We still don't really have a clue what went wrong, but "Failed to write"
made it sound like we did.
Change-Id: Ic58b13202e2d8ea6b095f7046db9d0771d77ce65
By using Minijail we avoid writing the same priv-dropping code over
and over again. This also enables future hardening opportunities.
We're already using Minijail for priv-dropping on Brillo.
Minijail is unit- and integration-tested on the
Chrome OS CI infrastructure (pulling from the same repo, see
https://wmatrix.googleplex.com/security?tests=security_Minijail0).
Once CI comes to Android, it will be continuously tested there as well.
Both 'adb root' and 'adb unroot' still work.
Bug: 26099611
Change-Id: I52c456ea272d27bd6fbc71200f4fdd928a592158
The current implementation of the host commands "adb wait-for-*" allows
to specify only the transport layer (local, usb or any).
This patch allows the specification of the expected device state
(bootloader, recovery, device or sideload), this is usefull for
scripting purposes.
Use case:
$ adb reboot sideload-auto-reboot
$ adb wait-for-usb-sideload && adb sideload package.zip
Change-Id: I276a6be4d82f8b7901f74e1e5395b86d16548e8f
Signed-off-by: Leo Sartre <leox.sartre@intel.com>
Reads from functionfs allocate contiguous buffers in the kernel, causing
long ones to sometimes fail because of memory fragmentation.
Bug: http://b/26206622
Change-Id: Id40753d6f29b37b5ca97c3e2fa3921f52b4242de
Back in 080427e4e2, we said:
If the kernel doesn't support file capabilities, we ignore
a prctl(PR_CAPBSET_DROP) failure. In a future CL, this could
become a fatal error.
Make it a fatal error. With SELinux support, all devices are
required to support file capabilities.
Change-Id: I0ce0c4cb9387c42e325cbf1a63c5d82e6aab530c
Previously, for `adb shell`, we were using setenv after forking to set
up the child's environment. This would occasionally deadlock in the
child, which would cause the main thread to deadlock waiting for the
child to complete. This patch constructs the environment before forking
and passes it to execle, eliminating the deadlock.
Bug: http://b/25847115
Change-Id: I720d472770564b1449819ddaab945a89844244a8
Shell scripts of the following form do not work properly with adb:
echo "foo\nbar\nbaz" | {
read FOO
while [ "$FOO" != "" ]; do
adb shell echo $FOO
read FOO
done
}
The first run of adb shell will consume all of the contents of stdin,
causing the loop to immediately end. ssh solves this by providing a -n
flag that causes it to not read from stdin. This commit adds the same.
Bug: http://b/25817224
Change-Id: Id74ca62ef520bcf03678b50f4bf203916fd81038
During early boot, we may be mounting and unmounting /data.
Having the home directory for adb shell commands, such as
"adb shell logcat", on the /data directory prevents unmounting.
This reverts commit 173eb396c7.
Bug: 26132185
Change-Id: Ib7c2f9e696f52bf5bbb79223d90dd76791779587
We had mostly-working hacks before, but it's time to just modify LinePrinter
to suit our needs. If we tell LinePrinter what kind of output we're giving
it, it can manage things automatically.
This fixes the minor bug where we'd sometimes have a blank line after an
error message.
Change-Id: I07ff52437f2402de311e237dd1b2dd338d9b668a
Make the home directory for adb shell be /data/local/tmp and
automatically change into that directory.
Change-Id: Ib5cc6e1ecdd31a37e986cf03836f7589ebd40868
Also, inline the bulk_read and bulk_write functions which were only
being used by one other function.
Bug: http://b/25847115
Change-Id: I218a869030219f606577a5529601c542488115e0
The current permission messages can be confusing for users who don't
know about udev and USB access permissions. This CL adds some checks to
try to identify common udev problems, and adds a link to online
documentation.
Example messages:
1) adb server is in plugdev group but access is still denied:
$ adb devices
List of devices attached
082f59270073e1e3 no permissions (verify udev rules); see [developer.android.com/tools/device.html]
2) plugdev group exists but adb server is not in it:
$ adb shell
error: USB permission failure: udev requires plugdev group membership.
See [developer.android.com/tools/device.html] for more information.
3) plugdev group does not exist:
$ adb shell
error: USB permission failure.
See [developer.android.com/tools/device.html] for more information.
