1 /* 2 * Copyright (C) 2015 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #define TRACE_TAG ADB 18 19 #include "sysdeps.h" 20 21 #include <errno.h> 22 #include <getopt.h> 23 #include <signal.h> 24 #include <stdio.h> 25 #include <stdlib.h> 26 #include <sys/capability.h> 27 #include <sys/prctl.h> 28 29 #include <memory> 30 31 #include <android-base/logging.h> 32 #include <android-base/macros.h> 33 #include <android-base/properties.h> 34 #include <android-base/stringprintf.h> 35 #include <libminijail.h> 36 #include <log/log_properties.h> 37 #include <scoped_minijail.h> 38 39 #include <private/android_filesystem_config.h> 40 #include "debuggerd/handler.h" 41 #include "selinux/android.h" 42 43 #include "adb.h" 44 #include "adb_auth.h" 45 #include "adb_listeners.h" 46 #include "adb_utils.h" 47 #include "transport.h" 48 49 #include "mdns.h" 50 51 static const char* root_seclabel = nullptr; 52 53 static bool should_drop_capabilities_bounding_set() { 54 #if defined(ALLOW_ADBD_ROOT) 55 if (__android_log_is_debuggable()) { 56 return false; 57 } 58 #endif 59 return true; 60 } 61 62 static bool should_drop_privileges() { 63 #if defined(ALLOW_ADBD_ROOT) 64 // The properties that affect `adb root` and `adb unroot` are ro.secure and 65 // ro.debuggable. In this context the names don't make the expected behavior 66 // particularly obvious. 67 // 68 // ro.debuggable: 69 // Allowed to become root, but not necessarily the default. Set to 1 on 70 // eng and userdebug builds. 71 // 72 // ro.secure: 73 // Drop privileges by default. Set to 1 on userdebug and user builds. 74 bool ro_secure = android::base::GetBoolProperty("ro.secure", true); 75 bool ro_debuggable = __android_log_is_debuggable(); 76 77 // Drop privileges if ro.secure is set... 78 bool drop = ro_secure; 79 80 // ... except "adb root" lets you keep privileges in a debuggable build. 81 std::string prop = android::base::GetProperty("service.adb.root", ""); 82 bool adb_root = (prop == "1"); 83 bool adb_unroot = (prop == "0"); 84 if (ro_debuggable && adb_root) { 85 drop = false; 86 } 87 // ... and "adb unroot" lets you explicitly drop privileges. 88 if (adb_unroot) { 89 drop = true; 90 } 91 92 return drop; 93 #else 94 return true; // "adb root" not allowed, always drop privileges. 95 #endif // ALLOW_ADBD_ROOT 96 } 97 98 static void drop_privileges(int server_port) { 99 ScopedMinijail jail(minijail_new()); 100 101 // Add extra groups: 102 // AID_ADB to access the USB driver 103 // AID_LOG to read system logs (adb logcat) 104 // AID_INPUT to diagnose input issues (getevent) 105 // AID_INET to diagnose network issues (ping) 106 // AID_NET_BT and AID_NET_BT_ADMIN to diagnose bluetooth (hcidump) 107 // AID_SDCARD_R to allow reading from the SD card 108 // AID_SDCARD_RW to allow writing to the SD card 109 // AID_NET_BW_STATS to read out qtaguid statistics 110 // AID_READPROC for reading /proc entries across UID boundaries 111 // AID_UHID for using 'hid' command to read/write to /dev/uhid 112 gid_t groups[] = {AID_ADB, AID_LOG, AID_INPUT, AID_INET, 113 AID_NET_BT, AID_NET_BT_ADMIN, AID_SDCARD_R, AID_SDCARD_RW, 114 AID_NET_BW_STATS, AID_READPROC, AID_UHID}; 115 minijail_set_supplementary_gids(jail.get(), arraysize(groups), groups); 116 117 // Don't listen on a port (default 5037) if running in secure mode. 118 // Don't run as root if running in secure mode. 119 if (should_drop_privileges()) { 120 const bool should_drop_caps = should_drop_capabilities_bounding_set(); 121 122 if (should_drop_caps) { 123 minijail_use_caps(jail.get(), CAP_TO_MASK(CAP_SETUID) | CAP_TO_MASK(CAP_SETGID)); 124 } 125 126 minijail_change_gid(jail.get(), AID_SHELL); 127 minijail_change_uid(jail.get(), AID_SHELL); 128 // minijail_enter() will abort if any priv-dropping step fails. 129 minijail_enter(jail.get()); 130 131 // Whenever ambient capabilities are being used, minijail cannot 132 // simultaneously drop the bounding capability set to just 133 // CAP_SETUID|CAP_SETGID while clearing the inheritable, effective, 134 // and permitted sets. So we need to do that in two steps. 