Commit Graph

22 Commits

Author SHA1 Message Date
Jorge Lucangeli Obes a377ff0d4a run-as: Use Minijail for privilege dropping.
Arguably, we don't need a ScopedMinijail for a program that only execs,
but I'd rather keep the code consistent and have all uses of Minijail
be good examples.

Bug: 30156807

Change-Id: I08a968835e0f3e2afcd5e7736626edbed658cde2
2016-07-19 11:03:52 -04:00
Elliott Hughes 0c8bf5798f Switch run-as to libpackagelistparser.
We already have to have a Java and a native implementation; we don't
need _two_ native implementations.

Change-Id: I0201205ce5079ef9c747abc37b0c8122cf8fb136
2016-07-07 16:50:32 -07:00
Elliott Hughes a372f6f241 Fix the run-as environment to better match su.
$USER and $LOGNAME along with $HOME were just plain wrong (leading to a
misleading interactive prompt), and it probably makes sense to reset the
variables that su would reset.

Bug: https://code.google.com/p/android/issues/detail?id=187438
Change-Id: I0404511453d371f36801f0212a8d72d93f0bc8ac
2015-11-03 14:31:46 -08:00
Oleksiy Vyalov a08d313bb8 Extend run-as with optional --user argument.
1. Calculate AID for spawned process as (100000 * $user) + uid_from_packages.list
2. Use /data/user/$user/$packageDir as a root of a new process if $user != 0.

Change-Id: I761dfb481114bd51e5a950307fcaf403e96eef10
(cherry picked from commit da31778f3b)
2015-06-10 12:09:10 -07:00
Mark Salyzyn 68ffc74e32 package missing include for string.h
package.c gets string.h inherited from
private/android_filesystem_config.h it should
not rely on this in the future. The intent is
to move fs_config function into libcutils and
thus deprecate any need for string.h in this
include file.

Bug: 19908228
Change-Id: I5db6d0a88c5b1eb9f582284e9bdd220c096ea69a
2015-04-01 11:15:37 -07:00
Mark Salyzyn db5334ad03 run-as: bracket capability
- do not assume that caller has granted effective bits in capabilities
- only elevate capabilities when needed
- suppress capabilities before exec when called as shell,shell,shell
- some Android coding standard cleanup

Bug: 19908228
Change-Id: Ibe3d1c1a0fdcb54c41d7a72395e50ad749df98ce
2015-03-31 09:44:48 -07:00
Mark Salyzyn 2e6e2713fb run-as: build 1161573 failure
- pointer to integer comparison.

Change-Id: I4a12c357ff5eaf2fc08c19c9efe7e2d7cb0dbe2e
2014-05-08 21:18:23 +00:00
Mark Salyzyn b9f5a2b9a0 run-as: turn on -Werror
- remove an abandoned code fragment

Change-Id: I32d4ad820772685c680d200dc00ef11d102c76bd
2014-05-07 16:56:21 -07:00
Alex Klyubin 5f39562466 am aed27f80: am b0739c66: Fix run-as which was broken in Android 4.3
* commit 'aed27f8018e4365aa52a5dd8e89c4db2df0273c5':
  Fix run-as which was broken in Android 4.3
2013-08-28 13:11:00 -07:00
Alex Klyubin b0739c662d Fix run-as which was broken in Android 4.3
In Android 4.3 the run-as binary no longer has the SUID/SGID bits
set. Instead, it requires to be installed with setuid and setgid
file-based capabilities. As a result of the above two changes, the
binary no longer executes as root when invoked by the "shell" user
but can still change its UID/GID to that of the target package.

Unfortunately, run-as attempts to chdir into the target package's
data directory before changing its effective UID/GID. As a result,
when run-as is invoked by the "shell" user, the chdir operation
fails.

The fix is for run-as to chdir after changing the effective UID/GID
to those of the target package.

Bug: 10154652

(cherry picked from commit f2904a7b63)

Change-Id: I0f6cb9efd49f5c2c491f7aa1d614d700a5ec2304
2013-08-21 12:15:27 -07:00
Alex Klyubin 18860c5249 Enable run-as to read packages.list now owned by package_info.
The group ownership of the package database
/data/system/packages.list read by run-as was changed in
977a9f3b1a from "system" to
"package_info". run-as currently changes its effective group to
"system" and is thus unable to read the database.

This CL fixes the issue by making run-as change its effective group
to "package_info" for reading the package database.

Bug: 10411916
Change-Id: Id23059bfb5b43264824917873a31c287f057ce4e
2013-08-20 15:16:31 -07:00
Jeff Sharkey 977a9f3b1a Add legacy layout support to FUSE, enforce write.
The legacy internal layout places users at the top-level of the
filesystem, so handle with new PERM_LEGACY_PRE_ROOT when requested.

