1 /* 2 ** 3 ** Copyright 2010, The Android Open Source Project 4 ** 5 ** Licensed under the Apache License, Version 2.0 (the "License"); 6 ** you may not use this file except in compliance with the License. 7 ** You may obtain a copy of the License at 8 ** 9 ** http://www.apache.org/licenses/LICENSE-2.0 10 ** 11 ** Unless required by applicable law or agreed to in writing, software 12 ** distributed under the License is distributed on an "AS IS" BASIS, 13 ** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 ** See the License for the specific language governing permissions and 15 ** limitations under the License. 16 */ 17 18 #define PROGNAME "run-as" 19 #define LOG_TAG PROGNAME 20 21 #include <dirent.h> 22 #include <errno.h> 23 #include <stdarg.h> 24 #include <stdio.h> 25 #include <stdlib.h> 26 #include <string.h> 27 #include <sys/capability.h> 28 #include <sys/cdefs.h> 29 #include <sys/stat.h> 30 #include <sys/types.h> 31 #include <time.h> 32 #include <unistd.h> 33 34 #include <private/android_filesystem_config.h> 35 #include <selinux/android.h> 36 37 #include "package.h" 38 39 /* 40 * WARNING WARNING WARNING WARNING 41 * 42 * This program runs with CAP_SETUID and CAP_SETGID capabilities on Android 43 * production devices. Be very conservative when modifying it to avoid any 44 * serious security issue. Keep in mind the following: 45 * 46 * - This program should only run for the 'root' or 'shell' users 47 * 48 * - Avoid anything that is more complex than simple system calls 49 * until the uid/gid has been dropped to that of a normal user 50 * or you are sure to exit. 51 * 52 * This avoids depending on environment variables, system properties 53 * and other external factors that may affect the C library in 54 * unpredictable ways. 55 * 56 * - Do not trust user input and/or the filesystem whenever possible. 57 * 58 * Read README.TXT for more details. 59 * 60 * 61 * 62 * The purpose of this program is to run a command as a specific 63 * application user-id. Typical usage is: 64 * 65 * run-as <package-name> <command> <args> 66 * 67 * The 'run-as' binary is installed with CAP_SETUID and CAP_SETGID file 68 * capabilities, but will check the following: 69 * 70 * - that it is invoked from the 'shell' or 'root' user (abort otherwise) 71 * - that '<package-name>' is the name of an installed and debuggable package 72 * - that the package's data directory is well-formed (see package.c) 73 * 74 * If so, it will drop to the application's user id / group id, cd to the 75 * package's data directory, then run the command there. 76 * 77 * NOTE: In the future it might not be possible to cd to the package's data 78 * directory under that package's user id / group id, in which case this 79 * utility will need to be changed accordingly. 80 * 81 * This can be useful for a number of different things on production devices: 82 * 83 * - Allow application developers to look at their own applicative data 84 * during development. 85 * 86 * - Run the 'gdbserver' binary executable to allow native debugging 87 */ 88 89 __noreturn static void 90 panic(const char* format, ...) 