adbd: lessen security constraints when the device is unlocked

ALLOW_ADBD_ROOT ('adb root') and ALLOW_ADBD_NO_AUTH (ro.adb.secure = 0) are false in user build. This prevents a non-A/B device from running Treble VTS because it requires 'adb root'. Without ALLOW_ADBD_NO_AUTH, adb still can work if ro.adb.secure = 1. However, allowing it to be 0 is better for test automation. The image combination in VTS is: - system.img (userdebug): provided by Googlg - boot.img (user): provided by the OEM <-- adbd is here - vendor.img (user): provided by the OEM This change allows 'adb root' and 'ro.adb.secure = 0' when the device is unlocked in user build. No changes for userdebug/eng builds. Note that the device must be unlocked when running VTS. Otherwise, verified boot will prevent it from booting the system.img provided by Google (no verity metadata). Bug: 63313955 Bug: 63381692 Test: use the above image combination, check 'adb root' and 'ro.adb.secure = 0' can work Change-Id: I109d96c950e54c4fb0ac0c98b989a20593681e52
2017-07-11 21:47:54 +08:00 · 2017-07-11 21:47:54 +08:00 · f1d3dbc32f
parent 420eabe3b3
commit f1d3dbc32f
2 changed files with 16 additions and 10 deletions
--- a/adb/Android.mk
+++ b/adb/Android.mk
@ -350,11 +350,11 @@ LOCAL_CFLAGS := \
    -D_GNU_SOURCE \
    -Wno-deprecated-declarations \

+LOCAL_CFLAGS += -DALLOW_ADBD_ROOT=$(if $(filter userdebug eng,$(TARGET_BUILD_VARIANT)),1,0)
 LOCAL_CFLAGS += -DALLOW_ADBD_NO_AUTH=$(if $(filter userdebug eng,$(TARGET_BUILD_VARIANT)),1,0)

 ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
 LOCAL_CFLAGS += -DALLOW_ADBD_DISABLE_VERITY=1
-LOCAL_CFLAGS += -DALLOW_ADBD_ROOT=1
 endif

 LOCAL_MODULE := adbd
--- a/adb/daemon/main.cpp
+++ b/adb/daemon/main.cpp
@ -49,17 +49,23 @@

 static const char* root_seclabel = nullptr;

+static inline bool is_device_unlocked() {
+    return "orange" == android::base::GetProperty("ro.boot.verifiedbootstate", "");
+}
+
 static void drop_capabilities_bounding_set_if_needed(struct minijail *j) {
-#if defined(ALLOW_ADBD_ROOT)
-    if (__android_log_is_debuggable()) {
-        return;
+    if (ALLOW_ADBD_ROOT || is_device_unlocked()) {
+        if (__android_log_is_debuggable()) {
+            return;
+        }
    }
-#endif
    minijail_capbset_drop(j, CAP_TO_MASK(CAP_SETUID) | CAP_TO_MASK(CAP_SETGID));
 }

 static bool should_drop_privileges() {
-#if defined(ALLOW_ADBD_ROOT)
+    // "adb root" not allowed, always drop privileges.
+    if (!ALLOW_ADBD_ROOT && !is_device_unlocked()) return true;
+
    // The properties that affect `adb root` and `adb unroot` are ro.secure and
    // ro.debuggable. In this context the names don't make the expected behavior
    // particularly obvious.
@ -89,9 +95,6 @@ static bool should_drop_privileges() {
    }

    return drop;
-#else
-    return true; // "adb root" not allowed, always drop privileges.
-#endif // ALLOW_ADBD_ROOT
 }

 static void drop_privileges(int server_port) {
@ -158,7 +161,10 @@ int adbd_main(int server_port) {
    // descriptor will always be open.
    adbd_cloexec_auth_socket();

-    if (ALLOW_ADBD_NO_AUTH && !android::base::GetBoolProperty("ro.adb.secure", false)) {
+    // Respect ro.adb.secure in userdebug/eng builds (ALLOW_ADBD_NO_AUTH), or when the
+    // device is unlocked.
+    if ((ALLOW_ADBD_NO_AUTH || is_device_unlocked()) &&
+        !android::base::GetBoolProperty("ro.adb.secure", false)) {
        auth_required = false;
    }