Mirror single OBB directory between all users without requiring fancy
bind mounts by letting a nodes graft in another part of the
underlying tree.

Move to everything having "sdcard_r" GID by default, and verify that
calling apps hold "sdcard_rw" when performing mutations. Determines
app group membership from new packages.list column.

Flag to optionally enable sdcard_pics/sdcard_av permissions
splitting. Flag to supply a default GID for all files. Ignore
attempts to access security sensitive files. Fix run-as to check for
new "package_info" GID.

Change-Id: Id5f3680779109141c65fb8fa1daf56597f49ea0d
2013-08-14 12:01:38 -07:00
Geremy Condra 46e8991209 am f19e045c: am c8df252f: Merge "run-as: Get seinfo from packages.list and pass to libselinux."
* commit 'f19e045c58dafbdc46e848ec5a5c935f472dea34':
  run-as: Get seinfo from packages.list and pass to libselinux.
2013-03-28 14:32:49 -07:00
Robert Craig fced3ded83 run-as: Get seinfo from packages.list and pass to libselinux.
Change allows the proper seinfo value to be passed
to libselinux to switch to the proper app security
context before running the shell.

Change-Id: I9d7ea47c920b1bc09a19008345ed7fd0aa426e87
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2013-03-28 06:04:39 -04:00
Colin Cross 7c646cd359 am af4ececc: am 515bed0e: Merge "run-as: set the SELinux security context."
* commit 'af4ececc7bd10aec1240acfbfe7756ab8ee16883':
  run-as:  set the SELinux security context.
2013-03-05 18:52:28 +00:00
Nick Kralevich 080427e4e2 adb: drop capability bounding set on user builds
run-as: don't require CAP_DAC_OVERRIDE.

Prevent an adb spawned application from acquiring capabilities
other than

* CAP_NET_RAW
* CAP_SETUID
* CAP_SETGID

The only privileged programs accessible on user builds are
* /system/bin/ping
* /system/bin/run-as

and the capabilities above are sufficient to cover those
two programs.

If the kernel doesn't support file capabilities, we ignore
a prctl(PR_CAPBSET_DROP) failure. In a future CL, this could
become a fatal error.

Change-Id: I45a56712bfda35b5ad9378dde9e04ab062fe691a
2013-02-15 21:22:19 -08:00
Stephen Smalley 4ead8beac8 run-as: set the SELinux security context.
Before invoking the specified command or a shell, set the
SELinux security context.

Change-Id: Ifc7f91aed9d298290b95d771484b322ed7a4c594
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2012-11-13 12:56:48 -05:00
Nick Kralevich 4ae7716072 do more checks on packages.list
Change-Id: I16d6eab5e674c860be915fde2da7877994bed314
2012-02-09 11:22:33 -08:00
Nick Kralevich b2d8f896b6 Don't statically compile run-as
Bug: 5904033
Change-Id: Ie815f09a2bf51ad583ded82f652d162a7f70b87e
2012-01-23 11:10:06 -08:00
David 'Digit' Turner 5792ce79cc run-as: use mmap to read package list file
This patch uses mmap() to read /data/system/packages.list

This avoids depending on the size of a fixed static buffer
which may happen to be too short for systems with a lot of
packages installed.

Also avoids calling malloc() which we don't want to trust here
since run-as is a setuid program.

Change-Id: I1d640a08b5d73af2fc80546b01c8d970c7f6b514
2011-12-06 14:22:30 -08:00
David 'Digit' Turner 93d81ef7a1 run-as: Bump the size of the internal packages list buffer.
This patch increases the size of the internal buffer used by run-as
to store the content of /data/system/packages.list from 8KB to 64KB.

It has been reported that, on some systems, 8KB was too small. This
resulted in a truncated file being loaded, and the inability to debug
native applications properly (either because the application was not
found in the list, or because the tool reported a 'corrupted
installation' due to BAD_FORMAT issues when parsing the truncated
file).

See http://code.google.com/p/android/issues/detail?id=16391

Change-Id: I0c35a61b163c4abc6f1a2681adc0ef0d76493171
2011-06-06 12:43:01 +02:00
David 'Digit' Turner 1f4d95296a Add 'run-as' command implementation as set-uid program.
Typical usage is 'run-as <package-name> <command>' to run <command>
in the data directory, and the user id, of <package-name> if, and only
if <package-name> is the name of an installed and debuggable application.

This relies on the /data/system/packages.list file generated by the
PackageManager service.

BEWARE: This is intended to be available on production devices !
2010-03-17 11:02:08 -07:00