1/*
2**
3** Copyright 2010, The Android Open Source Project
4**
5** Licensed under the Apache License, Version 2.0 (the "License");
6** you may not use this file except in compliance with the License.
7** You may obtain a copy of the License at
8**
9**     http://www.apache.org/licenses/LICENSE-2.0
10**
11** Unless required by applicable law or agreed to in writing, software
12** distributed under the License is distributed on an "AS IS" BASIS,
13** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14** See the License for the specific language governing permissions and
15** limitations under the License.
16*/
17
18#define PROGNAME "run-as"
19#define LOG_TAG  PROGNAME
20
21#include <dirent.h>
22#include <errno.h>
23#include <stdarg.h>
24#include <stdio.h>
25#include <stdlib.h>
26#include <string.h>
27#include <sys/capability.h>
28#include <sys/cdefs.h>
29#include <sys/stat.h>
30#include <sys/types.h>
31#include <time.h>
32#include <unistd.h>
33
34#include <private/android_filesystem_config.h>
35#include <selinux/android.h>
36
37#include "package.h"
38
39/*
40 *  WARNING WARNING WARNING WARNING
41 *
42 *  This program runs with CAP_SETUID and CAP_SETGID capabilities on Android
43 *  production devices. Be very conservative when modifying it to avoid any
44 *  serious security issue. Keep in mind the following:
45 *
46 *  - This program should only run for the 'root' or 'shell' users
47 *
48 *  - Avoid anything that is more complex than simple system calls
49 *    until the uid/gid has been dropped to that of a normal user
50 *    or you are sure to exit.
51 *
52 *    This avoids depending on environment variables, system properties
53 *    and other external factors that may affect the C library in
54 *    unpredictable ways.
55 *
56 *  - Do not trust user input and/or the filesystem whenever possible.
57 *
58 *  Read README.TXT for more details.
59 *
60 *
61 *
62 * The purpose of this program is to run a command as a specific
63 * application user-id. Typical usage is:
64 *
65 *   run-as <package-name> <command> <args>
66 *
67 *  The 'run-as' binary is installed with CAP_SETUID and CAP_SETGID file
68 *  capabilities, but will check the following:
69 *
70 *  - that it is invoked from the 'shell' or 'root' user (abort otherwise)
71 *  - that '<package-name>' is the name of an installed and debuggable package
72 *  - that the package's data directory is well-formed (see package.c)
73 *
74 *  If so, it will drop to the application's user id / group id, cd to the
75 *  package's data directory, then run the command there.
76 *
77 *  NOTE: In the future it might not be possible to cd to the package's data
78 *  directory under that package's user id / group id, in which case this
79 *  utility will need to be changed accordingly.
80 *
81 *  This can be useful for a number of different things on production devices:
82 *
83 *  - Allow application developers to look at their own applicative data
84 *    during development.
85 *
86 *  - Run the 'gdbserver' binary executable to allow native debugging
87 */
88
89__noreturn static void
90panic(const char* format, ...)
91{
92    va_list args;
93    int e = errno;
94
95    fprintf(stderr, "%s: ", PROGNAME);
96    va_start(args, format);
97    vfprintf(stderr, format, args);
98    va_end(args);
99    exit(e ? -e : 1);
100}
101
102static void
103usage(void)
104{
105    panic("Usage:\n    " PROGNAME " <package-name> [--user <uid>] <command> [<args>]\n");
106}
107
108int main(int argc, char **argv)
109{
110    const char* pkgname;
111    uid_t myuid, uid, gid, userAppId = 0;
112    int commandArgvOfs = 2, userId = 0;
113    PackageInfo info;
114    struct __user_cap_header_struct capheader;
115    struct __user_cap_data_struct capdata[2];
116
117    /* check arguments */
118    if (argc < 2) {
119        usage();
120    }
121
122    /* check userid of caller - must be 'shell' or 'root' */
123    myuid = getuid();
124    if (myuid != AID_SHELL && myuid != AID_ROOT) {
125        panic("only 'shell' or 'root' users can run this program\n");
126    }
127
128    memset(&capheader, 0, sizeof(capheader));
129    memset(&capdata, 0, sizeof(capdata));
130    capheader.version = _LINUX_CAPABILITY_VERSION_3;
131    capdata[CAP_TO_INDEX(CAP_SETUID)].effective |= CAP_TO_MASK(CAP_SETUID);
132    capdata[CAP_TO_INDEX(CAP_SETGID)].effective |= CAP_TO_MASK(CAP_SETGID);
133    capdata[CAP_TO_INDEX(CAP_SETUID)].permitted |= CAP_TO_MASK(CAP_SETUID);
134    capdata[CAP_TO_INDEX(CAP_SETGID)].permitted |= CAP_TO_MASK(CAP_SETGID);
135
136    if (capset(&capheader, &capdata[0]) < 0) {
137        panic("Could not set capabilities: %s\n", strerror(errno));
138    }
139
140    pkgname = argv[1];
141
142    /* get user_id from command line if provided */
143    if ((argc >= 4) && !strcmp(argv[2], "--user")) {
144        userId = atoi(argv[3]);
145        if (userId < 0)
146            panic("Negative user id %d is provided\n", userId);
147        commandArgvOfs += 2;
148    }
149
150    /* retrieve package information from system (does setegid) */
151    if (get_package_info(pkgname, userId, &info) < 0) {
152        panic("Package '%s' is unknown\n", pkgname);
153    }
154
155    /* verify that user id is not too big. */
156    if ((UID_MAX - info.uid) / AID_USER < (uid_t)userId) {
157        panic("User id %d is too big\n", userId);
158    }
159
160    /* calculate user app ID. */
161    userAppId = (AID_USER * userId) + info.uid;
162
163    /* reject system packages */
164    if (userAppId < AID_APP) {
165        panic("Package '%s' is not an application\n", pkgname);
166    }
167
168    /* reject any non-debuggable package */
169    if (!info.isDebuggable) {
170        panic("Package '%s' is not debuggable\n", pkgname);
171    }
172
173    /* check that the data directory path is valid */
174    if (check_data_path(info.dataDir, userAppId) < 0) {
175        panic("Package '%s' has corrupt installation\n", pkgname);
176    }
177
178    /* Ensure that we change all real/effective/saved IDs at the
179     * same time to avoid nasty surprises.
180     */
181    uid = gid = userAppId;
182    if(setresgid(gid,gid,gid) || setresuid(uid,uid,uid)) {
183        panic("Permission denied\n");
184    }
185
186    /* Required if caller has uid and gid all non-zero */
187    memset(&capdata, 0, sizeof(capdata));
188    if (capset(&capheader, &capdata[0]) < 0) {
189        panic("Could not clear all capabilities: %s\n", strerror(errno));
190    }
191
192    if (selinux_android_setcontext(uid, 0, info.seinfo, pkgname) < 0) {
193        panic("Could not set SELinux security context: %s\n", strerror(errno));
194    }
195
196    /* cd into the data directory */
197    if (TEMP_FAILURE_RETRY(chdir(info.dataDir)) < 0) {
198        panic("Could not cd to package's data directory: %s\n", strerror(errno));
199    }
200
201    /* User specified command for exec. */
202    if ((argc >= commandArgvOfs + 1) &&
203        (execvp(argv[commandArgvOfs], argv+commandArgvOfs) < 0)) {
204        panic("exec failed for %s: %s\n", argv[commandArgvOfs], strerror(errno));
205    }
206
207    /* Default exec shell. */
208    execlp("/system/bin/sh", "sh", NULL);
209
210    panic("exec failed: %s\n", strerror(errno));
211}
212