0adea3b792
* commit '60fd3feecab4336d964ca8e31c7c3220e1afb558': Migrate CA certificates to all users
731 lines
22 KiB
C
731 lines
22 KiB
C
/*
|
|
** Copyright 2008, The Android Open Source Project
|
|
**
|
|
** Licensed under the Apache License, Version 2.0 (the "License");
|
|
** you may not use this file except in compliance with the License.
|
|
** You may obtain a copy of the License at
|
|
**
|
|
** http://www.apache.org/licenses/LICENSE-2.0
|
|
**
|
|
** Unless required by applicable law or agreed to in writing, software
|
|
** distributed under the License is distributed on an "AS IS" BASIS,
|
|
** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
** See the License for the specific language governing permissions and
|
|
** limitations under the License.
|
|
*/
|
|
|
|
#include <sys/capability.h>
|
|
#include <sys/prctl.h>
|
|
#include <selinux/android.h>
|
|
#include <selinux/avc.h>
|
|
|
|
#include "installd.h"
|
|
|
|
|
|
#define BUFFER_MAX 1024 /* input buffer for commands */
|
|
#define TOKEN_MAX 8 /* max number of arguments in buffer */
|
|
#define REPLY_MAX 256 /* largest reply allowed */
|
|
|
|
static int do_ping(char **arg __unused, char reply[REPLY_MAX] __unused)
|
|
{
|
|
return 0;
|
|
}
|
|
|
|
static int do_install(char **arg, char reply[REPLY_MAX] __unused)
|
|
{
|
|
return install(arg[0], atoi(arg[1]), atoi(arg[2]), arg[3]); /* pkgname, uid, gid, seinfo */
|
|
}
|
|
|
|
static int do_dexopt(char **arg, char reply[REPLY_MAX] __unused)
|
|
{
|
|
/* apk_path, uid, is_public, pkgname, instruction_set, vm_safe_mode, should_relocate */
|
|
return dexopt(arg[0], atoi(arg[1]), atoi(arg[2]), arg[3], arg[4], atoi(arg[5]), 0);
|
|
}
|
|
|
|
static int do_move_dex(char **arg, char reply[REPLY_MAX] __unused)
|
|
{
|
|
return move_dex(arg[0], arg[1], arg[2]); /* src, dst, instruction_set */
|
|
}
|
|
|
|
static int do_rm_dex(char **arg, char reply[REPLY_MAX] __unused)
|
|
{
|
|
return rm_dex(arg[0], arg[1]); /* pkgname, instruction_set */
|
|
}
|
|
|
|
static int do_remove(char **arg, char reply[REPLY_MAX] __unused)
|
|
{
|
|
return uninstall(arg[0], atoi(arg[1])); /* pkgname, userid */
|
|
}
|
|
|
|
static int do_rename(char **arg, char reply[REPLY_MAX] __unused)
|
|
{
|
|
return renamepkg(arg[0], arg[1]); /* oldpkgname, newpkgname */
|
|
}
|
|
|
|
static int do_fixuid(char **arg, char reply[REPLY_MAX] __unused)
|
|
{
|
|
return fix_uid(arg[0], atoi(arg[1]), atoi(arg[2])); /* pkgname, uid, gid */
|
|
}
|
|
|
|
static int do_free_cache(char **arg, char reply[REPLY_MAX] __unused) /* TODO int:free_size */
|
|
{
|
|
return free_cache((int64_t)atoll(arg[0])); /* free_size */
|
|
}
|
|
|
|
static int do_rm_cache(char **arg, char reply[REPLY_MAX] __unused)
|
|
{
|
|
return delete_cache(arg[0], atoi(arg[1])); /* pkgname, userid */
|
|
}
|
|
|
|
static int do_rm_code_cache(char **arg, char reply[REPLY_MAX] __unused)
|
|
{
|
|
return delete_code_cache(arg[0], atoi(arg[1])); /* pkgname, userid */
|
|
}
|
|
|
|
static int do_get_size(char **arg, char reply[REPLY_MAX])
|
|
{
|
|
int64_t codesize = 0;
|
|
int64_t datasize = 0;
|
|
int64_t cachesize = 0;
|
|
int64_t asecsize = 0;
|
|
int res = 0;
|
|
|
|
/* pkgdir, userid, apkpath */
|
|
res = get_size(arg[0], atoi(arg[1]), arg[2], arg[3], arg[4], arg[5],
|
|
arg[6], &codesize, &datasize, &cachesize, &asecsize);
|
|
|
|
/*
|
|
* Each int64_t can take up 22 characters printed out. Make sure it
|
|
* doesn't go over REPLY_MAX in the future.
