|
43 | 43 |
|
44 | 44 | static const char* root_seclabel = nullptr;
|
45 | 45 |
|
46 |
| -static void drop_capabilities_bounding_set_if_needed() { |
47 |
| -#ifdef ALLOW_ADBD_ROOT |
48 |
| - char value[PROPERTY_VALUE_MAX]; |
49 |
| - property_get("ro.debuggable", value, ""); |
50 |
| - if (strcmp(value, "1") == 0) { |
51 |
| - return; |
52 |
| - } |
53 |
| -#endif |
54 |
| - for (int i = 0; prctl(PR_CAPBSET_READ, i, 0, 0, 0) >= 0; i++) { |
55 |
| - if (i == CAP_SETUID || i == CAP_SETGID) { |
56 |
| - // CAP_SETUID CAP_SETGID needed by /system/bin/run-as |
57 |
| - continue; |
58 |
| - } |
59 |
| - |
60 |
| - if (prctl(PR_CAPBSET_DROP, i, 0, 0, 0) == -1) { |
61 |
| - PLOG(FATAL) << "Could not drop capabilities"; |
62 |
| - } |
63 |
| - } |
64 |
| -} |
65 |
| - |
66 |
| -static bool should_drop_privileges() { |
67 |
| -#if defined(ALLOW_ADBD_ROOT) |
68 |
| - char value[PROPERTY_VALUE_MAX]; |
69 |
| - |
70 |
| - // The properties that affect `adb root` and `adb unroot` are ro.secure and |
71 |
| - // ro.debuggable. In this context the names don't make the expected behavior |
72 |
| - // particularly obvious. |
73 |
| - // |
74 |
| - // ro.debuggable: |
75 |
| - // Allowed to become root, but not necessarily the default. Set to 1 on |
76 |
| - // eng and userdebug builds. |
77 |
| - // |
78 |
| - // ro.secure: |
79 |
| - // Drop privileges by default. Set to 1 on userdebug and user builds. |
80 |
| - property_get("ro.secure", value, "1"); |
81 |
| - bool ro_secure = (strcmp(value, "1") == 0); |
82 |
| - |
83 |
| - property_get("ro.debuggable", value, ""); |
84 |
| - bool ro_debuggable = (strcmp(value, "1") == 0); |
85 |
| - |
86 |
| - // Drop privileges if ro.secure is set... |
87 |
| - bool drop = ro_secure; |
88 |
| - |
89 |
| - property_get("service.adb.root", value, ""); |
90 |
| - bool adb_root = (strcmp(value, "1") == 0); |
91 |
| - bool adb_unroot = (strcmp(value, "0") == 0); |
92 |
| - |
93 |
| - // ... except "adb root" lets you keep privileges in a debuggable build. |
94 |
| - if (ro_debuggable && adb_root) { |
95 |
| - drop = false; |
96 |
| - } |
97 |
| - |
98 |
| - // ... and "adb unroot" lets you explicitly drop privileges. |
99 |
| - if (adb_unroot) { |
100 |
| - drop = true; |
101 |
| - } |
102 |
| - |
103 |
| - return drop; |
104 |
| -#else |
105 |
| - return true; // "adb root" not allowed, always drop privileges. |
106 |
| -#endif // ALLOW_ADBD_ROOT |
107 |
| -} |
108 |
| - |
109 |
| -static void drop_privileges(int server_port) { |
110 |
| - std::unique_ptr<minijail, void (*)(minijail*)> jail(minijail_new(), |
111 |
| - &minijail_destroy); |
112 |
| - |
113 |
| - // Add extra groups: |
114 |
| - // AID_ADB to access the USB driver |
115 |
| - // AID_LOG to read system logs (adb logcat) |
116 |
| - // AID_INPUT to diagnose input issues (getevent) |
117 |
| - // AID_INET to diagnose network issues (ping) |
118 |
| - // AID_NET_BT and AID_NET_BT_ADMIN to diagnose bluetooth (hcidump) |
119 |
| - // AID_SDCARD_R to allow reading from the SD card |
120 |
| - // AID_SDCARD_RW to allow writing to the SD card |
121 |
| - // AID_NET_BW_STATS to read out qtaguid statistics |
122 |
| - // AID_READPROC for reading /proc entries across UID boundaries |
123 |
| - gid_t groups[] = {AID_ADB, AID_LOG, AID_INPUT, |
124 |
| - AID_INET, AID_NET_BT, AID_NET_BT_ADMIN, |
125 |
| - AID_SDCARD_R, AID_SDCARD_RW, AID_NET_BW_STATS, |
126 |
| - AID_READPROC}; |
127 |
| - minijail_set_supplementary_gids(jail.get(), |
128 |
| - sizeof(groups) / sizeof(groups[0]), |
129 |
| - groups); |
130 |
| - |
131 |
| - // Don't listen on a port (default 5037) if running in secure mode. |
132 |
| - // Don't run as root if running in secure mode. |
133 |
| - if (should_drop_privileges()) { |
134 |
| - drop_capabilities_bounding_set_if_needed(); |
135 |
| - |
136 |
| - minijail_change_gid(jail.get(), AID_SHELL); |
137 |
| - minijail_change_uid(jail.get(), AID_SHELL); |
138 |
| - // minijail_enter() will abort if any priv-dropping step fails. |
139 |
| - minijail_enter(jail.get()); |
140 |
| - |
141 |
| - D("Local port disabled"); |
142 |
| - } else { |
143 |
| - // minijail_enter() will abort if any priv-dropping step fails. |
144 |
| - minijail_enter(jail.get()); |
145 |
| - |
146 |
| - if (root_seclabel != nullptr) { |
147 |
| - if (selinux_android_setcon(root_seclabel) < 0) { |
148 |
| - LOG(FATAL) << "Could not set SELinux context"; |
149 |
| - } |
150 |
| - } |
151 |
| - std::string error; |
152 |
| - std::string local_name = |
153 |
| - android::base::StringPrintf("tcp:%d", server_port); |
154 |
| - if (install_listener(local_name, "*smartsocket*", nullptr, 0, |
155 |
| - &error)) { |
156 |
| - LOG(FATAL) << "Could not install *smartsocket* listener: " |
157 |
| - << error; |
158 |
| - } |
159 |
| - } |
160 |
| -} |
161 |
| - |
162 | 46 | int adbd_main(int server_port) {
|
163 | 47 | umask(0);
|
164 | 48 |
|
@@ -186,8 +70,6 @@ int adbd_main(int server_port) {
|
186 | 70 | " unchanged.\n");
|
187 | 71 | }
|
188 | 72 |
|
189 |
| - drop_privileges(server_port); |
190 |
| - |
191 | 73 | bool is_usb = false;
|
192 | 74 | if (access(USB_ADB_PATH, F_OK) == 0 || access(USB_FFS_ADB_EP0, F_OK) == 0) {
|
193 | 75 | // Listen on USB.
|
|