
Commit 297a8381 authored by Jorge Lucangeli Obes's avatar Jorge Lucangeli Obes Committed by Gerrit Code Review

Merge "adb: Use Minijail for privilege dropping."

parents 64cc0825 683dc481
+4 −1
@@ -346,6 +346,9 @@ LOCAL_STATIC_LIBRARIES := \
    libsquashfs_utils \
    libcutils \
    libbase \
    libcrypto_static
    libcrypto_static \
    libminijail \
    libminijail_generated \
    libcap

include $(BUILD_EXECUTABLE)
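Review bot: The three new static libraries are added to LOCAL_STATIC_LIBRARIES without any note of why adbd now links them, and this list is the only place a build maintainer will look when one of them is later removed or reordered. A short comment above `libminijail \` such as `# Minijail implements privilege dropping for adbd (see drop_privileges); libcap is listed after it for static link order` would record both the purpose and the ordering constraint. The dependency of libminijail on libcap is inferred from the link order here rather than shown in this hunk, so the wording should be confirmed against the Minijail build before landing.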
+25 −15
@@ -25,8 +25,12 @@
#include <getopt.h>
#include <sys/prctl.h>

#include <memory>

#include <android-base/logging.h>
#include <android-base/stringprintf.h>
#include <libminijail.h>

#include "cutils/properties.h"
#include "private/android_filesystem_config.h"
#include "selinux/android.h"
@@ -103,6 +107,9 @@ static bool should_drop_privileges() {
}

static void drop_privileges(int server_port) {
    std::unique_ptr<minijail, void (*)(minijail*)> jail(minijail_new(),
                                                        &minijail_destroy);

    // Add extra groups:
    // AID_ADB to access the USB driver
    // AID_LOG to read system logs (adb logcat)
@@ -117,25 +124,28 @@ static void drop_privileges(int server_port) {
                      AID_INET,     AID_NET_BT,    AID_NET_BT_ADMIN,
                      AID_SDCARD_R, AID_SDCARD_RW, AID_NET_BW_STATS,
                      AID_READPROC};
    if (setgroups(sizeof(groups) / sizeof(groups[0]), groups) != 0) {
        PLOG(FATAL) << "Could not set supplemental groups";
    if (minijail_set_supplementary_gids(
            jail.get(),
            sizeof(groups) / sizeof(groups[0]),
            groups) != 0) {
        LOG(FATAL) << "Could not configure supplementary groups";
    }

    /* don't listen on a port (default 5037) if running in secure mode */
    /* don't run as root if we are running in secure mode */
    // Don't listen on a port (default 5037) if running in secure mode.
    // Don't run as root if running in secure mode.
    if (should_drop_privileges()) {
        drop_capabilities_bounding_set_if_needed();

        /* then switch user and group to "shell" */
        if (setgid(AID_SHELL) != 0) {
            PLOG(FATAL) << "Could not setgid";
        }
        if (setuid(AID_SHELL) != 0) {
            PLOG(FATAL) << "Could not setuid";
        }
        minijail_change_gid(jail.get(), AID_SHELL);
        minijail_change_uid(jail.get(), AID_SHELL);
        // minijail_enter() will abort if any priv-dropping step fails.
        minijail_enter(jail.get());

        D("Local port disabled");
    } else {
        // minijail_enter() will abort if any priv-dropping step fails.
        minijail_enter(jail.get());

        if (root_seclabel != nullptr) {
            if (selinux_android_setcon(root_seclabel) < 0) {
                LOG(FATAL) << "Could not set SELinux context";