Bug: http://b/25777880
Change-Id: I536565adc12ab657c75151309795674181205db0
If we stat a file and get a size of 0, and then successfully read bytes
from that file, we would previously divide by zero when calculating the
percentage completion of the file. This case happens either when we're
racing against something else writing to the file, or when we're pulling
magical files such as the ones in /dev/cpuctl/ that lie about their
size.
Bug: http://b/25925733
Change-Id: I980b9c14f44a1eb4a42bc8736c94fa6db06c08d1
The previous change to do this (f96dc73b) only skipped individually
named symlinks, not symlinks inside of a directory that was being
pulled.
Bug: http://b/25601283
Change-Id: I25bdcbc546a9d3a0dbd8dacdb065fb134d96022b
This patch ensures that we read any error response from the server if the
server closes the connection. Unfortunately, that's not sufficient to ensure
that we always see the server's error message --- sometimes the data just
gets thrown away because we keep writing without reading. Setting SO_LINGER
avoids this.
Bug: http://b/25230872
Change-Id: I96c019cc72bd139198de79bf29e6536cc462c20f
We're now able to send packets faster than the device can handle them,
meaning that sometimes we're several packets through before the device
says "hey, wait, I can't write" and closes the connection. At best this
led to us reporting that we couldn't sync because "Connection reset";
at worst we'd get SIGPIPE because we were still streaming to a connection
that had already been closed.
This change renames adb_main adb_server_main, and moves the ignoring of
SIGPIPE into adb_commandline so it applies to both client and server (but
not adbd).
This change doesn't address the "wrong error message" part of the problem,
but at least it means you'll get *an* error message.
Bug: http://b/25230872
Change-Id: Ic60e4d13ed03fdcdf0d5cbc97201ebd1097c16ed
I put the conditional in the wrong place, not realizing that even the
old shell system allowed one 'argument'.
Bug: http://b/25765657
Change-Id: I2752fb838d6377bf24e5b4cf959462557a196c87
adb_dirname might trample over the errno value we want to print. Move
the adb_dirname call out to a local to prevent this.
Change-Id: I8a62cb2e1be8704225a9c3b72dd01259c7eaaae4
Unfortunately, this isn't backwards-compatible with the current shell
protocol because we made unknown shell: arguments errors. We could try
to commit the change to make them just warnings first, but how would
we know when everyone was running adbd with that change? Bumping the
protocol version doesn't help because that only affects the code running
on the host. And although we could add another feature to the reported
features, since shell_v2 is still in development, that doesn't seem
worthwhile.
Bug: http://b/25601436
Change-Id: I12b81aa656cd25b91d14ef691dcbd2b7dab49535
Pulling symlinks was broken for directories, and it doesn't seem like
there's a good way to make it not broken, given that the protocol doesn't
have readlink (and we don't want to create symlinks on Windows, anyway).
The behavior for files doesn't seem to be especially useful, either.
Bug: http://b/25601283
Change-Id: Ie1d27e93dd09cbc0c178623b390041d1cb11f726
Cleanup TODO and instead of (poorly) converting the device name from
wchar_t to char, just retrieve and store it as wchar_t, simplifying the
code.
This probably isn't necessary since device names are probably always
ASCII, but this cleans things up.
Change-Id: Ib780dcdc1e0e06b97b61e25d29a23874b35d7800
Signed-off-by: Spencer Low <CompareAndSwap@gmail.com>
Now that we have a more standardized API (also available in Chromium),
switch to it. Another benefit is real error handling instead of just
killing the process on invalid Unicode.
Make UTF8ToWide()/WideToUTF8() set errno to EILSEQ on bad input. This is
the same error code that wcsrtombs(3) uses.
Update the unittest to check for EILSEQ.
Change-Id: Ie92acf74d37adaea116cf610c1bf8cd433741e16
Signed-off-by: Spencer Low <CompareAndSwap@gmail.com>
On exit, these destructors get invoked while other threads might
still be using them, potentially causing a crash, and definitely
causing tsan to report a race condition.
Bug: http://b/23384853
Change-Id: I94de55d22f97f4edd1d7cc1f34e8c1f8dfd56a5a
This reverts commit cc8cd59456.
With the dependency on libcutils (for gettid for non-bionic) removed,
this no longer breaks the build.
