diff --git a/adb/daemon/main.cpp b/adb/daemon/main.cpp index 726d37528b0..6f174eff6ff 100644 --- a/adb/daemon/main.cpp +++ b/adb/daemon/main.cpp @@ -43,122 +43,6 @@ static const char* root_seclabel = nullptr; -static void drop_capabilities_bounding_set_if_needed() { -#ifdef ALLOW_ADBD_ROOT - char value[PROPERTY_VALUE_MAX]; - property_get("ro.debuggable", value, ""); - if (strcmp(value, "1") == 0) { - return; - } -#endif - for (int i = 0; prctl(PR_CAPBSET_READ, i, 0, 0, 0) >= 0; i++) { - if (i == CAP_SETUID || i == CAP_SETGID) { - // CAP_SETUID CAP_SETGID needed by /system/bin/run-as - continue; - } - - if (prctl(PR_CAPBSET_DROP, i, 0, 0, 0) == -1) { - PLOG(FATAL) << "Could not drop capabilities"; - } - } -} - -static bool should_drop_privileges() { -#if defined(ALLOW_ADBD_ROOT) - char value[PROPERTY_VALUE_MAX]; - - // The properties that affect `adb root` and `adb unroot` are ro.secure and - // ro.debuggable. In this context the names don't make the expected behavior - // particularly obvious. - // - // ro.debuggable: - // Allowed to become root, but not necessarily the default. Set to 1 on - // eng and userdebug builds. - // - // ro.secure: - // Drop privileges by default. Set to 1 on userdebug and user builds. - property_get("ro.secure", value, "1"); - bool ro_secure = (strcmp(value, "1") == 0); - - property_get("ro.debuggable", value, ""); - bool ro_debuggable = (strcmp(value, "1") == 0); - - // Drop privileges if ro.secure is set... - bool drop = ro_secure; - - property_get("service.adb.root", value, ""); - bool adb_root = (strcmp(value, "1") == 0); - bool adb_unroot = (strcmp(value, "0") == 0); - - // ... except "adb root" lets you keep privileges in a debuggable build. - if (ro_debuggable && adb_root) { - drop = false; - } - - // ... and "adb unroot" lets you explicitly drop privileges. - if (adb_unroot) { - drop = true; - } - - return drop; -#else - return true; // "adb root" not allowed, always drop privileges. -#endif // ALLOW_ADBD_ROOT -} - -static void drop_privileges(int server_port) { - std::unique_ptr jail(minijail_new(), - &minijail_destroy); - - // Add extra groups: - // AID_ADB to access the USB driver - // AID_LOG to read system logs (adb logcat) - // AID_INPUT to diagnose input issues (getevent) - // AID_INET to diagnose network issues (ping) - // AID_NET_BT and AID_NET_BT_ADMIN to diagnose bluetooth (hcidump) - // AID_SDCARD_R to allow reading from the SD card - // AID_SDCARD_RW to allow writing to the SD card - // AID_NET_BW_STATS to read out qtaguid statistics - // AID_READPROC for reading /proc entries across UID boundaries - gid_t groups[] = {AID_ADB, AID_LOG, AID_INPUT, - AID_INET, AID_NET_BT, AID_NET_BT_ADMIN, - AID_SDCARD_R, AID_SDCARD_RW, AID_NET_BW_STATS, - AID_READPROC}; - minijail_set_supplementary_gids(jail.get(), - sizeof(groups) / sizeof(groups[0]), - groups); - - // Don't listen on a port (default 5037) if running in secure mode. - // Don't run as root if running in secure mode. - if (should_drop_privileges()) { - drop_capabilities_bounding_set_if_needed(); - - minijail_change_gid(jail.get(), AID_SHELL); - minijail_change_uid(jail.get(), AID_SHELL); - // minijail_enter() will abort if any priv-dropping step fails. - minijail_enter(jail.get()); - - D("Local port disabled"); - } else { - // minijail_enter() will abort if any priv-dropping step fails. - minijail_enter(jail.get()); - - if (root_seclabel != nullptr) { - if (selinux_android_setcon(root_seclabel) < 0) { - LOG(FATAL) << "Could not set SELinux context"; - } - } - std::string error; - std::string local_name = - android::base::StringPrintf("tcp:%d", server_port); - if (install_listener(local_name, "*smartsocket*", nullptr, 0, - &error)) { - LOG(FATAL) << "Could not install *smartsocket* listener: " - << error; - } - } -} - int adbd_main(int server_port) { umask(0); @@ -186,8 +70,6 @@ int adbd_main(int server_port) { " unchanged.\n"); } - drop_privileges(server_port); - bool is_usb = false; if (access(USB_ADB_PATH, F_OK) == 0 || access(USB_FFS_ADB_EP0, F_OK) == 0) { // Listen on USB.