|
|
*/
|
|
snprintf(reply, REPLY_MAX, "%" PRId64 " %" PRId64 " %" PRId64 " %" PRId64,
|
|
codesize, datasize, cachesize, asecsize);
|
|
return res;
|
|
}
|
|
|
|
static int do_rm_user_data(char **arg, char reply[REPLY_MAX] __unused)
|
|
{
|
|
return delete_user_data(arg[0], atoi(arg[1])); /* pkgname, userid */
|
|
}
|
|
|
|
static int do_mk_user_data(char **arg, char reply[REPLY_MAX] __unused)
|
|
{
|
|
return make_user_data(arg[0], atoi(arg[1]), atoi(arg[2]), arg[3]);
|
|
/* pkgname, uid, userid, seinfo */
|
|
}
|
|
|
|
static int do_mk_user_config(char **arg, char reply[REPLY_MAX] __unused)
|
|
{
|
|
return make_user_config(atoi(arg[0])); /* userid */
|
|
}
|
|
|
|
static int do_rm_user(char **arg, char reply[REPLY_MAX] __unused)
|
|
{
|
|
return delete_user(atoi(arg[0])); /* userid */
|
|
}
|
|
|
|
static int do_movefiles(char **arg __unused, char reply[REPLY_MAX] __unused)
|
|
{
|
|
return movefiles();
|
|
}
|
|
|
|
static int do_linklib(char **arg, char reply[REPLY_MAX] __unused)
|
|
{
|
|
return linklib(arg[0], arg[1], atoi(arg[2]));
|
|
}
|
|
|
|
static int do_idmap(char **arg, char reply[REPLY_MAX] __unused)
|
|
{
|
|
return idmap(arg[0], arg[1], atoi(arg[2]));
|
|
}
|
|
|
|
static int do_restorecon_data(char **arg, char reply[REPLY_MAX] __attribute__((unused)))
|
|
{
|
|
return restorecon_data(arg[0], arg[1], atoi(arg[2]));
|
|
/* pkgName, seinfo, uid*/
|
|
}
|
|
|
|
static int do_patchoat(char **arg, char reply[REPLY_MAX] __unused) {
|
|
/* apk_path, uid, is_public, pkgname, instruction_set, vm_safe_mode, should_relocate */
|
|
return dexopt(arg[0], atoi(arg[1]), atoi(arg[2]), arg[3], arg[4], 0, 1);
|
|
}
|
|
|
|
struct cmdinfo {
|
|
const char *name;
|
|
unsigned numargs;
|
|
int (*func)(char **arg, char reply[REPLY_MAX]);
|
|
};
|
|
|
|
struct cmdinfo cmds[] = {
|
|
{ "ping", 0, do_ping },
|
|
{ "install", 4, do_install },
|
|
{ "dexopt", 6, do_dexopt },
|
|
{ "movedex", 3, do_move_dex },
|
|
{ "rmdex", 2, do_rm_dex },
|
|
{ "remove", 2, do_remove },
|
|
{ "rename", 2, do_rename },
|
|
{ "fixuid", 3, do_fixuid },
|
|
{ "freecache", 1, do_free_cache },
|
|
{ "rmcache", 2, do_rm_cache },
|
|
{ "rmcodecache", 2, do_rm_code_cache },
|
|
{ "getsize", 7, do_get_size },
|
|
{ "rmuserdata", 2, do_rm_user_data },
|
|
{ "movefiles", 0, do_movefiles },
|
|
{ "linklib", 3, do_linklib },
|
|
{ "mkuserdata", 4, do_mk_user_data },
|
|
{ "mkuserconfig", 1, do_mk_user_config },
|
|
{ "rmuser", 1, do_rm_user },
|
|
{ "idmap", 3, do_idmap },
|
|
{ "restorecondata", 3, do_restorecon_data },
|
|
{ "patchoat", 5, do_patchoat },
|
|
};
|
|
|
|
static int readx(int s, void *_buf, int count)
|
|
{
|
|
char *buf = _buf;
|
|
int n = 0, r;