Change-Id: I645bd6876e2502ddc1535b69af1e645c0df9d178
28416d6d33 broke adb shell on Windows
because it was calling unix_read() with a buffer size of 1 byte which
wasn't supported by unix_read()/_console_read().
This change makes _console_read() support such a small buffer by
maintaining an internal input buffer.
This lets us simplify the existing code that was already maintaining a
cached INPUT_RECORD.
Also eliminate some duplicate code in the big switch statement.
Change-Id: I8f0aed4fb9f6f2f5b9a6b68ce60d2e368fec81c7
Signed-off-by: Spencer Low <CompareAndSwap@gmail.com>
Previously, `adb pull /data/local/tmp` would spew all of the contents of
/data/local/tmp into the current directory. This patch makes push/pull
keep directories intact.
Bug: http://b/25394682
Change-Id: I2304ae9e61745a2b9536f58a6012640bf8ff422a
This commit fixes two cases:
`adb pull /data/local/tmp nonexistent/path` would succeed.
`adb pull /data/local/tmp nonexistent/` would fail.
Change-Id: I60c39eb2816946686241af42cfa2ad5cdc63fb0e
ae5a6c06cd made adb push use
android::base::ReadFileToString() for small files, but that API did not
support UTF-8 filenames on Windows, until this fix which does the
following:
- Add android::base::{WideToUTF8,UTF8ToWide}() which are only available
on Windows. The signatures are based on Chromium's APIs of the same
name.
- Add the namespace android::base::utf8 which has versions of APIs that
take UTF-8 strings. To use this, make sure your code is in a namespace
and then do "using namespace android::base::utf8;". On Windows, this will
make calls to open() call android::base::utf8::open(), and on other
platforms, it will just call the regular ::open().
- Make ReadFileToString() and WriteStringToFile() use utf8::open() and
utf8::unlink().
- Adapt unittests from Chromium.
- fastboot needs to link with libcutils because it links with libbase
which depends on libcutils for gettid() for logging.
Change-Id: I1aeac40ff358331d7a1ff457ce894bfb17863904
Signed-off-by: Spencer Low <CompareAndSwap@gmail.com>
Start of input is, by definition, the start of a line. Give the states
names to make the error clearer. We should also swallow the escape
character until/unless it's proven not to have been part of an escape
sequence. Finally, implement an ssh(1)-like -e option so the user can
choose -- or, more importantly, disable -- escape character handling.
Change-Id: I28a91db47e15f3e7de96303c0b9a98d302b9c92e
I've been using these changes to compile with Visual Studio.
- GetFileBasename(): __FILE__ uses \ with Visual Studio.
- adb_trace.cpp: Apparently VS needs an ampersand before the function name.
- "expr1 ? : expr2" is a GCC extension.
- <algorithm> contains std::min().
- seekdir can't always be #define'd because some headers have members
named seekdir.
- adb_utils.cpp: Not really a compiler issue, just a random fix:
0x7F/DEL is not printable.
Change-Id: I0dfb634f1ba4ccbc0d1b9f71b00e838fbebb3b41
Signed-off-by: Spencer Low <CompareAndSwap@gmail.com>
Add the following mount options to the /proc filesystem:
hidepid=2,gid=3009
This change blocks /proc access unless you're in group 3009
(aka AID_READPROC).
Please see
https://github.com/torvalds/linux/blob/master/Documentation/filesystems/proc.txt
for documentation on the hidepid option.
hidepid=2 is preferred over hidepid=1 since it leaks less information
and doesn't generate SELinux ptrace denials when trying to access
/proc without being in the proper group.
Add AID_READPROC to processes which need to access /proc entries for
other UIDs.
Bug: 23310674
Change-Id: I22bb55ff7b80ff722945e224845215196f09dafa
Instead of using the pm command, 'adb install' and 'adb uninstall' will now
use the cmd command. Additionally, the APK will be streamed directly to
package installer instead of creating a temporary file.
(cherry-pick of d039800a4e008b52c532f901e3bb34b40877cf30.)
Change-Id: Ie7529afa5b039d29cc8183f36085ff4e66b3457a
Pushing empty directories is more troublesome, and probably either
requires changes to the server, or hacky `adb shell mkdir` stuff.
Bug: http://b/25395071
Change-Id: I4db6a993429a56e5c5ca994752418503b6f5d7c4
Instead of using the pm command, 'adb install' and 'adb uninstall' will now
use the cmd command. Additionally, the APK will be streamed directly to
package installer instead of creating a temporary file.
