1 /* 2 ** 3 ** Copyright 2010, The Android Open Source Project 4 ** 5 ** Licensed under the Apache License, Version 2.0 (the "License"); 6 ** you may not use this file except in compliance with the License. 7 ** You may obtain a copy of the License at 8 ** 9 ** http://www.apache.org/licenses/LICENSE-2.0 10 ** 11 ** Unless required by applicable law or agreed to in writing, software 12 ** distributed under the License is distributed on an "AS IS" BASIS, 13 ** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 ** See the License for the specific language governing permissions and 15 ** limitations under the License. 16 */ 17 #include <errno.h> 18 #include <fcntl.h> 19 #include <unistd.h> 20 #include <sys/stat.h> 21 #include <sys/mman.h> 22 #include <private/android_filesystem_config.h> 23 #include "package.h" 24 25 /* 26 * WARNING WARNING WARNING WARNING 27 * 28 * The following code runs as root on production devices, before 29 * the run-as command has dropped the uid/gid. Hence be very 30 * conservative and keep in mind the following: 31 * 32 * - Performance does not matter here, clarity and safety of the code 33 * does however. Documentation is a must. 34 * 35 * - Avoid calling C library functions with complex implementations 36 * like malloc() and printf(). You want to depend on simple system 37 * calls instead, which behaviour is not going to be altered in 38 * unpredictible ways by environment variables or system properties. 39 * 40 * - Do not trust user input and/or the filesystem whenever possible. 41 * 42 */ 43 44 /* The file containing the list of installed packages on the system */ 45 #define PACKAGES_LIST_FILE "/data/system/packages.list" 46 47 /* Copy 'srclen' string bytes from 'src' into buffer 'dst' of size 'dstlen' 48 * This function always zero-terminate the destination buffer unless 49 * 'dstlen' is 0, even in case of overflow. 50 * Returns a pointer into the src string, leaving off where the copy 51 * has stopped. The copy will stop when dstlen, srclen or a null 52 * character on src has been reached. 53 */ 54 static const char* 55 string_copy(char* dst, size_t dstlen, const char* src, size_t srclen) 56 { 57 const char* srcend = src + srclen; 58 const char* dstend = dst + dstlen; 59 60 if (dstlen == 0) 61 return src; 62 63 dstend--; /* make room for terminating zero */ 64 65 while (dst < dstend && src < srcend && *src != '\0') 66 *dst++ = *src++; 67 68 *dst = '\0'; /* zero-terminate result */ 69 return src; 70 } 71 72 /* Open 'filename' and map it into our address-space. 73 * Returns buffer address, or NULL on error 74 * On exit, *filesize will be set to the file's size, or 0 on error 75 */ 76 static void* 77 map_file(const char* filename, size_t* filesize) 78 { 79 int fd, ret, old_errno; 80 struct stat st; 81 size_t length = 0; 82 void* address = NULL; 83 gid_t oldegid; 84 85 *filesize = 0; 86 87 /* 88 * Temporarily switch effective GID to allow us to read 89 * the packages file 90 */ 91 92 oldegid = getegid(); 93 if (setegid(AID_PACKAGE_INFO) < 0) { 94 return NULL; 95 } 96 97 /* open the file for reading */ 98 fd = TEMP_FAILURE_RETRY(open(filename, O_RDONLY)); 99 if (fd < 0) { 100 return NULL; 101 } 102 103 /* restore back to our old egid */ 104 if (setegid(oldegid) < 0) { 105 goto EXIT; 106 } 107 108 /* get its size */ 109 ret = TEMP_FAILURE_RETRY(fstat(fd, &st)); 110 if (ret < 0) 111 goto EXIT; 112 113 /* Ensure that the file is