1 /* 2 * Copyright (C) 2015 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #define TRACE_TAG ADB 18 19 #include "sysdeps.h" 20 21 #include <errno.h> 22 #include <signal.h> 23 #include <stdio.h> 24 #include <stdlib.h> 25 #include <getopt.h> 26 #include <sys/prctl.h> 27 28 #include <memory> 29 30 #include <android-base/logging.h> 31 #include <android-base/stringprintf.h> 32 #include <libminijail.h> 33 34 #include "cutils/properties.h" 35 #include "private/android_filesystem_config.h" 36 #include "selinux/android.h" 37 38 #include "adb.h" 39 #include "adb_auth.h" 40 #include "adb_listeners.h" 41 #include "adb_utils.h" 42 #include "transport.h" 43 44 static const char* root_seclabel = nullptr; 45 46 static void drop_capabilities_bounding_set_if_needed() { 47 #ifdef ALLOW_ADBD_ROOT 48 char value[PROPERTY_VALUE_MAX]; 49 property_get("ro.debuggable", value, ""); 50 if (strcmp(value, "1") == 0) { 51 return; 52 } 53 #endif 54 for (int i = 0; prctl(PR_CAPBSET_READ, i, 0, 0, 0) >= 0; i++) { 55 if (i == CAP_SETUID || i == CAP_SETGID) { 56 // CAP_SETUID CAP_SETGID needed by /system/bin/run-as 57 continue; 58 } 59 60 if (prctl(PR_CAPBSET_DROP, i, 0, 0, 0) == -1) { 61 PLOG(FATAL) << "Could not drop capabilities"; 62 } 63 } 64 } 65 66 static bool should_drop_privileges() { 67 #if defined(ALLOW_ADBD_ROOT) 68 char value[PROPERTY_VALUE_MAX]; 69 70 // The properties that affect `adb root` and `adb unroot` are ro.secure and 71 // ro.debuggable. In this context the names don't make the expected behavior 72 // particularly obvious. 73 // 74 // ro.debuggable: 75 // Allowed to become root, but not necessarily the default. Set to 1 on 76 // eng and userdebug builds. 77 // 78 // ro.secure: 79 // Drop privileges by default. Set to 1 on userdebug and user builds. 80 property_get("ro.secure", value, "1"); 81 bool ro_secure = (strcmp(value, "1") == 0); 82 83 property_get("ro.debuggable", value, ""); 84 bool ro_debuggable = (strcmp(value, "1") == 0); 85 86 // Drop privileges if ro.secure is set... 87 bool drop = ro_secure; 88 89 property_get("service.adb.root", value, ""); 90 bool adb_root = (strcmp(value, "1") == 0); 91 bool adb_unroot = (strcmp(value, "0") == 0); 92 93 // ... except "adb root" lets you keep privileges in a debuggable build. 94 if (ro_debuggable && adb_root) { 95 drop = false; 96 } 97 98 // ... and "adb unroot" lets you explicitly drop privileges. 99 if (adb_unroot) { 100 drop = true; 101 } 102 103 return drop; 104 #else 105 return true; // "adb root" not allowed, always drop privileges. 106 #endif // ALLOW_ADBD_ROOT 107 } 108 109 static void drop_privileges(int server_port) { 110 std::unique_ptr<minijail, void (*)(minijail*)> jail(minijail_new(), 111 &minijail_destroy); 112 113 // Add extra groups: 114 // AID_ADB to access the USB driver 115 // AID_LOG to read system logs (adb logcat) 116 // AID_INPUT to diagnose input issues (getevent) 117 // AID_INET to diagnose network issues (ping) 118 // AID_NET_BT and AID_NET_BT_ADMIN to diagnose bluetooth (hcidump) 119 // AID_SDCARD_R to allow reading from the SD card 120 // AID_SDCARD_RW to allow writing to the SD card 121 // AID_NET_BW_STATS to read out qtaguid statistics 122 // AID_READPROC for reading /proc entries across UID boundaries 123 gid_t groups[] = {AID_ADB, AID_LOG, AID_INPUT, 124 AID_INET, AID_NET_BT, AID_NET_BT_ADMIN, 125 AID_SDCARD_R, AID_SDCARD_RW, AID_NET_BW_STATS, 126 AID_READPROC}; 127 minijail_set_supplementary_gids(jail.get(), 128 sizeof(groups) / sizeof(groups[0]), 129 groups); 130 131 // Don't listen on a port (default 5037) if running in secure mode. 132 // Don't run as root if running in secure mode. 133 if (should_drop_privileges()) { 134 drop_capabilities_bounding_set_if_needed(); 135 136 minijail_change_gid(jail.get(), AID_SHELL); 137 minijail_change_uid(jail.get(), AID_SHELL); 138 // minijail_enter() will abort if any priv-dropping step fails. 