57288ad825
This works around b/21028929. That old bug reappeared in nyc-dev because of file-based-encryption. Bug: 21028929 Change-Id: I4eb65ee3b57fb86605fa56fd1395a9666f6aef7f
560 lines
14 KiB
C
560 lines
14 KiB
C
/*
|
|
**
|
|
** Copyright 2010, The Android Open Source Project
|
|
**
|
|
** Licensed under the Apache License, Version 2.0 (the "License");
|
|
** you may not use this file except in compliance with the License.
|
|
** You may obtain a copy of the License at
|
|
**
|
|
** http://www.apache.org/licenses/LICENSE-2.0
|
|
**
|
|
** Unless required by applicable law or agreed to in writing, software
|
|
** distributed under the License is distributed on an "AS IS" BASIS,
|
|
** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
** See the License for the specific language governing permissions and
|
|
** limitations under the License.
|
|
*/
|
|
#include <errno.h>
|
|
#include <fcntl.h>
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
#include <sys/mman.h>
|
|
#include <sys/stat.h>
|
|
#include <unistd.h>
|
|
|
|
#include <private/android_filesystem_config.h>
|
|
#include "package.h"
|
|
|
|
/*
|
|
* WARNING WARNING WARNING WARNING
|
|
*
|
|
* The following code runs as root on production devices, before
|
|
* the run-as command has dropped the uid/gid. Hence be very
|
|
* conservative and keep in mind the following:
|
|
*
|
|
* - Performance does not matter here, clarity and safety of the code
|
|
* does however. Documentation is a must.
|
|
*
|
|
* - Avoid calling C library functions with complex implementations
|
|
* like malloc() and printf(). You want to depend on simple system
|
|
* calls instead, which behaviour is not going to be altered in
|
|
* unpredictible ways by environment variables or system properties.
|
|
*
|
|
* - Do not trust user input and/or the filesystem whenever possible.
|
|
*
|
|
*/
|
|
|
|
/* The file containing the list of installed packages on the system */
|
|
#define PACKAGES_LIST_FILE "/data/system/packages.list"
|
|
|
|
/* Copy 'srclen' string bytes from 'src' into buffer 'dst' of size 'dstlen'
|
|
* This function always zero-terminate the destination buffer unless
|
|
* 'dstlen' is 0, even in case of overflow.
|
|
* Returns a pointer into the src string, leaving off where the copy
|
|
* has stopped. The copy will stop when dstlen, srclen or a null
|
|
* character on src has been reached.
|
|
*/
|
|
static const char*
|
|
string_copy(char* dst, size_t dstlen, const char* src, size_t srclen)
|
|
{
|
|
const char* srcend = src + srclen;
|
|
const char* dstend = dst + dstlen;
|
|
|
|
if (dstlen == 0)
|
|
return src;
|
|
|
|
dstend--; /* make room for terminating zero */
|
|
|
|
while (dst < dstend && src < srcend && *src != '\0')
|
|
*dst++ = *src++;
|
|
|
|
*dst = '\0'; /* zero-terminate result */
|
|
return src;
|
|
}
|
|
|
|
/* Open 'filename' and map it into our address-space.
|
|
* Returns buffer address, or NULL on error
|
|
* On exit, *filesize will be set to the file's size, or 0 on error
|
|
*/
|
|
static void*
|
|
map_file(const char* filename, size_t* filesize)
|
|
{
|
|
int fd, ret, old_errno;
|
|
struct stat st;
|
|
size_t length = 0;
|
|
void* address = NULL;
|
|
gid_t oldegid;
|
|
|
|
*filesize = 0;
|
|
|
|
/*
|
|
* Temporarily switch effective GID to allow us to read
|
|
* the packages file
|
|
*/
|
|
|
|
oldegid = getegid();
|
|
if (setegid(AID_PACKAGE_INFO) < 0) {
|
|
return NULL;
|
|
}
|
|
|
|
/* open the file for reading */
|
|
fd = TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
|
|
if (fd < 0) {
|
|
return NULL;
|
|
}
|
|
|
|
/* restore back to our old egid */
|
|
if (setegid(oldegid) < 0) {
|
|
goto EXIT;
|
|
}
|
|
|
|
/* get its size */
|
|
ret = TEMP_FAILURE_RETRY(fstat(fd, &st));
|
|
if (ret < 0)
|
|
goto EXIT;
|
|
|
|
/* Ensure that the file is owned by the system user */
|
|
if ((st.st_uid != AID_SYSTEM) || (st.st_gid != AID_PACKAGE_INFO)) {
|
|
goto EXIT;
|
|
}
|
|
|
|