owned by the system user */ 114 if ((st.st_uid != AID_SYSTEM) || (st.st_gid != AID_PACKAGE_INFO)) { 115 goto EXIT; 116 } 117 118 /* Ensure that the file has sane permissions */ 119 if ((st.st_mode & S_IWOTH) != 0) { 120 goto EXIT; 121 } 122 123 /* Ensure that the size is not ridiculously large */ 124 length = (size_t)st.st_size; 125 if ((off_t)length != st.st_size) { 126 errno = ENOMEM; 127 goto EXIT; 128 } 129 130 /* Memory-map the file now */ 131 do { 132 address = mmap(NULL, length, PROT_READ, MAP_PRIVATE, fd, 0); 133 } while (address == MAP_FAILED && errno == EINTR); 134 if (address == MAP_FAILED) { 135 address = NULL; 136 goto EXIT; 137 } 138 139 /* We're good, return size */ 140 *filesize = length; 141 142 EXIT: 143 /* close the file, preserve old errno for better diagnostics */ 144 old_errno = errno; 145 close(fd); 146 errno = old_errno; 147 148 return address; 149 } 150 151 /* unmap the file, but preserve errno */ 152 static void 153 unmap_file(void* address, size_t size) 154 { 155 int old_errno = errno; 156 TEMP_FAILURE_RETRY(munmap(address, size)); 157 errno = old_errno; 158 } 159 160 /* Check that a given directory: 161 * - exists 162 * - is owned by a given uid/gid 163 * - is a real directory, not a symlink 164 * - isn't readable or writable by others 165 * 166 * Return 0 on success, or -1 on error. 167 * errno is set to EINVAL in case of failed check. 168 */ 169 static int 170 check_directory_ownership(const char* path, uid_t uid) 171 { 172 int ret; 173 struct stat st; 174 175 do { 176 ret = lstat(path, &st); 177 } while (ret < 0 && errno == EINTR); 178 179 if (ret < 0) 180 return -1; 181 182 /* must be a real directory, not a symlink */ 183 if (!S_ISDIR(st.st_mode)) 184 goto BAD; 185 186 /* must be owned by specific uid/gid */ 187 if (st.st_uid != uid || st.st_gid != uid) 188 goto BAD; 189 190 /* must not be readable or writable by others */ 191 if ((st.st_mode & (S_IROTH|S_IWOTH)) != 0) 192 goto BAD; 193 194 /* everything ok */ 195 return 0; 196 197 BAD: 198 errno = EINVAL; 199 return -1; 200 } 201 202 /* This function is used to check the data directory path for safety. 203 * We check that every sub-directory is owned by the 'system' user 204 * and exists and is not a symlink. We also check that the full directory 205 * path is properly owned by the user ID. 206 * 207 * Return 0 on success, -1 on error. 208 */ 209 int 210 check_data_path(const char* dataPath, uid_t uid) 211 { 212 int nn; 213 214 /* the path should be absolute */ 215 if (dataPath[0] != '/') { 216 errno = EINVAL; 217 return -1; 218 } 219 220 /* look for all sub-paths, we do that by finding 221 * directory separators in the input path and 222 * checking each sub-path independently 223 */ 224 for (nn = 1; dataPath[nn] != '\0'; nn++) 225 { 226 char subpath[PATH_MAX]; 227 228 /* skip non-separator characters */ 229 if (dataPath[nn] != '/') 230 continue; 231 232 /* handle trailing separator case */ 233 if (dataPath[nn+1] == '\0') { 234 break; 235 } 236 237 /* found a separator, check that dataPath is not too long. */ 238 if (nn >= (int)(sizeof subpath)) { 239 errno = EINVAL; 240 return -1; 241 } 242 243 /* reject any '..' subpath */ 244 if (nn >= 3 && 245 dataPath[nn-3] == '/' && 246 dataPath[nn-2] == '.' && 247 dataPath[nn-1] == '.') { 248 errno = EINVAL; 249 return -1; 250 } 251 252 /* copy to 'subpath', then check ownership */ 253 memcpy(subpath, dataPath, nn); 254 subpath[nn] = '\0'; 