Commit Graph

11436 Commits

Author SHA1 Message Date
Nick Kralevich bc60954fae builtins.c: Don't require file open() for chmod/chown
42a9349dc4 modified init's
builtin chmod, chown, and mkdir calls to avoid following
symlinks. This addressed a number of attacks we were seeing
at the time where poorly written init scripts were following
attacker supplied symlinks resulting in rooting vulnerabilities.

To avoid race conditions, the previous implementation only ran
fchown / fchmod on file descriptors opened with open(O_NOFOLLOW).
Unfortunately, unlike the normal "chown" or "chmod" calls, this
requires read or write access to the underlying file. This
isn't ideal, as opening some files may have side effects, or
init may not have permission to open certain files (such as when
SELinux is enabled).

Instead of using open(O_NOFOLLOW) + fchown(), use lchown() instead.
As before, the target of the symlink won't be modified by chown.
This also supports setting the ownership of symlinks.

Instead of using open(O_NOFOLLOW) + fchmod(), use
fchmodat(AT_SYMLINK_NOFOLLOW) instead. As before, the target of the
symlink won't be modified by chmod.

This change will continue to ensure that chown/chmod/mkdir doesn't
follow symlinks, without requiring init to open every file in
read-only or read-write mode.

This change depends on bionic commit I1eba0cdb2c509d9193ceecf28f13118188a3cfa7

Addresses the following mako/occam SELinux denial:

  audit(1422770408.951:6): avc:  denied  { write } for  pid=1 comm="init" name="smd7" dev="tmpfs" ino=7207 scontext=u:r:init:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file

Change-Id: I14fde956784d65c44e7aa91dd7eea9a004df3081
2015-02-02 13:45:21 -08:00
Elliott Hughes 88342c99a1 Merge "The bsddroid project has been dead since 2010." 2015-02-02 19:29:23 +00:00
Dmitriy Ivanov 7cb19579bc Merge "Add close_file flag to OpenArchiveFd()" 2015-02-02 18:48:29 +00:00
Elliott Hughes 506aea4361 The bsddroid project has been dead since 2010.
And even if it wasn't, they should probably keep this stuff in their own
repository.

Change-Id: If9fa2e47ee2700098d8a99f6986f7e89fc6dfdf3
2015-01-31 11:24:14 -08:00
Nick Kralevich d07555dba0 Merge "ensure /data/tombstones exists on all Android devices" 2015-01-31 02:06:46 +00:00
Dmitriy Ivanov 40b52b2c88 Add close_file flag to OpenArchiveFd()
* We should be able to keep fd alive after CloseArchive()

Change-Id: I1aa2c039bb2a590ae72f256acc9ba5401c2c59b1
2015-01-30 17:57:13 -08:00
Nick Kralevich 0359d778a5 ensure /data/tombstones exists on all Android devices
/data/tombstones is referenced by core platform code, but is not
guaranteed to exist on all Android devices. Move the directory
creation out of device specific files and into the core
init.rc file.

Bug: https://code.google.com/p/android/issues/detail?id=93207
Change-Id: I94ae5199a6a32c4fe555ca994fc4a8345e0c9690
2015-01-30 17:38:06 -08:00
Elliott Hughes 6b1d86322e Merge "Add missing includes." 2015-01-30 06:24:20 +00:00
Elliott Hughes 3d74d7a739 Add missing includes.
Change-Id: Iaa130c0a7eb2cbc0c8486546e5b622661b6d9e23
2015-01-29 21:31:23 -08:00
Elliott Hughes 0114e1243a Merge "Add ps --ppid." 2015-01-30 04:03:40 +00:00
Elliott Hughes b5fc3132ee Add ps --ppid.
Needed for a libcore test.

Change-Id: Ia21ecf5f7bd8be7f1882d0014d7949d40f6841a5
2015-01-29 17:20:47 -08:00
Dan Albert d170bb035d Merge "Remove fastbootd." 2015-01-29 22:48:19 +00:00
Dan Albert 71b99df503 Remove fastbootd.
Change-Id: I23240c7690763f8718c82cb0e8ffdcfa58d02629
2015-01-29 10:37:25 -08:00
Paul Lawrence 07dcb12e3e Merge changes If22008be,Id0049ce6
* changes:
  Make encryption configurable
  Provide a way to select force encryption from vendor partition
2015-01-28 21:14:09 +00:00
Elliott Hughes 06b4e9826a Merge "Add missing <malloc.h> and <string.h> includes." 2015-01-28 19:46:59 +00:00
Paul Lawrence 36d0eaecd7 Make encryption configurable
Delay mounting encryptable but unencrypted volumes until we can
check the ro.vold.forceencrypt flag, then optionally encrypt.

