1 /* 2 ** 3 ** Copyright 2010, The Android Open Source Project 4 ** 5 ** Licensed under the Apache License, Version 2.0 (the "License"); 6 ** you may not use this file except in compliance with the License. 7 ** You may obtain a copy of the License at 8 ** 9 ** http://www.apache.org/licenses/LICENSE-2.0 10 ** 11 ** Unless required by applicable law or agreed to in writing, software 12 ** distributed under the License is distributed on an "AS IS" BASIS, 13 ** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 ** See the License for the specific language governing permissions and 15 ** limitations under the License. 16 */ 17 18 #define PROGNAME "run-as" 19 #define LOG_TAG PROGNAME 20 21 #include <dirent.h> 22 #include <errno.h> 23 #include <paths.h> 24 #include <pwd.h> 25 #include <stdarg.h> 26 #include <stdio.h> 27 #include <stdlib.h> 28 #include <string.h> 29 #include <sys/capability.h> 30 #include <sys/cdefs.h> 31 #include <sys/stat.h> 32 #include <sys/types.h> 33 #include <time.h> 34 #include <unistd.h> 35 36 #include <private/android_filesystem_config.h> 37 #include <selinux/android.h> 38 39 #include "package.h" 40 41 /* 42 * WARNING WARNING WARNING WARNING 43 * 44 * This program runs with CAP_SETUID and CAP_SETGID capabilities on Android 45 * production devices. Be very conservative when modifying it to avoid any 46 * serious security issue. Keep in mind the following: 47 * 48 * - This program should only run for the 'root' or 'shell' users 49 * 50 * - Avoid anything that is more complex than simple system calls 51 * until the uid/gid has been dropped to that of a normal user 52 * or you are sure to exit. 53 * 54 * This avoids depending on environment variables, system properties 55 * and other external factors that may affect the C library in 56 * unpredictable ways. 57 * 58 * - Do not trust user input and/or the filesystem whenever possible. 59 * 60 * Read README.TXT for more details. 61 * 62 * 63 * 64 * The purpose of this program is to run a command as a specific 65 * application user-id. Typical usage is: 66 * 67 * run-as <package-name> <command> <args> 68 * 69 * The 'run-as' binary is installed with CAP_SETUID and CAP_SETGID file 70 * capabilities, but will check the following: 71 * 72 * - that it is invoked from the 'shell' or 'root' user (abort otherwise) 73 * - that '<package-name>' is the name of an installed and debuggable package 74 * - that the package's data directory is well-formed (see package.c) 75 * 76 * If so, it will drop to the application's user id / group id, cd to the 77 * package's data directory, then run the command there. 78 * 79 * NOTE: In the future it might not be possible to cd to the package's data 80 * directory under that package's user id / group id, in which case this 81 * utility will need to be changed accordingly. 82 * 83 * This can be useful for a number of different things on production devices: 84 * 85 * - Allow application developers to look at their own applicative data 86 * during development. 87 * 88 * - Run the 'gdbserver' binary executable to allow native debugging 89 */ 90 91 __noreturn static void 92 panic(const char* format, ...) 