|
|
if (count < 0) return -1;
|
|
while (n < count) {
|
|
r = read(s, buf + n, count - n);
|
|
if (r < 0) {
|
|
if (errno == EINTR) continue;
|
|
ALOGE("read error: %s\n", strerror(errno));
|
|
return -1;
|
|
}
|
|
if (r == 0) {
|
|
ALOGE("eof\n");
|
|
return -1; /* EOF */
|
|
}
|
|
n += r;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
static int writex(int s, const void *_buf, int count)
|
|
{
|
|
const char *buf = _buf;
|
|
int n = 0, r;
|
|
if (count < 0) return -1;
|
|
while (n < count) {
|
|
r = write(s, buf + n, count - n);
|
|
if (r < 0) {
|
|
if (errno == EINTR) continue;
|
|
ALOGE("write error: %s\n", strerror(errno));
|
|
return -1;
|
|
}
|
|
n += r;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
|
|
/* Tokenize the command buffer, locate a matching command,
|
|
* ensure that the required number of arguments are provided,
|
|
* call the function(), return the result.
|
|
*/
|
|
static int execute(int s, char cmd[BUFFER_MAX])
|
|
{
|
|
char reply[REPLY_MAX];
|
|
char *arg[TOKEN_MAX+1];
|
|
unsigned i;
|
|
unsigned n = 0;
|
|
unsigned short count;
|
|
int ret = -1;
|
|
|
|
// ALOGI("execute('%s')\n", cmd);
|
|
|
|
/* default reply is "" */
|
|
reply[0] = 0;
|
|
|
|
/* n is number of args (not counting arg[0]) */
|
|
arg[0] = cmd;
|
|
while (*cmd) {
|
|
if (isspace(*cmd)) {
|
|
*cmd++ = 0;
|
|
n++;
|
|
arg[n] = cmd;
|
|
if (n == TOKEN_MAX) {
|
|
ALOGE("too many arguments\n");
|
|
goto done;
|
|
}
|
|
}
|
|
cmd++;
|
|
}
|
|
|
|
for (i = 0; i < sizeof(cmds) / sizeof(cmds[0]); i++) {
|
|
if (!strcmp(cmds[i].name,arg[0])) {
|
|
if (n != cmds[i].numargs) {
|
|
ALOGE("%s requires %d arguments (%d given)\n",
|
|
cmds[i].name, cmds[i].numargs, n);
|
|
} else {
|
|
ret = cmds[i].func(arg + 1, reply);
|
|
}
|
|
goto done;
|
|
}
|
|
}
|
|
ALOGE("unsupported command '%s'\n", arg[0]);
|
|
|
|
done:
|
|
if (reply[0]) {
|
|
n = snprintf(cmd, BUFFER_MAX, "%d %s", ret, reply);
|
|
} else {
|
|
n = snprintf(cmd, BUFFER_MAX, "%d", ret);
|
|
}
|
|
if (n > BUFFER_MAX) n = BUFFER_MAX;
|
|
count = n;
|
|
|
|
// ALOGI("reply: '%s'\n", cmd);
|
|
if (writex(s, &count, sizeof(count))) return -1;
|
|
if (writex(s, cmd, count)) return -1;
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* Initialize all the global variables that are used elsewhere. Returns 0 upon
|
|
* success and -1 on error.
|
|
*/
|
|
void free_globals() {
|
|
size_t i;
|
|
|
|
for (i = 0; i < android_system_dirs.count; i++) {
|
|
if (android_system_dirs.dirs[i].path != NULL) {
|
|
free(android_system_dirs.dirs[i].path);
|
|
}
|
|
}
|
|
|
|
free(android_system_dirs.dirs);
|
|
}
|
|
|
|
int initialize_globals() {
|
|
// Get the android data directory.