Change-Id: Ie7529afa5b039d29cc8183f36085ff4e66b3457a
local_build_list previously was returning an int, 0 on success and -1 on
failure, while remote_build_list was returning a bool, true on success
and false on failure.
Change-Id: Iced6c4142e2f843048d81c4e133d6b6dc75a35dd
Previously, mkdirs/secure_mkdirs wouldn't create a directory at the
specified path, only the ones above it.
Bug: http://b/25459942
Change-Id: I70c94c4b44d90723cb4a063657fc40e5bcb3b10e
Previously, adb_basename was behaving according to the GNU, POSIX-incompatible
basename, despite POSIX adb_dirname existing alongside it. This patch changes
adb_basename to pass through to the POSIX basename.
Bug: http://b/25456821
Change-Id: I62a4865cccf3b9cdbc112e3e53ff475aa4a23bd9
The Mac doesn't have <termio.h>, and it looks like the canonical place for
struct winsize is <sys/ioctl.h> anyway.
system/core/adb/commandline.cpp:44:10: fatal error: 'termio.h' file not found
#include <termio.h>
Bug: http://b/19734542
Change-Id: I3bfbf58cdb9b582f3b7e2c9ef0977613001cd3ac
Allow adb to build using gcc by explicitly using global scope for the
type for pollfd. An alternative would be to rename the pollfd field to
different, but I did not have a better name in mind.
Change-Id: I7925df1dca7e1acc5a289256f228e5fc3755e86e
Our Windows code has several different ways it checks whether an FD is
a console or not, some of which aren't exactly correct as they may
treat character devices (e.g. NUL) as consoles.
This CL disallows using the builtin isatty() function and provides
unix_isatty() instead which correctly checks these corner cases.
Change-Id: I6d551c745dae691c7eb3446b585265d62c1e62fa
Previously we've set these from /system/etc/mkshrc, which caused a behavioral
difference between interactive and non-interactive shells.
Bug: http://b/19635681
Change-Id: I4608c42dd3de821046220fdb1770ab3216b5d5eb
reverse_service() calls handle_forward_request(), which calls
functions in fdevent.cpp. fdevent functions is only supposed
to be called in the main thread.
Add check in fdevent.cpp to make sure all operations come from
main thread.
Bug: 25355808
Change-Id: Iceb9273f3056acc0713eaafe086ac950ca80ff4f
Background
==========
On Windows, if you run "adb shell exit" in a loop in two windows,
eventually the adb client will be unable to connect to the adb server. I
think connect() is returning WSAEADDRINUSE: "Only one usage of each
socket address (protocol/network address/port) is normally permitted.
(10048)". The Windows System Event Log may also show Event 4227, Tcpip.
Netstat output is filled with:
# for the adb server
TCP 127.0.0.1:5037 127.0.0.1:65523 TIME_WAIT
# for the adb client
TCP 127.0.0.1:65523 127.0.0.1:5037 TIME_WAIT
The error probably means that the client is running out of free
address:port pairs.
The first netstat line is unavoidable, but the second line exists
because the adb client is not waiting for orderly/graceful shutdown of
the socket, and that is apparently required on Windows to get rid of the
second line. For more info, see
https://github.com/CompareAndSwap/SocketCloseTest .
This is exacerbated by the fact that "adb shell exit" makes 4 socket
connections to the adb server: 1) host:version, 2) host:features, 3)
host:version (again), 4) shell:exit. Also exacerbating is the fact that
the adb protocol is length-prefixed so the client typically does not
have to 'read() until zero' which effectively waits for orderly/graceful
shutdown.
The Fix
=======
Introduce a function, ReadOrderlyShutdown(), that should be called in
the adb client to wait for the server to close its socket, before
closing the client socket.
I reviewed all code where the adb client makes a connection to the adb
server and added ReadOrderlyShutdown() when it made sense. I wasn't able
to add it to the following:
* interactive_shell: this doesn't matter because this is interactive and
thus can't be run fast enough to use up ports.
* adb sideload: I couldn't get enough test coverage and I don't think
this is being called frequently enough to be a problem.
* send_shell_command, backup, adb_connect_command, adb shell, adb
exec-out, install_multiple_app, adb_send_emulator_command: These
already wait for server socket shutdown since they already call
recv() until zero.