91 { 92 va_list args; 93 int e = errno; 94 95 fprintf(stderr, "%s: ", PROGNAME); 96 va_start(args, format); 97 vfprintf(stderr, format, args); 98 va_end(args); 99 exit(e ? -e : 1); 100 } 101 102 static void 103 usage(void) 104 { 105 panic("Usage:\n " PROGNAME " <package-name> [--user <uid>] <command> [<args>]\n"); 106 } 107 108 int main(int argc, char **argv) 109 { 110 const char* pkgname; 111 uid_t myuid, uid, gid, userAppId = 0; 112 int commandArgvOfs = 2, userId = 0; 113 PackageInfo info; 114 struct __user_cap_header_struct capheader; 115 struct __user_cap_data_struct capdata[2]; 116 117 /* check arguments */ 118 if (argc < 2) { 119 usage(); 120 } 121 122 /* check userid of caller - must be 'shell' or 'root' */ 123 myuid = getuid(); 124 if (myuid != AID_SHELL && myuid != AID_ROOT) { 125 panic("only 'shell' or 'root' users can run this program\n"); 126 } 127 128 memset(&capheader, 0, sizeof(capheader)); 129 memset(&capdata, 0, sizeof(capdata)); 130 capheader.version = _LINUX_CAPABILITY_VERSION_3; 131 capdata[CAP_TO_INDEX(CAP_SETUID)].effective |= CAP_TO_MASK(CAP_SETUID); 132 capdata[CAP_TO_INDEX(CAP_SETGID)].effective |= CAP_TO_MASK(CAP_SETGID); 133 capdata[CAP_TO_INDEX(CAP_SETUID)].permitted |= CAP_TO_MASK(CAP_SETUID); 134 capdata[CAP_TO_INDEX(CAP_SETGID)].permitted |= CAP_TO_MASK(CAP_SETGID); 135 136 if (capset(&capheader, &capdata[0]) < 0) { 137 panic("Could not set capabilities: %s\n", strerror(errno)); 138 } 139 140 pkgname = argv[1]; 141 142 /* get user_id from command line if provided */ 143 if ((argc >= 4) && !strcmp(argv[2], "--user")) { 144 userId = atoi(argv[3]); 145 if (userId < 0) 146 panic("Negative user id %d is provided\n", userId); 147 commandArgvOfs += 2; 148 } 149 150 /* retrieve package information from system (does setegid) */ 151 if (get_package_info(pkgname, userId, &info) < 0) { 152 panic("Package '%s' is unknown\n", pkgname); 153 } 154 155 /* verify that user id is not too big. */ 156 if ((UID_MAX - info.uid) / AID_USER < (uid_t)userId) { 157 panic("User id %d is too big\n", userId); 158 } 159 160 /* calculate user app ID. */ 161 userAppId = (AID_USER * userId) + info.uid; 162 163 /* reject system packages */ 164 if (userAppId < AID_APP) { 165 panic("Package '%s' is not an application\n", pkgname); 166 } 167 168 /* reject any non-debuggable package */ 169 if (!info.isDebuggable) { 170 panic("Package '%s' is not debuggable\n", pkgname); 171 } 172 173 /* check that the data directory path is valid */ 174 if (check_data_path(info.dataDir, userAppId) < 0) { 175 panic("Package '%s' has corrupt installation\n", pkgname); 176 } 177 178 /* Ensure that we change all real/effective/saved IDs at the 179 * same time to avoid nasty surprises. 180 */ 181 uid = gid = userAppId; 182 if(setresgid(gid,gid,gid) || setresuid(uid,uid,uid)) { 183 panic("Permission denied\n"); 184 } 185 186 /* Required if caller has uid and gid all non-zero */ 187 memset(&capdata, 0, sizeof(capdata)); 188 if (capset(&capheader, &capdata[0]) < 0) { 189 panic("Could not clear all capabilities: %s\n", strerror(errno)); 190 } 191 192 if (selinux_android_setcontext(uid, 0, info.seinfo, pkgname) < 0) { 193 panic("Could not set SELinux security context: %s\n", strerror(errno)); 194 } 195 196 /* cd into the data directory */ 197 if (TEMP_FAILURE_RETRY(chdir(info.dataDir)) < 0) { 198 panic("Could not cd to package's data directory: %s\n", strerror(errno)); 199 } 200 201 /* User specified command for exec. */ 202 if ((argc >= commandArgvOfs + 1) && 203 (execvp(argv[commandArgvOfs], argv+commandArgvOfs) < 0)) { 204 panic("exec failed for %s: %s\n", argv[commandArgvOfs], strerror(errno)); 205 } 206 207 /* Default exec shell. */ 208 execlp("/system/bin/sh", "sh", NULL); 209 210 panic("exec failed: %s\n", strerror(errno)); 211 } 212