Requires matching vold change from
    https://googleplex-android-review.git.corp.google.com/#/c/615309/

Bug: 18764230
Change-Id: If22008be8de6a4f3216b349f81ace49be1730314
2015-01-28 11:41:53 -08:00
Paul Lawrence 2f7ee6b7dd Provide a way to select force encryption from vendor partition
This allows a vendor to force encryption on devices via a vendor
partition flag:

ro.vold.forceencryption 1

Bug: 18764230
Change-Id: Id0049ce64e34e4f6f96e593aadd70c277ac131c8
2015-01-28 11:41:35 -08:00
Elliott Hughes a744b05984 Add missing <malloc.h> and <string.h> includes.
Change-Id: Ia41756e607663d056e7d2fdd7ecbec7e5841a913
2015-01-28 11:37:57 -08:00
Sami Tolvanen 9c4c5a6ed9 Merge "Verify token length before adb signs it" 2015-01-28 14:32:52 +00:00
Elliott Hughes a034362be4 Merge "Make server port option work on windows" 2015-01-28 03:29:06 +00:00
Elliott Hughes 9e376744d3 Merge "adb: tracing: don't make strings if runtime tracing is disabled" 2015-01-28 00:05:58 +00:00
Spencer Low 0de77ffec6 adb: tracing: don't make strings if runtime tracing is disabled
If tracing was not enabled (the ADB_TRACE environment variable was not
set specially), writex() and readx() would still call dump_hex() which
would construct hex tracing strings, which would be immediately
discarded and not printed (because tracing is not enabled).

The fix is to only call dump_hex() if ADB_TRACING evalutes to true, the
same way that dump_packet() is only called if ADB_TRACING evaluates to
true.

Change-Id: I1651680da344389475ebdeea77ba1982960d5764
Signed-off-by: Spencer Low <CompareAndSwap@gmail.com>
2015-01-27 15:42:14 -08:00
Yabin Cui e862350bb2 Merge "Kill HAVE_PTHREADS." 2015-01-27 22:33:28 +00:00
Yabin Cui 4a6e5a3b64 Kill HAVE_PTHREADS.
Bug: 19083585
Change-Id: Ic09eb3dd250bc5c5b63cac7998f99f5fa007f407
2015-01-27 14:23:22 -08:00
Elliott Hughes c6091d6bfd Merge "adb: Win32: set socket buffer sizes properly" 2015-01-27 18:17:40 +00:00
Sami Tolvanen 7b9c20d3b2 Verify token length before adb signs it
Currently, a host running adb will sign a token of any length passed
to it by a device, effectively acting as a signing oracle. If the
ADB_VENDOR_KEYS environment variable is used to specify an additional
key to use, this behavior is not only unexpected, but probably also
unwanted. Further discussion can be found from this thread:

  http://www.metzdowd.com/pipermail/cryptography/2015-January/024423.html

This change adds a check to ensure token length matches TOKEN_SIZE
before it's signed, which prevents an attacker from signing longer
messages.

Change-Id: I7b2cc1f051941bf9b66e1c02980850bede501793
2015-01-27 17:19:35 +00:00
Spencer Low f055c193b8 adb: Win32: set socket buffer sizes properly
On Windows, adb_socket_setbufsize() was taking a file descriptor value
from the compatibility layer in sysdeps_win32.c (namely, an index into
the _win32_fhs array) and passing it to the Winsock setsockopt() call,
which wants a Winsock SOCKET handle. Basically, adb_socket_setbufsize()
was passing `fd` instead of `_fh_from_int(fd)->fh_socket`, resulting in
adb effectively setting a socket buffer size on a random socket in the
process.

The fix is to introduce adb_setsockopt() which just calls setsockopt()
on non-Win32, and which uses the Winsock SOCKET handle on Win32. The
change also moves Win32 disable_tcp_nagle() to a header and adds an
extra sanity check to adb_shutdown().

Change-Id: I4354e818d27538f7ff5b0e70b28bdb6300e1b98b
Signed-off-by: Spencer Low <CompareAndSwap@gmail.com>
2015-01-26 21:56:26 -08:00
Dan Albert a76f057af8 Merge "Protect from eng vs userdebug build breaks." 2015-01-27 02:04:57 +00:00
Dan Albert 1f09bdaf59 Protect from eng vs userdebug build breaks.
Using a const bool rather than an ifdef means the compiler can still
protect us from breaking code paths that aren't included in every
build variant.

Change-Id: Ic45c8fb52cd66c3ce090d760cdb92104e31265f5
2015-01-26 17:49:17 -08:00
Dan Albert fe68578716 Merge "Fix userdebug build." 2015-01-27 01:30:24 +00:00
Dan Albert accebbfc3e Merge "Fix win_sdk build." 2015-01-27 01:16:06 +00:00
Dan Albert 030b76fc1d Fix userdebug build.
Apparently this code I thought was unused is just unused for eng
builds...

Bug: 17626262
Change-Id: I2e5f411a2ead7f23d9f5822935de66c992750a03
2015-01-26 17:14:23 -08:00
Dan Albert 4626b71057 Fix win_sdk build.
Hadn't caught this in the previous submission because I tested the
build with another change on top of it that also fixes this.