135 using ScopedCaps = 136 std::unique_ptr<std::remove_pointer<cap_t>::type, std::function<void(cap_t)>>; 137 ScopedCaps caps(cap_get_proc(), &cap_free); 138 if (cap_clear_flag(caps.get(), CAP_INHERITABLE) == -1) { 139 PLOG(FATAL) << "cap_clear_flag(INHERITABLE) failed"; 140 } 141 if (cap_clear_flag(caps.get(), CAP_EFFECTIVE) == -1) { 142 PLOG(FATAL) << "cap_clear_flag(PEMITTED) failed"; 143 } 144 if (cap_clear_flag(caps.get(), CAP_PERMITTED) == -1) { 145 PLOG(FATAL) << "cap_clear_flag(PEMITTED) failed"; 146 } 147 if (cap_set_proc(caps.get()) != 0) { 148 PLOG(FATAL) << "cap_set_proc() failed"; 149 } 150 151 D("Local port disabled"); 152 } else { 153 // minijail_enter() will abort if any priv-dropping step fails. 154 minijail_enter(jail.get()); 155 156 if (root_seclabel != nullptr) { 157 if (selinux_android_setcon(root_seclabel) < 0) { 158 LOG(FATAL) << "Could not set SELinux context"; 159 } 160 } 161 std::string error; 162 std::string local_name = 163 android::base::StringPrintf("tcp:%d", server_port); 164 if (install_listener(local_name, "*smartsocket*", nullptr, 0, nullptr, &error)) { 165 LOG(FATAL) << "Could not install *smartsocket* listener: " << error; 166 } 167 } 168 } 169 170 static void setup_port(int port) { 171 local_init(port); 172 setup_mdns(port); 173 } 174 175 int adbd_main(int server_port) { 176 umask(0); 177 178 signal(SIGPIPE, SIG_IGN); 179 180 init_transport_registration(); 181 182 // We need to call this even if auth isn't enabled because the file 183 // descriptor will always be open. 184 adbd_cloexec_auth_socket(); 185 186 if (ALLOW_ADBD_NO_AUTH && !android::base::GetBoolProperty("ro.adb.secure", false)) { 187 auth_required = false; 188 } 189 190 adbd_auth_init(); 191 192 // Our external storage path may be different than apps, since 193 // we aren't able to bind mount after dropping root. 194 const char* adb_external_storage = getenv("ADB_EXTERNAL_STORAGE"); 195 if (adb_external_storage != nullptr) { 196 setenv("EXTERNAL_STORAGE", adb_external_storage, 1); 197 } else { 198 D("Warning: ADB_EXTERNAL_STORAGE is not set. Leaving EXTERNAL_STORAGE" 199 " unchanged.\n"); 200 } 201 202 drop_privileges(server_port); 203 204 bool is_usb = false; 205 if (access(USB_FFS_ADB_EP0, F_OK) == 0) { 206 // Listen on USB. 207 usb_init(); 208 is_usb = true; 209 } 210 211 // If one of these properties is set, also listen on that port. 212 // If one of the properties isn't set and we couldn't listen on usb, listen 213 // on the default port. 214 std::string prop_port = android::base::GetProperty("service.adb.tcp.port", ""); 215 if (prop_port.empty()) { 216 prop_port = android::base::GetProperty("persist.adb.tcp.port", ""); 217 } 218 219 int port; 220 if (sscanf(prop_port.c_str(), "%d", &port) == 1 && port > 0) { 221 D("using port=%d", port); 222 // Listen on TCP port specified by service.adb.tcp.port property. 223 setup_port(port); 224 } else if (!is_usb) { 225 // Listen on default port. 226 setup_port(DEFAULT_ADB_LOCAL_TRANSPORT_PORT); 227 } 228 229 D("adbd_main(): pre init_jdwp()"); 230 init_jdwp(); 231 D("adbd_main(): post init_jdwp()"); 232 233 D("Event loop starting"); 234 fdevent_loop(); 235 236 return 0; 237 } 238 239 int main(int argc, char** argv) { 240 while (true) { 241 static struct option opts[] = { 242 {"root_seclabel", required_argument, nullptr, 's'}, 243 {"device_banner", required_argument, nullptr, 'b'}, 244 {"version", no_argument, nullptr, 'v'}, 245 }; 246 247 int option_index = 0; 248 int c = getopt_long(argc, argv, "", opts, &option_index); 249 if (c == -1) { 250 break; 251 } 252 253 switch (c) { 254 case 's': 255 root_seclabel = optarg; 256 break; 257 case 'b': 258 adb_device_banner = optarg; 259 break; 260 case 'v': 261 printf("Android Debug Bridge Daemon version %d.%d.%d\n", ADB_VERSION_MAJOR, 262 ADB_VERSION_MINOR, ADB_SERVER_VERSION); 263 return 0; 264 default: 265 // getopt already prints "adbd: invalid option -- %c" for us. 266 return 1; 267 } 268 } 269 270 close_stdin(); 271 272 debuggerd_init(nullptr); 273 adb_trace_init(argv); 274 275 D("Handling main()"); 276 return adbd_main(DEFAULT_ADB_PORT); 277 } 278