|
|
if (get_path_from_env(&android_data_dir, "ANDROID_DATA") < 0) {
|
|
return -1;
|
|
}
|
|
|
|
// Get the android app directory.
|
|
if (copy_and_append(&android_app_dir, &android_data_dir, APP_SUBDIR) < 0) {
|
|
return -1;
|
|
}
|
|
|
|
// Get the android protected app directory.
|
|
if (copy_and_append(&android_app_private_dir, &android_data_dir, PRIVATE_APP_SUBDIR) < 0) {
|
|
return -1;
|
|
}
|
|
|
|
// Get the android app native library directory.
|
|
if (copy_and_append(&android_app_lib_dir, &android_data_dir, APP_LIB_SUBDIR) < 0) {
|
|
return -1;
|
|
}
|
|
|
|
// Get the sd-card ASEC mount point.
|
|
if (get_path_from_env(&android_asec_dir, "ASEC_MOUNTPOINT") < 0) {
|
|
return -1;
|
|
}
|
|
|
|
// Get the android media directory.
|
|
if (copy_and_append(&android_media_dir, &android_data_dir, MEDIA_SUBDIR) < 0) {
|
|
return -1;
|
|
}
|
|
|
|
// Take note of the system and vendor directories.
|
|
android_system_dirs.count = 4;
|
|
|
|
android_system_dirs.dirs = calloc(android_system_dirs.count, sizeof(dir_rec_t));
|
|
if (android_system_dirs.dirs == NULL) {
|
|
ALOGE("Couldn't allocate array for dirs; aborting\n");
|
|
return -1;
|
|
}
|
|
|
|
dir_rec_t android_root_dir;
|
|
if (get_path_from_env(&android_root_dir, "ANDROID_ROOT") < 0) {
|
|
ALOGE("Missing ANDROID_ROOT; aborting\n");
|
|
return -1;
|
|
}
|
|
|
|
android_system_dirs.dirs[0].path = build_string2(android_root_dir.path, APP_SUBDIR);
|
|
android_system_dirs.dirs[0].len = strlen(android_system_dirs.dirs[0].path);
|
|
|
|
android_system_dirs.dirs[1].path = build_string2(android_root_dir.path, PRIV_APP_SUBDIR);
|
|
android_system_dirs.dirs[1].len = strlen(android_system_dirs.dirs[1].path);
|
|
|
|
android_system_dirs.dirs[2].path = "/vendor/app/";
|
|
android_system_dirs.dirs[2].len = strlen(android_system_dirs.dirs[2].path);
|
|
|
|
android_system_dirs.dirs[3].path = "/oem/app/";
|
|
android_system_dirs.dirs[3].len = strlen(android_system_dirs.dirs[3].path);
|
|
|
|
return 0;
|
|
}
|
|
|
|
int initialize_directories() {
|
|
int res = -1;
|
|
|
|
// Read current filesystem layout version to handle upgrade paths
|
|
char version_path[PATH_MAX];
|
|
snprintf(version_path, PATH_MAX, "%s.layout_version", android_data_dir.path);
|
|
|
|
int oldVersion;
|
|
if (fs_read_atomic_int(version_path, &oldVersion) == -1) {
|
|
oldVersion = 0;
|
|
}
|
|
int version = oldVersion;
|
|
|
|
// /data/user
|
|
char *user_data_dir = build_string2(android_data_dir.path, SECONDARY_USER_PREFIX);
|
|
// /data/data
|
|
char *legacy_data_dir = build_string2(android_data_dir.path, PRIMARY_USER_PREFIX);
|
|
// /data/user/0
|
|
char *primary_data_dir = build_string3(android_data_dir.path, SECONDARY_USER_PREFIX, "0");
|
|
if (!user_data_dir || !legacy_data_dir || !primary_data_dir) {
|
|
goto fail;
|
|
}
|
|
|
|