93 { 94 va_list args; 95 int e = errno; 96 97 fprintf(stderr, "%s: ", PROGNAME); 98 va_start(args, format); 99 vfprintf(stderr, format, args); 100 va_end(args); 101 exit(e ? -e : 1); 102 } 103 104 static void 105 usage(void) 106 { 107 panic("Usage:\n " PROGNAME " <package-name> [--user <uid>] <command> [<args>]\n"); 108 } 109 110 int main(int argc, char **argv) 111 { 112 const char* pkgname; 113 uid_t myuid, uid, gid, userAppId = 0; 114 int commandArgvOfs = 2, userId = 0; 115 PackageInfo info; 116 struct __user_cap_header_struct capheader; 117 struct __user_cap_data_struct capdata[2]; 118 119 /* check arguments */ 120 if (argc < 2) { 121 usage(); 122 } 123 124 /* check userid of caller - must be 'shell' or 'root' */ 125 myuid = getuid(); 126 if (myuid != AID_SHELL && myuid != AID_ROOT) { 127 panic("only 'shell' or 'root' users can run this program\n"); 128 } 129 130 memset(&capheader, 0, sizeof(capheader)); 131 memset(&capdata, 0, sizeof(capdata)); 132 capheader.version = _LINUX_CAPABILITY_VERSION_3; 133 capdata[CAP_TO_INDEX(CAP_SETUID)].effective |= CAP_TO_MASK(CAP_SETUID); 134 capdata[CAP_TO_INDEX(CAP_SETGID)].effective |= CAP_TO_MASK(CAP_SETGID); 135 capdata[CAP_TO_INDEX(CAP_SETUID)].permitted |= CAP_TO_MASK(CAP_SETUID); 136 capdata[CAP_TO_INDEX(CAP_SETGID)].permitted |= CAP_TO_MASK(CAP_SETGID); 137 138 if (capset(&capheader, &capdata[0]) < 0) { 139 panic("Could not set capabilities: %s\n", strerror(errno)); 140 } 141 142 pkgname = argv[1]; 143 144 /* get user_id from command line if provided */ 145 if ((argc >= 4) && !strcmp(argv[2], "--user")) { 146 userId = atoi(argv[3]); 147 if (userId < 0) 148 panic("Negative user id %d is provided\n", userId); 149 commandArgvOfs += 2; 150 } 151 152 /* retrieve package information from system (does setegid) */ 153 if (get_package_info(pkgname, userId, &info) < 0) { 154 panic("Package '%s' is unknown\n", pkgname); 155 } 156 157 /* verify that user id is not too big. */ 158 if ((UID_MAX - info.uid) / AID_USER < (uid_t)userId) { 159 panic("User id %d is too big\n", userId); 160 } 161 162 /* calculate user app ID. */ 163 userAppId = (AID_USER * userId) + info.uid; 164 165 /* reject system packages */ 166 if (userAppId < AID_APP) { 167 panic("Package '%s' is not an application\n", pkgname); 168 } 169 170 /* reject any non-debuggable package */ 171 if (!info.isDebuggable) { 172 panic("Package '%s' is not debuggable\n", pkgname); 173 } 174 175 /* check that the data directory path is valid */ 176 if (check_data_path(info.dataDir, userAppId) < 0) { 177 panic("Package '%s' has corrupt installation\n", pkgname); 178 } 179 180 /* Ensure that we change all real/effective/saved IDs at the 181 * same time to avoid nasty surprises. 182 */ 183 uid = gid = userAppId; 184 if(setresgid(gid,gid,gid) || setresuid(uid,uid,uid)) { 185 panic("Permission denied\n"); 186 } 187 188 /* Required if caller has uid and gid all non-zero */ 189 memset(&capdata, 0, sizeof(capdata)); 190 if (capset(&capheader, &capdata[0]) < 0) { 191 panic("Could not clear all capabilities: %s\n", strerror(errno)); 192 } 193 194 if (selinux_android_setcontext(uid, 0, info.seinfo, pkgname) < 0) { 195 panic("Could not set SELinux security context: %s\n", strerror(errno)); 196 } 197 198 // cd into the data directory, and set $HOME correspondingly. 199 if (TEMP_FAILURE_RETRY(chdir(info.dataDir)) < 0) { 200 panic("Could not cd to package's data directory: %s\n", strerror(errno)); 201 } 202 setenv("HOME", info.dataDir, 1); 203 204 // Reset parts of the environment, like su would. 205 setenv("PATH", _PATH_DEFPATH, 1); 206 unsetenv("IFS"); 207 208 // Set the user-specific parts for this user. 209 struct passwd* pw = getpwuid(uid); 210 setenv("LOGNAME", pw->pw_name, 1); 211 setenv("SHELL", pw->pw_shell, 1); 212 setenv("USER", pw->pw_name, 1); 213 214 /* User specified command for exec. */ 215 if ((argc >= commandArgvOfs + 1) && 216 (execvp(argv[commandArgvOfs], argv+commandArgvOfs) < 0)) { 217 panic("exec failed for %s: %s\n", argv[commandArgvOfs], strerror(errno)); 218 } 219 220 /* Default exec shell. */ 221 execlp("/system/bin/sh", "sh", NULL); 222 223 panic("exec failed: %s\n", strerror(errno)); 224 } 225
