Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d076857c authored by Josh Gao's avatar Josh Gao
Browse files

adbd: remove ifdefs guarding root/secure. 

The same adbd module prebuilt will get used for both user and userdebug
builds in the post-APEX world, so we can't guard functionality with
product variable ifdefs anymore.

The code that was previously compiled out runs before we drop root, so
the increased attack surface essentially consists of an attacker having
control over system properties, and that likely implies that we're
doomed already (either they have filesystem control, or they have code
execution in init).

Bug: http://b/158156979
Test: treehugger
Change-Id: Ia70d3140189e5212beb813ff719355e30ca5fa04
parent a8b8d108

adb/Android.bp

+0 −11
Original line number Diff line number Diff line
@@ -25,7 +25,6 @@ cc_defaults { 
        "-Wthread-safety",

        "-Wvla",

        "-DADB_HOST=1",         // overridden by adbd_defaults

        "-DALLOW_ADBD_ROOT=0",  // overridden by adbd_defaults

        "-DANDROID_BASE_UNIQUE_FD_DISABLE_IMPLICIT_CONVERSION=1",

    ],

    cpp_std: "experimental",
@@ -81,16 +80,6 @@ cc_defaults { 
    defaults: ["adb_defaults"],



    cflags: ["-UADB_HOST", "-DADB_HOST=0"],

    product_variables: {

        debuggable: {

            cflags: [

                "-UALLOW_ADBD_ROOT",

                "-DALLOW_ADBD_ROOT=1",

                "-DALLOW_ADBD_DISABLE_VERITY",

                "-DALLOW_ADBD_NO_AUTH",

            ],

        },

    },

}



cc_defaults {

adb/daemon/main.cpp

+5 −26
Original line number Diff line number Diff line
@@ -62,23 +62,7 @@ 
#if defined(__ANDROID__)

static const char* root_seclabel = nullptr;



static inline bool is_device_unlocked() {

    return "orange" == android::base::GetProperty("ro.boot.verifiedbootstate", "");

}



static bool should_drop_capabilities_bounding_set() {

    if (ALLOW_ADBD_ROOT || is_device_unlocked()) {

        if (__android_log_is_debuggable()) {

            return false;

        }

    }

    return true;

}



static bool should_drop_privileges() {

    // "adb root" not allowed, always drop privileges.

    if (!ALLOW_ADBD_ROOT && !is_device_unlocked()) return true;



    // The properties that affect `adb root` and `adb unroot` are ro.secure and

    // ro.debuggable. In this context the names don't make the expected behavior

    // particularly obvious.
@@ -132,7 +116,7 @@ static void drop_privileges(int server_port) { 
    // Don't listen on a port (default 5037) if running in secure mode.

    // Don't run as root if running in secure mode.

    if (should_drop_privileges()) {

        const bool should_drop_caps = should_drop_capabilities_bounding_set();

        const bool should_drop_caps = !__android_log_is_debuggable();



        if (should_drop_caps) {

            minijail_use_caps(jail.get(), CAP_TO_MASK(CAP_SETUID) | CAP_TO_MASK(CAP_SETGID));
@@ -218,15 +202,10 @@ int adbd_main(int server_port) { 
    // descriptor will always be open.

    adbd_cloexec_auth_socket();



#if defined(__ANDROID_RECOVERY__)

    if (is_device_unlocked() || __android_log_is_debuggable()) {

        auth_required = false;

    }

#elif defined(ALLOW_ADBD_NO_AUTH)

    // If ro.adb.secure is unset, default to no authentication required.

    auth_required = android::base::GetBoolProperty("ro.adb.secure", false);

#elif defined(__ANDROID__)

    if (is_device_unlocked()) {  // allows no authentication when the device is unlocked.

#if defined(__ANDROID__)

    // If we're on userdebug/eng or the device is unlocked, permit no-authentication.

    bool device_unlocked = "orange" == android::base::GetProperty("ro.boot.verifiedbootstate", "");

    if (__android_log_is_debuggable() || device_unlocked) {

        auth_required = android::base::GetBoolProperty("ro.adb.secure", false);

    }

#endif