >= end || *p < '0' || *p > '9') {
395 errno = EINVAL;
396 return -1;
397 }
398
399 while (p < end) {
400 int ch = *p;
401 unsigned d = (unsigned)(ch - '0');
402 int val2;
403
404 if (d >= 10U) /* d is unsigned, no lower bound check */
405 break;
406
407 val2 = value*10 + (int)d;
408 if (val2 < value)
409 overflow = 1;
410 value = val2;
411 p++;
412 }
413 *pp = p;
414
415 if (overflow) {
416 errno = EOVERFLOW;
417 value = -1;
418 }
419 return value;
420 }
421
422 /* Read the system's package database and extract information about
423 * 'pkgname'. Return 0 in case of success, or -1 in case of error.
424 *
425 * If the package is unknown, return -1 and set errno to ENOENT
426 * If the package database is corrupted, return -1 and set errno to EINVAL
427 */
428 int
get_package_info(const char * pkgName,uid_t userId,PackageInfo * info)429 get_package_info(const char* pkgName, uid_t userId, PackageInfo *info)
430 {
431 char* buffer;
432 size_t buffer_len;
433 const char* p;
434 const char* buffer_end;
435 int result = -1;
436
437 info->uid = 0;
438 info->isDebuggable = 0;
439 info->dataDir[0] = '\0';
440 info->seinfo[0] = '\0';
441
442 buffer = map_file(PACKAGES_LIST_FILE, &buffer_len);
443 if (buffer == NULL)
444 return -1;
445
446 p = buffer;
447 buffer_end = buffer + buffer_len;
448
449 /* expect the following format on each line of the control file:
450 *
451 * <pkgName> <uid> <debugFlag> <dataDir> <seinfo>
452 *
453 * where:
454 * <pkgName> is the package's name
455 * <uid> is the application-specific user Id (decimal)
456 * <debugFlag> is 1 if the package is debuggable, or 0 otherwise
457 * <dataDir> is the path to the package's data directory (e.g. /data/data/com.example.foo)
458 * <seinfo> is the seinfo label associated with the package
459 *
460 * The file is generated in com.android.server.PackageManagerService.Settings.writeLP()
461 */
462
463 while (p < buffer_end) {
464 /* find end of current line and start of next one */
465 const char* end = find_first(p, buffer_end, '\n');
466 const char* next = (end < buffer_end) ? end + 1 : buffer_end;
467 const char* q;
468 int uid, debugFlag;
469
470 /* first field is the package name */
471 p = compare_name(p, end, pkgName);
472 if (p == NULL)
473 goto NEXT_LINE;
474
475 /* skip spaces */
476 if (parse_spaces(&p, end) < 0)
477 goto BAD_FORMAT;
478
479 /* second field is the pid */
480 uid = parse_positive_decimal(&p, end);
481 if (uid < 0)
482 return -1;
483
484 info->uid = (uid_t) uid;
485
486 /* skip spaces */
487 if (parse_spaces(&p, end) < 0)
488 goto BAD_FORMAT;
489
490 /* third field is debug flag (0 or 1) */
491 debugFlag = parse_positive_decimal(&p, end);
492 switch (debugFlag) {
493 case 0:
494 info->isDebuggable = 0;
495 break;
496 case 1:
497 info->isDebuggable = 1;
498 break;
499 default:
500 goto BAD_FORMAT;
501 }
502
503 /* skip spaces */
504 if (parse_spaces(&p, end) < 0)
505 goto BAD_FORMAT;
506
507 /* fourth field is data directory path and must not contain
508 * spaces.
509 */
510 q = skip_non_spaces(p, end);
511 if (q == p)
512 goto BAD_FORMAT;
513
514 /* If userId == 0 (i.e. user is device owner) we can use dataDir value
515 * from packages.list, otherwise compose data directory as
516 * /data/user/$uid/$packageId
517 */
518 if (userId == 0) {
519 p = string_copy(info->dataDir, sizeof info->dataDir, p, q - p);
520 } else {
521 snprintf(info->dataDir,
522 sizeof info->dataDir,
523 "/data/user/%d/%s",
524 userId,
525 pkgName);
526 p = q;
527 }
528
529 /* skip spaces */
530 if (parse_spaces(&p, end) < 0)
531 goto BAD_FORMAT;
532
533 /* fifth field is the seinfo string */
534 q = skip_non_spaces(p, end);
535 if (q == p)
536 goto BAD_FORMAT;
537
538 string_copy(info->seinfo, sizeof info->seinfo, p, q - p);
539
540 /* Ignore the rest */
541 result = 0;
542 goto EXIT;
543
544 NEXT_LINE:
545 p = next;
546 }
547
548 /* the package is unknown */
549 errno = ENOENT;
550 result = -1;
551 goto EXIT;
552
553 BAD_FORMAT:
554 errno = EINVAL;
555 result = -1;
556
557 EXIT:
558 unmap_file(buffer, buffer_len);
559 return result;
560 }
561