/* Ensure that the file has sane permissions */
|
|
if ((st.st_mode & S_IWOTH) != 0) {
|
|
goto EXIT;
|
|
}
|
|
|
|
/* Ensure that the size is not ridiculously large */
|
|
length = (size_t)st.st_size;
|
|
if ((off_t)length != st.st_size) {
|
|
errno = ENOMEM;
|
|
goto EXIT;
|
|
}
|
|
|
|
/* Memory-map the file now */
|
|
do {
|
|
address = mmap(NULL, length, PROT_READ, MAP_PRIVATE, fd, 0);
|
|
} while (address == MAP_FAILED && errno == EINTR);
|
|
if (address == MAP_FAILED) {
|
|
address = NULL;
|
|
goto EXIT;
|
|
}
|
|
|
|
/* We're good, return size */
|
|
*filesize = length;
|
|
|
|
EXIT:
|
|
/* close the file, preserve old errno for better diagnostics */
|
|
old_errno = errno;
|
|
close(fd);
|
|
errno = old_errno;
|
|
|
|
return address;
|
|
}
|
|
|
|
/* unmap the file, but preserve errno */
|
|
static void
|
|
unmap_file(void* address, size_t size)
|
|
{
|
|
int old_errno = errno;
|
|
TEMP_FAILURE_RETRY(munmap(address, size));
|
|
errno = old_errno;
|
|
}
|
|
|
|
/* Check that a given directory:
|
|
* - exists
|
|
* - is owned by a given uid/gid
|
|
* - is a real directory, not a symlink
|
|
* - isn't readable or writable by others
|
|
*
|
|
* Return 0 on success, or -1 on error.
|
|
* errno is set to EINVAL in case of failed check.
|
|
*/
|
|
static int
|
|
check_directory_ownership(const char* path, uid_t uid)
|
|
{
|
|
int ret;
|
|
struct stat st;
|
|
|
|
do {
|
|
ret = lstat(path, &st);
|
|
} while (ret < 0 && errno == EINTR);
|
|
|
|
if (ret < 0)
|
|
return -1;
|
|
|
|
/* /data/user/0 is a known safe symlink */
|
|
if (strcmp("/data/user/0", path) == 0)
|
|
return 0;
|
|
|
|
/* must be a real directory, not a symlink */
|
|
if (!S_ISDIR(st.st_mode))
|
|
goto BAD;
|
|
|
|
/* must be owned by specific uid/gid */
|
|
if (st.st_uid != uid || st.st_gid != uid)
|
|
goto BAD;
|
|
|
|
/* must not be readable or writable by others */
|
|
if ((st.st_mode & (S_IROTH|S_IWOTH)) != 0)
|
|
goto BAD;
|
|
|
|
/* everything ok */
|
|
return 0;
|
|
|
|
BAD:
|
|
errno = EINVAL;
|
|
return -1;
|
|
}
|
|
|
|
/* This function is used to check the data directory path for safety.
|
|
* We check that every sub-directory is owned by the 'system' user
|
|
* and exists and is not a symlink. We also check that the full directory
|
|
* path is properly owned by the user ID.
|
|
*
|
|
* Return 0 on success, -1 on error.
|
|
*/
|
|
int
|
|
check_data_path(const char* dataPath, uid_t uid)
|
|
{
|
|
int nn;
|
|
|
|
/* the path should be absolute */
|
|
if (dataPath[0] != '/') {
|
|
errno = EINVAL;
|
|
return -1;
|
|
}
|
|
|
|
/* look for all sub-paths, we do that by finding
|
|
* directory separators in the input path and
|
|
* checking each sub-path independently
|
|
*/
|
|
for (nn = 1; dataPath[nn] != '\0'; nn++)
|
|
{
|
|
char subpath[PATH_MAX];
|
|
|
|
/* skip non-separator characters */
|
|
if (dataPath[nn] != '/')
|
|
continue;
|
|
|
|
/* handle trailing separator case */
|
|
if (dataPath[nn+1] == '\0') {
|
|
break;
|
|
}
|
|
|
|
/* found a separator, check that dataPath is not too long. */
|
|
if (nn >= (int)(sizeof subpath)) {
|
|
errno = EINVAL;
|
|
return -1;
|
|
}
|
|
|
|
/* reject any '..' subpath */
|
|
if (nn >= 3 &&
|
|
dataPath[nn-3] == '/' &&
|
|
dataPath[nn-2] == '.' &&
|
|
dataPath[nn-1] == '.') {
|
|
errno = EINVAL;
|
|
return -1;
|
|
}
|
|
|
|
/* copy to 'subpath', then check ownership */
|
|
memcpy(subpath, dataPath, nn);
|
|
subpath[nn] = '\0';
|
|
|
|
if (check_directory_ownership(subpath, AID_SYSTEM) < 0)
|
|
return -1;
|
|
}
|
|
|
|
/* All sub-paths were checked, now verify that the full data
|
|
* directory is owned by the application uid
|
|
*/
|
|
if (check_directory_ownership(dataPath, uid) < 0)
|
|
return -1;
|
|
|
|
/* all clear */
|
|
return 0;
|
|
}
|
|
|
|
/* Return TRUE iff a character is a space or tab */
|
|
static inline int
|
|
is_space(char c)
|
|
{
|
|
return (c == ' ' || c == '\t');
|
|
}
|
|
|
|
/* Skip any space or tab character from 'p' until 'end' is reached.
