083b037c07
- Largish commit, buffer and access controls done together - Add LOG_ID_SECURITY binary content log - Add "default" meta buffer - allow LOG_ID_SECURITY only from AID_SYSTEM and AID_ROOT UID & GID - Use __android_log_security() to gate logging - Add __android_log_security_bwrite() native access to security logging. - Add liblog.__security_buffer end-to-end gTest Bug: 26029733 Change-Id: Ibcf5b4660c17c1aa6902c0d93f8ffd29c93d9a93
150 lines
5 KiB
C++
150 lines
5 KiB
C++
/*
|
|
* Copyright (C) 2012-2014 The Android Open Source Project
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
#include <errno.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
|
|
#include <private/android_filesystem_config.h>
|
|
|
|
#include "LogCommand.h"
|
|
#include "LogUtils.h"
|
|
|
|
LogCommand::LogCommand(const char *cmd) : FrameworkCommand(cmd) {
|
|
}
|
|
|
|
// gets a list of supplementary group IDs associated with
|
|
// the socket peer. This is implemented by opening
|
|
// /proc/PID/status and look for the "Group:" line.
|
|
//
|
|
// This function introduces races especially since status
|
|
// can change 'shape' while reading, the net result is err
|
|
// on lack of permission.
|
|
//
|
|
// Race-free alternative is to introduce pairs of sockets
|
|
// and threads for each command and reading, one each that
|
|
// has open permissions, and one that has restricted
|
|
// permissions.
|
|
|
|
static bool groupIsLog(char *buf) {
|
|
char *ptr;
|
|
static const char ws[] = " \n";
|
|
|
|
for (buf = strtok_r(buf, ws, &ptr); buf; buf = strtok_r(NULL, ws, &ptr)) {
|
|
errno = 0;
|
|
gid_t Gid = strtol(buf, NULL, 10);
|
|
if (errno != 0) {
|
|
return false;
|
|
}
|
|
if (Gid == AID_LOG) {
|
|
return true;
|
|
}
|
|
}
|
|
return false;
|
|
}
|
|
|
|
bool clientHasLogCredentials(uid_t uid, gid_t gid, pid_t pid) {
|
|
if ((uid == AID_ROOT) || (uid == AID_SYSTEM) || (uid == AID_LOG)) {
|
|
return true;
|
|
}
|
|
|
|
if ((gid == AID_ROOT) || (gid == AID_SYSTEM) || (gid == AID_LOG)) {
|
|
return true;
|
|
}
|
|
|
|
// FYI We will typically be here for 'adb logcat'
|
|
char filename[256];
|
|
snprintf(filename, sizeof(filename), "/proc/%u/status", pid);
|
|
|
|
bool ret;
|
|
bool foundLog = false;
|
|
bool foundGid = false;
|
|
bool foundUid = false;
|
|
|
|
//
|
|
// Reading /proc/<pid>/status is rife with race conditions. All of /proc
|
|
// suffers from this and its use should be minimized. However, we have no
|
|
// choice.
|
|
//
|
|
// Notably the content from one 4KB page to the next 4KB page can be from a
|
|
// change in shape even if we are gracious enough to attempt to read
|
|
// atomically. getline can not even guarantee a page read is not split up
|
|
// and in effect can read from different vintages of the content.
|
|
//
|
|
// We are finding out in the field that a 'logcat -c' via adb occasionally
|
|
// is returned with permission denied when we did only one pass and thus
|
|
// breaking scripts. For security we still err on denying access if in
|
|
// doubt, but we expect the falses should be reduced significantly as
|
|
// three times is a charm.
|
|
//
|
|
for (int retry = 3;
|
|
!(ret = foundGid && foundUid && foundLog) && retry;
|
|
--retry) {
|
|
FILE *file = fopen(filename, "r");
|
|
if (!file) {
|
|
continue;
|
|
}
|
|
|
|
char *line = NULL;
|
|
size_t len = 0;
|
|
while (getline(&line, &len, file) > 0) {
|
|
static const char groups_string[] = "Groups:\t";
|
|
static const char uid_string[] = "Uid:\t";
|
|
static const char gid_string[] = "Gid:\t";
|
|
|
|
if (strncmp(groups_string, line, sizeof(groups_string) - 1) == 0) {
|
|
if (groupIsLog(line + sizeof(groups_string) - 1)) {
|
|
foundLog = true;
|
|
}
|
|
} else if (strncmp(uid_string, line, sizeof(uid_string) - 1) == 0) {
|
|
uid_t u[4] = { (uid_t) -1, (uid_t) -1, (uid_t) -1, (uid_t) -1};
|
|
|
|
sscanf(line + sizeof(uid_string) - 1, "%u\t%u\t%u\t%u",
|
|
&u[0], &u[1], &u[2], &u[3]);
|
|
|
|
// Protect against PID reuse by checking that UID is the same
|
|
if ((uid == u[0])
|
|
&& (uid == u[1])
|
|
&& (uid == u[2])
|
|
&& (uid == u[3])) {
|
|
foundUid = true;
|
|
}
|
|
} else if (strncmp(gid_string, line, sizeof(gid_string) - 1) == 0) {
|
|
gid_t g[4] = { (gid_t) -1, (gid_t) -1, (gid_t) -1, (gid_t) -1};
|
|
|
|
sscanf(line + sizeof(gid_string) - 1, "%u\t%u\t%u\t%u",
|
|
&g[0], &g[1], &g[2], &g[3]);
|
|
|
|
// Protect against PID reuse by checking that GID is the same
|
|
if ((gid == g[0])
|
|
&& (gid == g[1])
|
|
&& (gid == g[2])
|
|
&& (gid == g[3])) {
|
|
foundGid = true;
|
|
}
|
|
}
|
|
}
|
|
free(line);
|
|
fclose(file);
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
bool clientHasLogCredentials(SocketClient *cli) {
|
|
return clientHasLogCredentials(cli->getUid(), cli->getGid(), cli->getPid());
|
|
}
|