* restore, adb exec-in: protocol design can't have the server close
first.
* adb start-server: no fd is actually returned
* create_local_service_socket, local_connect_arbitrary_ports,
connect_device: probably called rarely enough not to be a problem.
Also in this change
===================
* Clarify comments in when adb_shutdown() is called before exit().
* add some missing adb_close() in adb sideload.
* Fixup error handling and comments in adb_send_emulator_command().
* Make SyncConnection::SendQuit return a success boolean.
* Add unittest for adb emu kill command. This gets code coverage over
this very careful piece of code.
Change-Id: Iad0b1336f5b74186af2cd35f7ea827d0fa77a17c
Signed-off-by: Spencer Low <CompareAndSwap@gmail.com>
This makes no measurable difference to the sync time; "adb sync" of
everything on /system for a Nexus 9 still takes 20s.
Change-Id: Ifa2626f7453937e43856b9c4ee06e1f5db0aa273
ssh has slightly more sophisticated -Tt options that we want to match.
This CL changes -Tt behavior to match ssh so that we allocate a remote
PTY in these cases:
-T: never.
: if stdin is a terminal and user wants an interactive shell.
-t: if stdin is a terminal (otherwise print a warning message).
-t -t: always.
Now this will work as expected:
$ adb shell < my_script.sh
Also corrects a small unrelated bug with escape sequences so that only
a single tilde is accepted for the disconnect sequence.
Bug: http://b/24565284
Change-Id: Idab57ac98d81233b45c2613fe64ceb4398add961
I fixed the server side to send detailed error reports, but the client-side
code for pull was broken because it had already read the "FAIL" header before
calling the general error reporting code that expects to be able to read
the header. This meant we'd always report that we failed to read the failure
message.
Also add a couple of missing "\n"s, make sure every error message is prefixed
by "adb: ", and remove a useless path length check that would silently ignore
over-long paths rather than relying on SendRequest to detect and report the
problem.
Bug: http://b/6205106
Change-Id: I23862ececf03b761115ffa3f7725b7e1cecb48c7
SIGTTIN gets sent to the process when we attempt to read from
stdin when we're in the background, which stops the process by
default. Mask the signal so that the read returns -1 with errno
set to EIO, instead.
Change-Id: I4ae626b0670c05a1a05165539b9eed709e83d536
Now that libselinux uses libpackagelistparser, in order
for libpackagelistparser to be properly statically linked
liblog must come after libselinux for all the liblog
references to be defined in libpackagelistparser which
is included in libselinux. This patch corrects that order.
Change-Id: I7aee10c9395310919779ed2463aab6b2f8b380cc
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Use libfec to locate verity metadata and disable verity.
Needs changes from
I02f83b0d1d4e7ef5cd5d13a37ff0b84f17e23376
Bug: 21893453
Change-Id: Ib43c352400a368664c949c7b8c9961829adf48f4
Improved mapping of Winsock error codes to POSIX error codes, especially
WSAECONNABORTED to EPIPE (which WriteFdExactly() looks for) when sending
to a closed socket and WSAECONNRESET to ECONNRESET when the peer resets
the connection.
Use a macro to map strerror() to adb_strerror() which handles these
POSIX error codes that the Windows C Runtime doesn't recognize.
Also:
* Unittest for adb_strerror().
* Don't trace when send() returns WSAEWOULDBLOCK because that is
expected.
Change-Id: If46aeb7b36de3eebfbbccf5478ff5b1bb087714b
Signed-off-by: Spencer Low <CompareAndSwap@gmail.com>
Non-interactive `adb shell` previously only read from the remote shell,
but we want it to write as well so interactive and non-interactive
shells can both send data. With this CL, we can now do:
$ echo foo | adb shell cat
foo
This is primarily usable with newer devices that support the shell_v2
features. Older devices will receive stdin but the shell will still
hang after all input has been sent, requiring user Ctrl+C. This seems
better than closing communication altogether which could potentially
miss an unpredictable amount of return data by closing too early.
Known issue: non-interactive stdin to a PTY shell isn't reliable.
However I don't think this is a common case as ssh doesn't seem to
handle it properly either. Examples:
* echo 'echo foo' | adb shell
* echo 'foo' | adb shell -t cat
Bug: http://b/24565284
Change-Id: I5b017fd12d8478765bb6e8400ea76d535c24ce42