|
|
* Return new position.
|
|
*/
|
|
static const char*
|
|
skip_spaces(const char* p, const char* end)
|
|
{
|
|
while (p < end && is_space(*p))
|
|
p++;
|
|
|
|
return p;
|
|
}
|
|
|
|
/* Skip any non-space and non-tab character from 'p' until 'end'.
|
|
* Return new position.
|
|
*/
|
|
static const char*
|
|
skip_non_spaces(const char* p, const char* end)
|
|
{
|
|
while (p < end && !is_space(*p))
|
|
p++;
|
|
|
|
return p;
|
|
}
|
|
|
|
/* Find the first occurence of 'ch' between 'p' and 'end'
|
|
* Return its position, or 'end' if none is found.
|
|
*/
|
|
static const char*
|
|
find_first(const char* p, const char* end, char ch)
|
|
{
|
|
while (p < end && *p != ch)
|
|
p++;
|
|
|
|
return p;
|
|
}
|
|
|
|
/* Check that the non-space string starting at 'p' and eventually
|
|
* ending at 'end' equals 'name'. Return new position (after name)
|
|
* on success, or NULL on failure.
|
|
*
|
|
* This function fails is 'name' is NULL, empty or contains any space.
|
|
*/
|
|
static const char*
|
|
compare_name(const char* p, const char* end, const char* name)
|
|
{
|
|
/* 'name' must not be NULL or empty */
|
|
if (name == NULL || name[0] == '\0' || p == end)
|
|
return NULL;
|
|
|
|
/* compare characters to those in 'name', excluding spaces */
|
|
while (*name) {
|
|
/* note, we don't check for *p == '\0' since
|
|
* it will be caught in the next conditional.
|
|
*/
|
|
if (p >= end || is_space(*p))
|
|
goto BAD;
|
|
|
|
if (*p != *name)
|
|
goto BAD;
|
|
|
|
p++;
|
|
name++;
|
|
}
|
|
|
|
/* must be followed by end of line or space */
|
|
if (p < end && !is_space(*p))
|
|
goto BAD;
|
|
|
|
return p;
|
|
|
|
BAD:
|
|
return NULL;
|
|
}
|
|
|
|
/* Parse one or more whitespace characters starting from '*pp'
|
|
* until 'end' is reached. Updates '*pp' on exit.
|
|
*
|
|
* Return 0 on success, -1 on failure.
|
|
*/
|
|
static int
|
|
parse_spaces(const char** pp, const char* end)
|
|
{
|
|
const char* p = *pp;
|
|
|
|
if (p >= end || !is_space(*p)) {
|
|
errno = EINVAL;
|
|
return -1;
|
|
}
|
|
p = skip_spaces(p, end);
|
|
*pp = p;
|
|
return 0;
|
|
}
|
|
|
|
/* Parse a positive decimal number starting from '*pp' until 'end'
|
|
* is reached. Adjust '*pp' on exit. Return decimal value or -1
|
|
* in case of error.
|
|
*
|
|
* If the value is larger than INT_MAX, -1 will be returned,
|
|
* and errno set to EOVERFLOW.
|
|
*
|
|
* If '*pp' does not start with a decimal digit, -1 is returned
|
|
* and errno set to EINVAL.
|
|
*/
|
|
static int
|
|
parse_positive_decimal(const char** pp, const char* end)
|
|
{
|
|
const char* p = *pp;
|
|
int value = 0;
|
|
int overflow = 0;
|
|
|
|
if (p >= end || *p < '0' || *p > '9') {
|
|
errno = EINVAL;
|
|
return -1;
|
|
}
|
|
|
|
while (p < end) {
|
|
int ch = *p;
|
|
unsigned d = (unsigned)(ch - '0');
|
|
int val2;
|
|
|
|
if (d >= 10U) /* d is unsigned, no lower bound check */
|
|
break;
|
|
|
|
val2 = value*10 + (int)d;
|
|
if (val2 < value)
|
|
overflow = 1;
|
|
value = val2;
|
|
p++;
|
|
}
|
|
*pp = p;
|
|
|
|
if (overflow) {
|
|
errno = EOVERFLOW;
|
|
value = -1;
|
|
}
|
|
return value;
|
|
}
|
|
|
|
/* Read the system's package database and extract information about
|
|
* 'pkgname'. Return 0 in case of success, or -1 in case of error.