// Make the /data/user directory if necessary
|
|
if (access(user_data_dir, R_OK) < 0) {
|
|
if (mkdir(user_data_dir, 0711) < 0) {
|
|
goto fail;
|
|
}
|
|
if (chown(user_data_dir, AID_SYSTEM, AID_SYSTEM) < 0) {
|
|
goto fail;
|
|
}
|
|
if (chmod(user_data_dir, 0711) < 0) {
|
|
goto fail;
|
|
}
|
|
}
|
|
// Make the /data/user/0 symlink to /data/data if necessary
|
|
if (access(primary_data_dir, R_OK) < 0) {
|
|
if (symlink(legacy_data_dir, primary_data_dir)) {
|
|
goto fail;
|
|
}
|
|
}
|
|
|
|
if (version == 0) {
|
|
// Introducing multi-user, so migrate /data/media contents into /data/media/0
|
|
ALOGD("Upgrading /data/media for multi-user");
|
|
|
|
// Ensure /data/media
|
|
if (fs_prepare_dir(android_media_dir.path, 0770, AID_MEDIA_RW, AID_MEDIA_RW) == -1) {
|
|
goto fail;
|
|
}
|
|
|
|
// /data/media.tmp
|
|
char media_tmp_dir[PATH_MAX];
|
|
snprintf(media_tmp_dir, PATH_MAX, "%smedia.tmp", android_data_dir.path);
|
|
|
|
// Only copy when upgrade not already in progress
|
|
if (access(media_tmp_dir, F_OK) == -1) {
|
|
if (rename(android_media_dir.path, media_tmp_dir) == -1) {
|
|
ALOGE("Failed to move legacy media path: %s", strerror(errno));
|
|
goto fail;
|
|
}
|
|
}
|
|
|
|
// Create /data/media again
|
|
if (fs_prepare_dir(android_media_dir.path, 0770, AID_MEDIA_RW, AID_MEDIA_RW) == -1) {
|
|
goto fail;
|
|
}
|
|
|
|
if (selinux_android_restorecon(android_media_dir.path, 0)) {
|
|
goto fail;
|
|
}
|
|
|
|
// /data/media/0
|
|
char owner_media_dir[PATH_MAX];
|
|
snprintf(owner_media_dir, PATH_MAX, "%s0", android_media_dir.path);
|
|
|
|
// Move any owner data into place
|
|
if (access(media_tmp_dir, F_OK) == 0) {
|
|
if (rename(media_tmp_dir, owner_media_dir) == -1) {
|
|
ALOGE("Failed to move owner media path: %s", strerror(errno));
|
|
goto fail;
|
|
}
|
|
}
|
|
|
|
// Ensure media directories for any existing users
|
|
DIR *dir;
|
|
struct dirent *dirent;
|
|
char user_media_dir[PATH_MAX];
|
|
|
|
dir = opendir(user_data_dir);
|
|
if (dir != NULL) {
|
|
while ((dirent = readdir(dir))) {
|
|
if (dirent->d_type == DT_DIR) {
|
|
const char *name = dirent->d_name;
|
|
|
|
// skip "." and ".."
|
|
if (name[0] == '.') {
|
|
if (name[1] == 0) continue;
|
|
if ((name[1] == '.') && (name[2] == 0)) continue;
|
|
}
|
|
|
|
// /data/media/<user_id>
|
|
snprintf(user_media_dir, PATH_MAX, "%s%s", android_media_dir.path, name);
|
|
if (fs_prepare_dir(user_media_dir, 0770, AID_MEDIA_RW, AID_MEDIA_RW) == -1) {
|
|
goto fail;
|
|
}
|
|
}
|
|
}
|
|
closedir(dir);
|
|
}
|
|
|
|
version = 1;
|
|
}
|
|
|
|
// /data/media/obb
|
|
char media_obb_dir[PATH_MAX];
|
|
snprintf(media_obb_dir, PATH_MAX, "%sobb", android_media_dir.path);
|
|
|
|
if (version == 1) {
|
|
// Introducing /data/media/obb for sharing OBB across users; migrate
|
|
// any existing OBB files from owner.