139 minijail_enter(jail.get()); 140 141 D("Local port disabled"); 142 } else { 143 // minijail_enter() will abort if any priv-dropping step fails. 144 minijail_enter(jail.get()); 145 146 if (root_seclabel != nullptr) { 147 if (selinux_android_setcon(root_seclabel) < 0) { 148 LOG(FATAL) << "Could not set SELinux context"; 149 } 150 } 151 std::string error; 152 std::string local_name = 153 android::base::StringPrintf("tcp:%d", server_port); 154 if (install_listener(local_name, "*smartsocket*", nullptr, 0, 155 &error)) { 156 LOG(FATAL) << "Could not install *smartsocket* listener: " 157 << error; 158 } 159 } 160 } 161 162 int adbd_main(int server_port) { 163 umask(0); 164 165 signal(SIGPIPE, SIG_IGN); 166 167 init_transport_registration(); 168 169 // We need to call this even if auth isn't enabled because the file 170 // descriptor will always be open. 171 adbd_cloexec_auth_socket(); 172 173 if (ALLOW_ADBD_NO_AUTH && property_get_bool("ro.adb.secure", 0) == 0) { 174 auth_required = false; 175 } 176 177 adbd_auth_init(); 178 179 // Our external storage path may be different than apps, since 180 // we aren't able to bind mount after dropping root. 181 const char* adb_external_storage = getenv("ADB_EXTERNAL_STORAGE"); 182 if (adb_external_storage != nullptr) { 183 setenv("EXTERNAL_STORAGE", adb_external_storage, 1); 184 } else { 185 D("Warning: ADB_EXTERNAL_STORAGE is not set. Leaving EXTERNAL_STORAGE" 186 " unchanged.\n"); 187 } 188 189 drop_privileges(server_port); 190 191 bool is_usb = false; 192 if (access(USB_ADB_PATH, F_OK) == 0 || access(USB_FFS_ADB_EP0, F_OK) == 0) { 193 // Listen on USB. 194 usb_init(); 195 is_usb = true; 196 } 197 198 // If one of these properties is set, also listen on that port. 199 // If one of the properties isn't set and we couldn't listen on usb, listen 200 // on the default port. 201 char prop_port[PROPERTY_VALUE_MAX]; 202 property_get("service.adb.tcp.port", prop_port, ""); 203 if (prop_port[0] == '\0') { 204 property_get("persist.adb.tcp.port", prop_port, ""); 205 } 206 207 int port; 208 if (sscanf(prop_port, "%d", &port) == 1 && port > 0) { 209 D("using port=%d", port); 210 // Listen on TCP port specified by service.adb.tcp.port property. 211 local_init(port); 212 } else if (!is_usb) { 213 // Listen on default port. 214 local_init(DEFAULT_ADB_LOCAL_TRANSPORT_PORT); 215 } 216 217 D("adbd_main(): pre init_jdwp()"); 218 init_jdwp(); 219 D("adbd_main(): post init_jdwp()"); 220 221 D("Event loop starting"); 222 fdevent_loop(); 223 224 return 0; 225 } 226 227 int main(int argc, char** argv) { 228 while (true) { 229 static struct option opts[] = { 230 {"root_seclabel", required_argument, nullptr, 's'}, 231 {"device_banner", required_argument, nullptr, 'b'}, 232 {"version", no_argument, nullptr, 'v'}, 233 }; 234 235 int option_index = 0; 236 int c = getopt_long(argc, argv, "", opts, &option_index); 237 if (c == -1) { 238 break; 239 } 240 241 switch (c) { 242 case 's': 243 root_seclabel = optarg; 244 break; 245 case 'b': 246 adb_device_banner = optarg; 247 break; 248 case 'v': 249 printf("Android Debug Bridge Daemon version %d.%d.%d %s\n", 250 ADB_VERSION_MAJOR, ADB_VERSION_MINOR, ADB_SERVER_VERSION, 251 ADB_REVISION); 252 return 0; 253 default: 254 // getopt already prints "adbd: invalid option -- %c" for us. 255 return 1; 256 } 257 } 258 259 close_stdin(); 260 261 adb_trace_init(argv); 262 263 D("Handling main()"); 264 return adbd_main(DEFAULT_ADB_PORT); 265 } 266