1. Calculate AID for spawned process as (100000 * $user) + uid_from_packages.list
2. Use /data/user/$user/$packageDir as a root of a new process if $user != 0.
Change-Id: I761dfb481114bd51e5a950307fcaf403e96eef10
(cherry picked from commit da31778f3b)
package.c gets string.h inherited from
private/android_filesystem_config.h it should
not rely on this in the future. The intent is
to move fs_config function into libcutils and
thus deprecate any need for string.h in this
include file.
Bug: 19908228
Change-Id: I5db6d0a88c5b1eb9f582284e9bdd220c096ea69a
The group ownership of the package database
/data/system/packages.list read by run-as was changed in
977a9f3b1a from "system" to
"package_info". run-as currently changes its effective group to
"system" and is thus unable to read the database.
This CL fixes the issue by making run-as change its effective group
to "package_info" for reading the package database.
Bug: 10411916
Change-Id: Id23059bfb5b43264824917873a31c287f057ce4e
The legacy internal layout places users at the top-level of the
filesystem, so handle with new PERM_LEGACY_PRE_ROOT when requested.
Mirror single OBB directory between all users without requiring fancy
bind mounts by letting a nodes graft in another part of the
underlying tree.
Move to everything having "sdcard_r" GID by default, and verify that
calling apps hold "sdcard_rw" when performing mutations. Determines
app group membership from new packages.list column.
Flag to optionally enable sdcard_pics/sdcard_av permissions
splitting. Flag to supply a default GID for all files. Ignore
attempts to access security sensitive files. Fix run-as to check for
new "package_info" GID.
Change-Id: Id5f3680779109141c65fb8fa1daf56597f49ea0d
Change allows the proper seinfo value to be passed
to libselinux to switch to the proper app security
context before running the shell.
Change-Id: I9d7ea47c920b1bc09a19008345ed7fd0aa426e87
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
run-as: don't require CAP_DAC_OVERRIDE.
Prevent an adb spawned application from acquiring capabilities
other than
* CAP_NET_RAW
* CAP_SETUID
* CAP_SETGID
The only privileged programs accessible on user builds are
* /system/bin/ping
* /system/bin/run-as
and the capabilities above are sufficient to cover those
two programs.
If the kernel doesn't support file capabilities, we ignore
a prctl(PR_CAPBSET_DROP) failure. In a future CL, this could
become a fatal error.
Change-Id: I45a56712bfda35b5ad9378dde9e04ab062fe691a
This patch uses mmap() to read /data/system/packages.list
This avoids depending on the size of a fixed static buffer
which may happen to be too short for systems with a lot of
packages installed.
Also avoids calling malloc() which we don't want to trust here
since run-as is a setuid program.
Change-Id: I1d640a08b5d73af2fc80546b01c8d970c7f6b514
This patch increases the size of the internal buffer used by run-as
to store the content of /data/system/packages.list from 8KB to 64KB.
It has been reported that, on some systems, 8KB was too small. This
resulted in a truncated file being loaded, and the inability to debug
native applications properly (either because the application was not
found in the list, or because the tool reported a 'corrupted
installation' due to BAD_FORMAT issues when parsing the truncated
file).
See http://code.google.com/p/android/issues/detail?id=16391
Change-Id: I0c35a61b163c4abc6f1a2681adc0ef0d76493171
Typical usage is 'run-as <package-name> <command>' to run <command>
in the data directory, and the user id, of <package-name> if, and only
if <package-name> is the name of an installed and debuggable application.
This relies on the /data/system/packages.list file generated by the
PackageManager service.
BEWARE: This is intended to be available on production devices !