255 256 if (check_directory_ownership(subpath, AID_SYSTEM) < 0) 257 return -1; 258 } 259 260 /* All sub-paths were checked, now verify that the full data 261 * directory is owned by the application uid 262 */ 263 if (check_directory_ownership(dataPath, uid) < 0) 264 return -1; 265 266 /* all clear */ 267 return 0; 268 } 269 270 /* Return TRUE iff a character is a space or tab */ 271 static inline int 272 is_space(char c) 273 { 274 return (c == ' ' || c == '\t'); 275 } 276 277 /* Skip any space or tab character from 'p' until 'end' is reached. 278 * Return new position. 279 */ 280 static const char* 281 skip_spaces(const char* p, const char* end) 282 { 283 while (p < end && is_space(*p)) 284 p++; 285 286 return p; 287 } 288 289 /* Skip any non-space and non-tab character from 'p' until 'end'. 290 * Return new position. 291 */ 292 static const char* 293 skip_non_spaces(const char* p, const char* end) 294 { 295 while (p < end && !is_space(*p)) 296 p++; 297 298 return p; 299 } 300 301 /* Find the first occurence of 'ch' between 'p' and 'end' 302 * Return its position, or 'end' if none is found. 303 */ 304 static const char* 305 find_first(const char* p, const char* end, char ch) 306 { 307 while (p < end && *p != ch) 308 p++; 309 310 return p; 311 } 312 313 /* Check that the non-space string starting at 'p' and eventually 314 * ending at 'end' equals 'name'. Return new position (after name) 315 * on success, or NULL on failure. 316 * 317 * This function fails is 'name' is NULL, empty or contains any space. 318 */ 319 static const char* 320 compare_name(const char* p, const char* end, const char* name) 321 { 322 /* 'name' must not be NULL or empty */ 323 if (name == NULL || name[0] == '\0' || p == end) 324 return NULL; 325 326 /* compare characters to those in 'name', excluding spaces */ 327 while (*name) { 328 /* note, we don't check for *p == '\0' since 329 * it will be caught in the next conditional. 330 */ 331 if (p >= end || is_space(*p)) 332 goto BAD; 333 334 if (*p != *name) 335 goto BAD; 336 337 p++; 338 name++; 339 } 340 341 /* must be followed by end of line or space */ 342 if (p < end && !is_space(*p)) 343 goto BAD; 344 345 return p; 346 347 BAD: 348 return NULL; 349 } 350 351 /* Parse one or more whitespace characters starting from '*pp' 352 * until 'end' is reached. Updates '*pp' on exit. 353 * 354 * Return 0 on success, -1 on failure. 355 */ 356 static int 357 parse_spaces(const char** pp, const char* end) 358 { 359 const char* p = *pp; 360 361 if (p >= end || !is_space(*p)) { 362 errno = EINVAL; 363 return -1; 364 } 365 p = skip_spaces(p, end); 366 *pp = p; 367 return 0; 368 } 369 370 /* Parse a positive decimal number starting from '*pp' until 'end' 371 * is reached. Adjust '*pp' on exit. Return decimal value or -1 372 * in case of error. 373 * 374 * If the value is larger than INT_MAX, -1 will be returned, 375 * and errno set to EOVERFLOW. 376 * 377 * If '*pp' does not start with a decimal digit, -1 is returned 378 * and errno set to EINVAL. 379 */ 380 static int 381 parse_positive_decimal(const char** pp, const char* end) 382 { 383 const char* p = *pp; 384 int value = 0; 385 int overflow = 0; 386 387 if (p >= end || *p < '0' || *p > '9') { 388 errno = EINVAL; 389 return -1; 390 } 391 392 while (p < end) { 393 int ch = *p; 394 unsigned d = (unsigned)(ch - '0'); 395 int val2; 396 397 if (d >= 10U) /* d is unsigned, no lower bound check */ 398 break; 399 400 val2 = value*10 + (int)d; 401 if (val2 < value) 402 overflow = 1; 403 value = val2; 404 p++; 405 } 406 *pp = p; 407 408 if (overflow) { 409 errno = EOVERFLOW; 410 value = -1; 411 } 412 return value; 413 } 414 415 /* Read the system's package database and extract information about 416 * 'pkgname'. Return 0 in case of success, or -1 in case of error. 