Bug: 17626262
Change-Id: Ia40127618a5466e382081760d614ff7fc09d50a3
2015-01-26 17:07:47 -08:00
Dan Albert 64a5ff963c Merge "Begin moving code from adb to libadb." 2015-01-27 00:50:49 +00:00
Dan Albert 630b9afeb0 Begin moving code from adb to libadb.
Much of adb is duplicated in bootable/recovery/minadb and fastboot.
Changes made to adb rarely get ported to the other two, so the trees
have diverged a bit. We'd like to stop this because it is a
maintenance nightmare, but the divergence makes this difficult to do
all at once. For now, we will start small by moving common files into
a static library. Hopefully some day we can get enough of adb in here
that we no longer need minadb.

Bug: 17626262
Change-Id: Ic8d5653bfcc0fec4e1acbece124402355084b864
2015-01-26 16:45:34 -08:00
Christopher Ferris 55dfa96b1f Merge "Remove the pt_regs_mips_t structure." 2015-01-27 00:44:00 +00:00
Christopher Ferris b817094081 Remove the pt_regs_mips_t structure.
The kernel finally has the pt_regs structure properly defined for mips,
so we don't need to define it ourselves.

Change-Id: Ifdf75ed827cd2390962e9b3a182bdbbf02fe0732
2015-01-26 13:52:35 -08:00
Christopher Ferris fb538fb13d Merge "Fix the v2 descriptor handling." 2015-01-26 21:28:06 +00:00
Christopher Ferris c49f51c451 Fix the v2 descriptor handling.
There was a misinterpretation of how the v2 header works. The flags
in the header indicate what is in the rest of the structure.

Bug: 19127803

Change-Id: I5fa0dae6da51522c9afc4c94838eb6f462208683
2015-01-26 12:50:35 -08:00
Mike Lockwood 5abd3d0b79 Merge "adbd: tcpip command uses port number from uninitialized memory" 2015-01-26 19:04:43 +00:00
Spencer Low 943ef23b3d adbd: tcpip command uses port number from uninitialized memory
If you run `adb tcpip`, adbd tries to process a string of 'tcpip:' using
this code:

    } else if(!strncmp(name, "tcpip:", 6)) {
        int port;
        if (sscanf(name + 6, "%d", &port) == 0) {
            port = 0;
        }
        ret = create_service_thread(restart_tcp_service, (void *) (uintptr_t) port);

If a zero-length string is passed to sscanf(), it returns EOF (-1) which
causes the if statement to skip the block, leaving the port variable
uninitialized.

I found this by running `adb tcpip` and sometimes getting 'invalid port'
and sometimes a device would start listening on a random port number.

The fix is to check the sscanf() return value for the success case (the
number of items successfully parsed), as is already done in other parts
of the adb code. I also fixed-up another instance of the same
code-pattern in services.c.

Change-Id: I8c9c33485ad076828da0ac74f048fdad561669d3
Signed-off-by: Spencer Low <CompareAndSwap@gmail.com>
2015-01-25 17:38:36 -08:00
Elliott Hughes e21d7ae89e Merge "Remove obsolete BUILD_TINY_ANDROID." 2015-01-25 16:08:06 +00:00
Elliott Hughes 110dd4b24b Remove obsolete BUILD_TINY_ANDROID.
Change-Id: I876bce99efb40cd791256535d8d6c0d046b7aeae
2015-01-24 22:39:10 -08:00
Elliott Hughes ae79cb5a81 Merge "Add missing <string.h> includes." 2015-01-25 05:06:52 +00:00
Elliott Hughes 2b7d75d2e6 Add missing <string.h> includes.
Change-Id: I3d1ad54418f69f947e2d829d63b53d44581bfd86
2015-01-24 20:03:09 -08:00
Elliott Hughes d098493293 Merge "Remove obsolete BUILD_TINY_ANDROID check from libsysutils makefile" 2015-01-24 18:06:26 +00:00
Trevor Drake d1ad84cfa4 Remove obsolete BUILD_TINY_ANDROID check from libsysutils makefile
Change-Id: I3cd1430b1555a5cd27b31ed3eebc1663f43e7b3b
2015-01-24 07:02:50 +00:00
Elliott Hughes 492dd1e5c1 Merge "Remove obsolete BUILD_TINY_ANDROID check from healthd makefile" 2015-01-24 05:22:14 +00:00
Trevor Drake 27d53d3d86 Remove obsolete BUILD_TINY_ANDROID check from healthd makefile
Change-Id: I7e23236e7725891d07368dd8ea8d667014d7dc78
2015-01-24 04:26:16 +00:00
Chih-Hung Hsieh cb4ae20d72 Merge "Enable clang for init, after fix of global .mk files." 2015-01-24 01:14:23 +00:00