
Commit 080427e4 authored by Nick Kralevich's avatar Nick Kralevich

adb: drop capability bounding set on user builds

run-as: don't require CAP_DAC_OVERRIDE.

Prevent an adb-spawned application from acquiring capabilities
other than

* CAP_NET_RAW
* CAP_SETUID
* CAP_SETGID

The only privileged programs accessible on user builds are
* /system/bin/ping
* /system/bin/run-as

and the capabilities above are sufficient to cover those
two programs.

If the kernel doesn't support file capabilities, we ignore
a prctl(PR_CAPBSET_DROP) failure. In a future CL, this could
become a fatal error.

Change-Id: I45a56712bfda35b5ad9378dde9e04ab062fe691a
parent bcfa9106
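--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1184,6 +1184,33 @@ void build_local_name(char* target_str, size_t target_size, int server_port)
 }
 
 #if !ADB_HOST
+
+static void drop_capabilities_bounding_set_if_needed() {
+#ifdef ALLOW_ADBD_ROOT
+    char value[PROPERTY_VALUE_MAX];
+    property_get("ro.debuggable", value, "");
+    if (strcmp(value, "1") == 0) {
+        return;
+    }
+#endif
+    int i;
+    for (i = 0; prctl(PR_CAPBSET_READ, i, 0, 0, 0) >= 0; i++) {
+        if ((i == CAP_NET_RAW) || (i == CAP_SETUID) || (i == CAP_SETGID)) {
+            // CAP_NET_RAW needed by /system/bin/ping
+            // CAP_SETUID CAP_SETGID needed by /system/bin/run-as
+            continue;
+        }
+        int err = prctl(PR_CAPBSET_DROP, i, 0, 0, 0);
+
+        // Some kernels don't have file capabilities compiled in, and
+        // prctl(PR_CAPBSET_DROP) returns EINVAL. Don't automatically
+        // die when we see such misconfigured kernels.
+        if ((err < 0) && (errno != EINVAL)) {
+            exit(1);
+        }
+    }
+}
+
 static int should_drop_privileges() {
 #ifndef ALLOW_ADBD_ROOT
     return 1;
@@ -1278,6 +1305,8 @@ int adb_main(int is_daemon, int server_port)
             exit(1);
         }
 
+        drop_capabilities_bounding_set_if_needed();
+
         /* add extra groups:
         ** AID_ADB to access the USB driver
         ** AID_LOG to read system logs (adb logcat)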
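Review bot: The `exit(1)` inside the loop of drop_capabilities_bounding_set_if_needed emits no diagnostic, so a kernel that rejects the drop with anything other than EINVAL (for example EPERM if CAP_SETPCAP is not held at that point) kills adbd silently and leaves an operator nothing to act on; logging the capability index and errno through the file's existing error/fatal helper before exiting, e.g. replacing the bare `exit(1);` with `fatal("PR_CAPBSET_DROP %d failed: %s", i, strerror(errno));` or its local equivalent, would make the failure diagnosable. The EINVAL tolerance also means that on such a kernel every adbd-spawned process keeps the full bounding set, which the comment above the check should state plainly, e.g. `// On such kernels the bounding set is left intact; see commit message.`. The `if (i == CAP_NET_RAW) ...` allow-list duplicates the rationale given in the commit message and would be easier to audit as a small `static const int kept_caps[]` table with one comment per entry. The call added in adb_main must run while adbd still holds CAP_SETPCAP, presumably before the setgid/setuid sequence that follows the group setup; adb_main starts and ends outside this hunk, so that ordering cannot be confirmed from what is shown.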
+18 −1
@@ -76,13 +76,30 @@ map_file(const char* filename, size_t* filesize)
    struct stat  st;
    struct stat  st;
    size_t  length = 0;
    size_t  length = 0;
    void*   address = NULL;
    void*   address = NULL;
    gid_t   oldegid;


    *filesize = 0;
    *filesize = 0;


    /*
     * Temporarily switch effective GID to allow us to read
     * the packages file
     */

    oldegid = getegid();
    if (setegid(AID_SYSTEM) < 0) {
        return NULL;
    }

    /* open the file for reading */
    /* open the file for reading */
    fd = TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
    fd = TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
    if (fd < 0)
    if (fd < 0) {
        return NULL;
        return NULL;
    }

    /* restore back to our old egid */
    if (setegid(oldegid) < 0) {
        goto EXIT;
    }


    /* get its size */
    /* get its size */
    ret = TEMP_FAILURE_RETRY(fstat(fd, &st));
    ret = TEMP_FAILURE_RETRY(fstat(fd, &st));