|
|
ALOGD("Upgrading to shared /data/media/obb");
|
|
|
|
// /data/media/0/Android/obb
|
|
char owner_obb_path[PATH_MAX];
|
|
snprintf(owner_obb_path, PATH_MAX, "%s0/Android/obb", android_media_dir.path);
|
|
|
|
// Only move if target doesn't already exist
|
|
if (access(media_obb_dir, F_OK) != 0 && access(owner_obb_path, F_OK) == 0) {
|
|
if (rename(owner_obb_path, media_obb_dir) == -1) {
|
|
ALOGE("Failed to move OBB from owner: %s", strerror(errno));
|
|
goto fail;
|
|
}
|
|
}
|
|
|
|
version = 2;
|
|
}
|
|
|
|
if (ensure_media_user_dirs(0) == -1) {
|
|
ALOGE("Failed to setup media for user 0");
|
|
goto fail;
|
|
}
|
|
if (fs_prepare_dir(media_obb_dir, 0770, AID_MEDIA_RW, AID_MEDIA_RW) == -1) {
|
|
goto fail;
|
|
}
|
|
|
|
if (ensure_config_user_dirs(0) == -1) {
|
|
ALOGE("Failed to setup misc for user 0");
|
|
goto fail;
|
|
}
|
|
|
|
if (version == 2) {
|
|
ALOGD("Upgrading to /data/misc/user directories");
|
|
|
|
char misc_dir[PATH_MAX];
|
|
snprintf(misc_dir, PATH_MAX, "%smisc", android_data_dir.path);
|
|
|
|
char keychain_added_dir[PATH_MAX];
|
|
snprintf(keychain_added_dir, PATH_MAX, "%s/keychain/cacerts-added", misc_dir);
|
|
|
|
char keychain_removed_dir[PATH_MAX];
|
|
snprintf(keychain_removed_dir, PATH_MAX, "%s/keychain/cacerts-removed", misc_dir);
|
|
|
|
DIR *dir;
|
|
struct dirent *dirent;
|
|
dir = opendir(user_data_dir);
|
|
if (dir != NULL) {
|
|
while ((dirent = readdir(dir))) {
|
|
const char *name = dirent->d_name;
|
|
|
|
// skip "." and ".."
|
|
if (name[0] == '.') {
|
|
if (name[1] == 0) continue;
|
|
if ((name[1] == '.') && (name[2] == 0)) continue;
|
|
}
|
|
|
|
uint32_t user_id = atoi(name);
|
|
|
|
// /data/misc/user/<user_id>
|
|
if (ensure_config_user_dirs(user_id) == -1) {
|
|
goto fail;
|
|
}
|
|
|
|
char misc_added_dir[PATH_MAX];
|
|
snprintf(misc_added_dir, PATH_MAX, "%s/user/%s/cacerts-added", misc_dir, name);
|
|
|
|
char misc_removed_dir[PATH_MAX];
|
|
snprintf(misc_removed_dir, PATH_MAX, "%s/user/%s/cacerts-removed", misc_dir, name);
|
|
|
|
uid_t uid = multiuser_get_uid(user_id, AID_SYSTEM);
|
|
gid_t gid = uid;
|
|
if (access(keychain_added_dir, F_OK) == 0) {
|
|
if (copy_dir_files(keychain_added_dir, misc_added_dir, uid, gid) != 0) {
|
|
ALOGE("Some files failed to copy");
|
|
}
|
|
}
|
|
if (access(keychain_removed_dir, F_OK) == 0) {
|
|
if (copy_dir_files(keychain_removed_dir, misc_removed_dir, uid, gid) != 0) {
|
|
ALOGE("Some files failed to copy");
|
|
}
|
|
}
|
|
}
|
|
closedir(dir);
|
|
|
|
if (access(keychain_added_dir, F_OK) == 0) {
|
|
delete_dir_contents(keychain_added_dir, 1, 0);
|
|
}
|
|
if (access(keychain_removed_dir, F_OK) == 0) {
|
|
delete_dir_contents(keychain_removed_dir, 1, 0);
|
|
}
|
|
}
|
|
|
|
version = 3;
|
|
}
|
|
|
|
// Persist layout version if changed
|
|
if (version != oldVersion) {
|
|
if (fs_write_atomic_int(version_path, version) == -1) {
|
|
ALOGE("Failed to save version to %s: %s", version_path, strerror(errno));
|
|
goto fail;
|
|
}
|
|
}
|
|
|
|
// Success!
