Loading cmds/dumpstate/DumpstateInternal.cpp +29 −7 Original line number Diff line number Diff line Loading @@ -18,6 +18,8 @@ #include "DumpstateInternal.h" #include <grp.h> #include <pwd.h> #include <stdint.h> #include <stdio.h> #include <string.h> Loading @@ -33,7 +35,6 @@ #include <android-base/file.h> #include <log/log.h> #include <private/android_filesystem_config.h> uint64_t Nanotime() { timespec ts; Loading @@ -43,7 +44,17 @@ uint64_t Nanotime() { // Switches to non-root user and group. bool DropRootUser() { if (getgid() == AID_SHELL && getuid() == AID_SHELL) { struct group* grp = getgrnam("shell"); gid_t shell_gid = grp != nullptr ? grp->gr_gid : 0; struct passwd* pwd = getpwnam("shell"); uid_t shell_uid = pwd != nullptr ? pwd->pw_uid : 0; if (!shell_gid || !shell_uid) { MYLOGE("Unable to get AID_SHELL: %s\n", strerror(errno)); return false; } if (getgid() == shell_gid && getuid() == shell_uid) { MYLOGD("drop_root_user(): already running as Shell\n"); return true; } Loading 
@@ -53,17 +64,28 @@ bool DropRootUser() { return false; } gid_t groups[] = {AID_LOG, AID_SDCARD_R, AID_SDCARD_RW, AID_MOUNT, AID_INET, AID_NET_BW_STATS, AID_READPROC, AID_BLUETOOTH}; if (setgroups(sizeof(groups) / sizeof(groups[0]), groups) != 0) { static const std::vector<std::string> group_names{ "log", "sdcard_r", "sdcard_rw", "mount", "inet", "net_bw_stats", "readproc", "bluetooth"}; std::vector<gid_t> groups(group_names.size(), 0); for (size_t i = 0; i < group_names.size(); ++i) { grp = getgrnam(group_names[i].c_str()); groups[i] = grp != nullptr ? grp->gr_gid : 0; if (groups[i] == 0) { MYLOGE("Unable to get required gid '%s': %s\n", group_names[i].c_str(), strerror(errno)); return false; } } if (setgroups(groups.size(), groups.data()) != 0) { MYLOGE("Unable to setgroups, aborting: %s\n", strerror(errno)); return false; } if (setgid(AID_SHELL) != 0) { if (setgid(shell_gid) != 0) { MYLOGE("Unable to setgid, aborting: %s\n", strerror(errno)); return false; } if (setuid(AID_SHELL) != 0) { if (setuid(shell_uid) != 0) { MYLOGE("Unable to setuid, aborting: %s\n", strerror(errno)); return false; } Loading libs/gui/BufferQueueConsumer.cpp +12 −4 Original line number Diff line number Diff line Loading @@ -15,6 +15,8 @@ */ #include <inttypes.h> #include <pwd.h> #include <sys/types.h> #define LOG_TAG "BufferQueueConsumer" #define ATRACE_TAG ATRACE_TAG_GRAPHICS Loading @@ -34,7 +36,6 @@ #include <binder/IPCThreadState.h> #include <binder/PermissionCache.h> #include <private/android_filesystem_config.h> #include <system/window.h> Loading Loading 
@@ -747,12 +748,19 @@ status_t BufferQueueConsumer::discardFreeBuffers() { } status_t BufferQueueConsumer::dumpState(const String8& prefix, String8* outResult) const { struct passwd* pwd = getpwnam("shell"); uid_t shellUid = pwd ? pwd->pw_uid : 0; if (!shellUid) { int savedErrno = errno; BQ_LOGE("Cannot get AID_SHELL"); return savedErrno ? -savedErrno : UNKNOWN_ERROR; } const IPCThreadState* ipc = IPCThreadState::self(); const pid_t pid = ipc->getCallingPid(); const uid_t uid = ipc->getCallingUid(); if ((uid != AID_SHELL) && !PermissionCache::checkPermission(String16( "android.permission.DUMP"), pid, uid)) { if ((uid != shellUid) && !PermissionCache::checkPermission(String16("android.permission.DUMP"), pid, uid)) { outResult->appendFormat("Permission Denial: can't dump BufferQueueConsumer " "from pid=%d, uid=%d\n", pid, uid); android_errorWriteWithInfoLog(0x534e4554, "27046057", Loading Loading
cmds/dumpstate/DumpstateInternal.cpp +29 −7 Original line number Diff line number Diff line Loading @@ -18,6 +18,8 @@ #include "DumpstateInternal.h" #include <grp.h> #include <pwd.h> #include <stdint.h> #include <stdio.h> #include <string.h> Loading @@ -33,7 +35,6 @@ #include <android-base/file.h> #include <log/log.h> #include <private/android_filesystem_config.h> uint64_t Nanotime() { timespec ts; Loading @@ -43,7 +44,17 @@ uint64_t Nanotime() { // Switches to non-root user and group. bool DropRootUser() { if (getgid() == AID_SHELL && getuid() == AID_SHELL) { struct group* grp = getgrnam("shell"); gid_t shell_gid = grp != nullptr ? grp->gr_gid : 0; struct passwd* pwd = getpwnam("shell"); uid_t shell_uid = pwd != nullptr ? pwd->pw_uid : 0; if (!shell_gid || !shell_uid) { MYLOGE("Unable to get AID_SHELL: %s\n", strerror(errno)); return false; } if (getgid() == shell_gid && getuid() == shell_uid) { MYLOGD("drop_root_user(): already running as Shell\n"); return true; } Loading 
@@ -53,17 +64,28 @@ bool DropRootUser() { return false; } gid_t groups[] = {AID_LOG, AID_SDCARD_R, AID_SDCARD_RW, AID_MOUNT, AID_INET, AID_NET_BW_STATS, AID_READPROC, AID_BLUETOOTH}; if (setgroups(sizeof(groups) / sizeof(groups[0]), groups) != 0) { static const std::vector<std::string> group_names{ "log", "sdcard_r", "sdcard_rw", "mount", "inet", "net_bw_stats", "readproc", "bluetooth"}; std::vector<gid_t> groups(group_names.size(), 0); for (size_t i = 0; i < group_names.size(); ++i) { grp = getgrnam(group_names[i].c_str()); groups[i] = grp != nullptr ? grp->gr_gid : 0; if (groups[i] == 0) { MYLOGE("Unable to get required gid '%s': %s\n", group_names[i].c_str(), strerror(errno)); return false; } } if (setgroups(groups.size(), groups.data()) != 0) { MYLOGE("Unable to setgroups, aborting: %s\n", strerror(errno)); return false; } if (setgid(AID_SHELL) != 0) { if (setgid(shell_gid) != 0) { MYLOGE("Unable to setgid, aborting: %s\n", strerror(errno)); return false; } if (setuid(AID_SHELL) != 0) { if (setuid(shell_uid) != 0) { MYLOGE("Unable to setuid, aborting: %s\n", strerror(errno)); return false; } Loading
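Review bot: The `strerror(errno)` in the two new lookup-failure logs in DropRootUser() can print a stale or "Success" message, because nothing clears errno before `getgrnam()`/`getpwnam()` and POSIX leaves it unchanged when the name is simply absent. Setting `errno = 0;` before each lookup, and logging which of the two "shell" lookups failed instead of the combined "Unable to get AID_SHELL", would make a failed privilege drop diagnosable. The `== 0` checks also guard against calling `setgid(0)`/`setuid(0)` and remaining root, which deserves a comment such as `// id 0 is root: treat it as a failed lookup so we never "drop" to root`. The new code uses `std::vector` and `std::string`, while the visible include hunk adds only `<grp.h>` and `<pwd.h>`, so it is worth confirming that `<string>` and `<vector>` are included directly. The body of DropRootUser() continues outside both hunks.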
libs/gui/BufferQueueConsumer.cpp +12 −4 Original line number Diff line number Diff line Loading @@ -15,6 +15,8 @@ */ #include <inttypes.h> #include <pwd.h> #include <sys/types.h> #define LOG_TAG "BufferQueueConsumer" #define ATRACE_TAG ATRACE_TAG_GRAPHICS Loading @@ -34,7 +36,6 @@ #include <binder/IPCThreadState.h> #include <binder/PermissionCache.h> #include <private/android_filesystem_config.h> #include <system/window.h> Loading Loading @@ -747,12 +748,19 @@ status_t BufferQueueConsumer::discardFreeBuffers() { } status_t BufferQueueConsumer::dumpState(const String8& prefix, String8* outResult) const { struct passwd* pwd = getpwnam("shell"); uid_t shellUid = pwd ? pwd->pw_uid : 0; if (!shellUid) { int savedErrno = errno; BQ_LOGE("Cannot get AID_SHELL"); return savedErrno ? -savedErrno : UNKNOWN_ERROR; } const IPCThreadState* ipc = IPCThreadState::self(); const pid_t pid = ipc->getCallingPid(); const uid_t uid = ipc->getCallingUid(); if ((uid != AID_SHELL) && !PermissionCache::checkPermission(String16( "android.permission.DUMP"), pid, uid)) { if ((uid != shellUid) && !PermissionCache::checkPermission(String16("android.permission.DUMP"), pid, uid)) { outResult->appendFormat("Permission Denial: can't dump BufferQueueConsumer " "from pid=%d, uid=%d\n", pid, uid); android_errorWriteWithInfoLog(0x534e4554, "27046057", Loading
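Review bot: In dumpState() the `getpwnam("shell")` lookup now runs ahead of the permission check on every call, so a failed lookup returns an error even to a caller that holds android.permission.DUMP. The returned code is taken from an errno that was never cleared before the call, so it may be a stale value unrelated to the lookup; adding `errno = 0;` before `getpwnam` would fix that. The check fails closed, which is the safe direction. If dumps should stay available to DUMP holders, the failure path could skip only the shell shortcut and still run `PermissionCache::checkPermission`. A comment such as `// uid 0 means the lookup failed; never treat root as shell` would record why zero is rejected. The function body continues outside the hunk.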