417 * 418 * If the package is unknown, return -1 and set errno to ENOENT 419 * If the package database is corrupted, return -1 and set errno to EINVAL 420 */ 421 int 422 get_package_info(const char* pkgName, PackageInfo *info) 423 { 424 char* buffer; 425 size_t buffer_len; 426 const char* p; 427 const char* buffer_end; 428 int result = -1; 429 430 info->uid = 0; 431 info->isDebuggable = 0; 432 info->dataDir[0] = '\0'; 433 info->seinfo[0] = '\0'; 434 435 buffer = map_file(PACKAGES_LIST_FILE, &buffer_len); 436 if (buffer == NULL) 437 return -1; 438 439 p = buffer; 440 buffer_end = buffer + buffer_len; 441 442 /* expect the following format on each line of the control file: 443 * 444 * <pkgName> <uid> <debugFlag> <dataDir> <seinfo> 445 * 446 * where: 447 * <pkgName> is the package's name 448 * <uid> is the application-specific user Id (decimal) 449 * <debugFlag> is 1 if the package is debuggable, or 0 otherwise 450 * <dataDir> is the path to the package's data directory (e.g. /data/data/com.example.foo) 451 * <seinfo> is the seinfo label associated with the package 452 * 453 * The file is generated in com.android.server.PackageManagerService.Settings.writeLP() 454 */ 455 456 while (p < buffer_end) { 457 /* find end of current line and start of next one */ 458 const char* end = find_first(p, buffer_end, '\n'); 459 const char* next = (end < buffer_end) ? end + 1 : buffer_end; 460 const char* q; 461 int uid, debugFlag; 462 463 /* first field is the package name */ 464 p = compare_name(p, end, pkgName); 465 if (p == NULL) 466 goto NEXT_LINE; 467 468 /* skip spaces */ 469 if (parse_spaces(&p, end) < 0) 470 goto BAD_FORMAT; 471 472 /* second field is the pid */ 473 uid = parse_positive_decimal(&p, end); 474 if (uid < 0) 475 return -1; 476 477 info->uid = (uid_t) uid; 478 479 /* skip spaces */ 480 if (parse_spaces(&p, end) < 0) 481 goto BAD_FORMAT; 482 483 /* third field is debug flag (0 or 1) */ 484 debugFlag = parse_positive_decimal(&p, end); 485 switch (debugFlag) { 486 case 0: 487 info->isDebuggable = 0; 488 break; 489 case 1: 490 info->isDebuggable = 1; 491 break; 492 default: 493 goto BAD_FORMAT; 494 } 495 496 /* skip spaces */ 497 if (parse_spaces(&p, end) < 0) 498 goto BAD_FORMAT; 499 500 /* fourth field is data directory path and must not contain 501 * spaces. 502 */ 503 q = skip_non_spaces(p, end); 504 if (q == p) 505 goto BAD_FORMAT; 506 507 p = string_copy(info->dataDir, sizeof info->dataDir, p, q - p); 508 509 /* skip spaces */ 510 if (parse_spaces(&p, end) < 0) 511 goto BAD_FORMAT; 512 513 /* fifth field is the seinfo string */ 514 q = skip_non_spaces(p, end); 515 if (q == p) 516 goto BAD_FORMAT; 517 518 string_copy(info->seinfo, sizeof info->seinfo, p, q - p); 519 520 /* Ignore the rest */ 521 result = 0; 522 goto EXIT; 523 524 NEXT_LINE: 525 p = next; 526 } 527 528 /* the package is unknown */ 529 errno = ENOENT; 530 result = -1; 531 goto EXIT; 532 533 BAD_FORMAT: 534 errno = EINVAL; 535 result = -1; 536 537 EXIT: 538 unmap_file(buffer, buffer_len); 539 return result; 540 } 541