|
|
*
|
|
* If the package is unknown, return -1 and set errno to ENOENT
|
|
* If the package database is corrupted, return -1 and set errno to EINVAL
|
|
*/
|
|
int
|
|
get_package_info(const char* pkgName, uid_t userId, PackageInfo *info)
|
|
{
|
|
char* buffer;
|
|
size_t buffer_len;
|
|
const char* p;
|
|
const char* buffer_end;
|
|
int result = -1;
|
|
|
|
info->uid = 0;
|
|
info->isDebuggable = 0;
|
|
info->dataDir[0] = '\0';
|
|
info->seinfo[0] = '\0';
|
|
|
|
buffer = map_file(PACKAGES_LIST_FILE, &buffer_len);
|
|
if (buffer == NULL)
|
|
return -1;
|
|
|
|
p = buffer;
|
|
buffer_end = buffer + buffer_len;
|
|
|
|
/* expect the following format on each line of the control file:
|
|
*
|
|
* <pkgName> <uid> <debugFlag> <dataDir> <seinfo>
|
|
*
|
|
* where:
|
|
* <pkgName> is the package's name
|
|
* <uid> is the application-specific user Id (decimal)
|
|
* <debugFlag> is 1 if the package is debuggable, or 0 otherwise
|
|
* <dataDir> is the path to the package's data directory (e.g. /data/data/com.example.foo)
|
|
* <seinfo> is the seinfo label associated with the package
|
|
*
|
|
* The file is generated in com.android.server.PackageManagerService.Settings.writeLP()
|
|
*/
|
|
|
|
while (p < buffer_end) {
|
|
/* find end of current line and start of next one */
|
|
const char* end = find_first(p, buffer_end, '\n');
|
|
const char* next = (end < buffer_end) ? end + 1 : buffer_end;
|
|
const char* q;
|
|
int uid, debugFlag;
|
|
|
|
/* first field is the package name */
|
|
p = compare_name(p, end, pkgName);
|
|
if (p == NULL)
|
|
goto NEXT_LINE;
|
|
|
|
/* skip spaces */
|
|
if (parse_spaces(&p, end) < 0)
|
|
goto BAD_FORMAT;
|
|
|
|
/* second field is the pid */
|
|
uid = parse_positive_decimal(&p, end);
|
|
if (uid < 0)
|
|
return -1;
|
|
|
|
info->uid = (uid_t) uid;
|
|
|
|
/* skip spaces */
|
|
if (parse_spaces(&p, end) < 0)
|
|
goto BAD_FORMAT;
|
|
|
|
/* third field is debug flag (0 or 1) */
|
|
debugFlag = parse_positive_decimal(&p, end);
|
|
switch (debugFlag) {
|
|
case 0:
|
|
info->isDebuggable = 0;
|
|
break;
|
|
case 1:
|
|
info->isDebuggable = 1;
|
|
break;
|
|
default:
|
|
goto BAD_FORMAT;
|
|
}
|
|
|
|
/* skip spaces */
|
|
if (parse_spaces(&p, end) < 0)
|
|
goto BAD_FORMAT;
|
|
|
|
/* fourth field is data directory path and must not contain
|
|
* spaces.
|
|
*/
|
|
q = skip_non_spaces(p, end);
|
|
if (q == p)
|
|
goto BAD_FORMAT;
|
|
|
|
/* If userId == 0 (i.e. user is device owner) we can use dataDir value
|
|
* from packages.list, otherwise compose data directory as
|
|
* /data/user/$uid/$packageId
|
|
*/
|
|
if (userId == 0) {
|
|
p = string_copy(info->dataDir, sizeof info->dataDir, p, q - p);
|
|
} else {
|
|
snprintf(info->dataDir,
|
|
sizeof info->dataDir,
|
|
"/data/user/%d/%s",
|
|
userId,
|
|
pkgName);
|
|
p = q;
|
|
}
|
|
|
|
/* skip spaces */
|
|
if (parse_spaces(&p, end) < 0)
|
|
goto BAD_FORMAT;
|
|
|
|
/* fifth field is the seinfo string */
|
|
q = skip_non_spaces(p, end);
|
|
if (q == p)
|
|
goto BAD_FORMAT;
|
|
|
|
string_copy(info->seinfo, sizeof info->seinfo, p, q - p);
|
|
|
|
/* Ignore the rest */
|
|
result = 0;
|
|
goto EXIT;
|
|
|
|
NEXT_LINE:
|
|
p = next;
|
|
}
|
|
|
|
/* the package is unknown */
|
|
errno = ENOENT;
|
|
result = -1;
|
|
goto EXIT;
|
|
|
|
BAD_FORMAT:
|
|
errno = EINVAL;
|
|
result = -1;
|
|
|
|
EXIT:
|
|
unmap_file(buffer, buffer_len);
|
|
return result;
|
|
}
|