platform_system_core/run-as/run-as.c

/*
**
** Copyright 2010, The Android Open Source Project
**
** Licensed under the Apache License, Version 2.0 (the "License");
** you may not use this file except in compliance with the License.
** You may obtain a copy of the License at
**
**     http://www.apache.org/licenses/LICENSE-2.0
**
** Unless required by applicable law or agreed to in writing, software
** distributed under the License is distributed on an "AS IS" BASIS,
** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
** See the License for the specific language governing permissions and
** limitations under the License.
*/

#define PROGNAME "run-as"
#define LOG_TAG  PROGNAME

#include <dirent.h>
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/capability.h>
#include <sys/cdefs.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <time.h>
#include <unistd.h>

#include <private/android_filesystem_config.h>
#include <selinux/android.h>

#include "package.h"

/*
 *  WARNING WARNING WARNING WARNING
 *
 *  This program runs with CAP_SETUID and CAP_SETGID capabilities on Android
 *  production devices. Be very conservative when modifying it to avoid any
 *  serious security issue. Keep in mind the following:
 *
 *  - This program should only run for the 'root' or 'shell' users
 *
 *  - Avoid anything that is more complex than simple system calls
 *    until the uid/gid has been dropped to that of a normal user
 *    or you are sure to exit.
 *
 *    This avoids depending on environment variables, system properties
 *    and other external factors that may affect the C library in
 *    unpredictable ways.
 *
 *  - Do not trust user input and/or the filesystem whenever possible.
 *
 *  Read README.TXT for more details.
 *
 *
 *
 * The purpose of this program is to run a command as a specific
 * application user-id. Typical usage is:
 *
 *   run-as <package-name> <command> <args>
 *
 *  The 'run-as' binary is installed with CAP_SETUID and CAP_SETGID file
 *  capabilities, but will check the following:
 *
 *  - that it is invoked from the 'shell' or 'root' user (abort otherwise)
 *  - that '<package-name>' is the name of an installed and debuggable package
 *  - that the package's data directory is well-formed (see package.c)
 *
 *  If so, it will drop to the application's user id / group id, cd to the
 *  package's data directory, then run the command there.
 *
 *  NOTE: In the future it might not be possible to cd to the package's data
 *  directory under that package's user id / group id, in which case this
 *  utility will need to be changed accordingly.
 *
 *  This can be useful for a number of different things on production devices:
 *
 *  - Allow application developers to look at their own applicative data
 *    during development.
 *
 *  - Run the 'gdbserver' binary executable to allow native debugging
 */

__noreturn static void
panic(const char* format, ...)
{
    va_list args;
    int e = errno;

    fprintf(stderr, "%s: ", PROGNAME);
    va_start(args, format);
    vfprintf(stderr, format, args);
    va_end(args);
    exit(e ? -e : 1);
}

static void
usage(void)
{
    panic("Usage:\n    " PROGNAME " <package-name> <command> [<args>]\n");
}

int main(int argc, char **argv)
{
    const char* pkgname;
    int myuid, uid, gid;
    PackageInfo info;
    struct __user_cap_header_struct capheader;
    struct __user_cap_data_struct capdata[2];

    /* check arguments */
    if (argc < 2) {
        usage();
    }

    /* check userid of caller - must be 'shell' or 'root' */
    myuid = getuid();
    if (myuid != AID_SHELL && myuid != AID_ROOT) {
        panic("only 'shell' or 'root' users can run this program\n");
    }

    memset(&capheader, 0, sizeof(capheader));
    memset(&capdata, 0, sizeof(capdata));
    capheader.version = _LINUX_CAPABILITY_VERSION_3;
    capdata[CAP_TO_INDEX(CAP_SETUID)].effective |= CAP_TO_MASK(CAP_SETUID);
    capdata[CAP_TO_INDEX(CAP_SETGID)].effective |= CAP_TO_MASK(CAP_SETGID);
    capdata[CAP_TO_INDEX(CAP_SETUID)].permitted |= CAP_TO_MASK(CAP_SETUID);
    capdata[CAP_TO_INDEX(CAP_SETGID)].permitted |= CAP_TO_MASK(CAP_SETGID);

    if (capset(&capheader, &capdata[0]) < 0) {
        panic("Could not set capabilities: %s\n", strerror(errno));
    }

    /* retrieve package information from system (does setegid) */
    pkgname = argv[1];
    if (get_package_info(pkgname, &info) < 0) {
        panic("Package '%s' is unknown\n", pkgname);
    }

    /* reject system packages */
    if (info.uid < AID_APP) {
        panic("Package '%s' is not an application\n", pkgname);
    }

    /* reject any non-debuggable package */
    if (!info.isDebuggable) {
        panic("Package '%s' is not debuggable\n", pkgname);
    }

    /* check that the data directory path is valid */
    if (check_data_path(info.dataDir, info.uid) < 0) {
        panic("Package '%s' has corrupt installation\n", pkgname);
    }

    /* Ensure that we change all real/effective/saved IDs at the
     * same time to avoid nasty surprises.
     */
    uid = gid = info.uid;
    if(setresgid(gid,gid,gid) || setresuid(uid,uid,uid)) {
        panic("Permission denied\n");
    }

    /* Required if caller has uid and gid all non-zero */
    memset(&capdata, 0, sizeof(capdata));
    if (capset(&capheader, &capdata[0]) < 0) {
        panic("Could not clear all capabilities: %s\n", strerror(errno));
    }

    if (selinux_android_setcontext(uid, 0, info.seinfo, pkgname) < 0) {
        panic("Could not set SELinux security context: %s\n", strerror(errno));
    }

    /* cd into the data directory */
    if (TEMP_FAILURE_RETRY(chdir(info.dataDir)) < 0) {
        panic("Could not cd to package's data directory: %s\n", strerror(errno));
    }

    /* User specified command for exec. */
    if ((argc >= 3) && (execvp(argv[2], argv+2) < 0)) {
        panic("exec failed for %s: %s\n", argv[2], strerror(errno));
    }

    /* Default exec shell. */
    execlp("/system/bin/sh", "sh", NULL);

    panic("exec failed: %s\n", strerror(errno));
}