|
|
res = 0;
|
|
|
|
fail:
|
|
free(user_data_dir);
|
|
free(legacy_data_dir);
|
|
free(primary_data_dir);
|
|
return res;
|
|
}
|
|
|
|
static void drop_privileges() {
|
|
if (prctl(PR_SET_KEEPCAPS, 1) < 0) {
|
|
ALOGE("prctl(PR_SET_KEEPCAPS) failed: %s\n", strerror(errno));
|
|
exit(1);
|
|
}
|
|
|
|
if (setgid(AID_INSTALL) < 0) {
|
|
ALOGE("setgid() can't drop privileges; exiting.\n");
|
|
exit(1);
|
|
}
|
|
|
|
if (setuid(AID_INSTALL) < 0) {
|
|
ALOGE("setuid() can't drop privileges; exiting.\n");
|
|
exit(1);
|
|
}
|
|
|
|
struct __user_cap_header_struct capheader;
|
|
struct __user_cap_data_struct capdata[2];
|
|
memset(&capheader, 0, sizeof(capheader));
|
|
memset(&capdata, 0, sizeof(capdata));
|
|
capheader.version = _LINUX_CAPABILITY_VERSION_3;
|
|
capheader.pid = 0;
|
|
|
|
capdata[CAP_TO_INDEX(CAP_DAC_OVERRIDE)].permitted |= CAP_TO_MASK(CAP_DAC_OVERRIDE);
|
|
capdata[CAP_TO_INDEX(CAP_CHOWN)].permitted |= CAP_TO_MASK(CAP_CHOWN);
|
|
capdata[CAP_TO_INDEX(CAP_SETUID)].permitted |= CAP_TO_MASK(CAP_SETUID);
|
|
capdata[CAP_TO_INDEX(CAP_SETGID)].permitted |= CAP_TO_MASK(CAP_SETGID);
|
|
capdata[CAP_TO_INDEX(CAP_FOWNER)].permitted |= CAP_TO_MASK(CAP_FOWNER);
|
|
|
|
capdata[0].effective = capdata[0].permitted;
|
|
capdata[1].effective = capdata[1].permitted;
|
|
capdata[0].inheritable = 0;
|
|
capdata[1].inheritable = 0;
|
|
|
|
if (capset(&capheader, &capdata[0]) < 0) {
|
|
ALOGE("capset failed: %s\n", strerror(errno));
|
|
exit(1);
|
|
}
|
|
}
|
|
|
|
static int log_callback(int type, const char *fmt, ...) {
|
|
va_list ap;
|
|
int priority;
|
|
|
|
switch (type) {
|
|
case SELINUX_WARNING:
|
|
priority = ANDROID_LOG_WARN;
|
|
break;
|
|
case SELINUX_INFO:
|
|
priority = ANDROID_LOG_INFO;
|
|
break;
|
|
default:
|
|
priority = ANDROID_LOG_ERROR;
|
|
break;
|
|
}
|
|
va_start(ap, fmt);
|
|
LOG_PRI_VA(priority, "SELinux", fmt, ap);
|
|
va_end(ap);
|
|
return 0;
|
|
}
|
|
|
|
int main(const int argc __unused, const char *argv[] __unused) {
|
|
char buf[BUFFER_MAX];
|
|
struct sockaddr addr;
|
|
socklen_t alen;
|
|
int lsocket, s;
|
|
int selinux_enabled = (is_selinux_enabled() > 0);
|
|
|
|
ALOGI("installd firing up\n");
|
|
|
|
union selinux_callback cb;
|
|
cb.func_log = log_callback;
|
|
selinux_set_callback(SELINUX_CB_LOG, cb);
|
|
|
|
if (initialize_globals() < 0) {
|
|
ALOGE("Could not initialize globals; exiting.\n");
|
|
exit(1);
|
|
}
|
|
|
|
if (initialize_directories() < 0) {
|
|
ALOGE("Could not create directories; exiting.\n");
|
|
exit(1);
|
|
}
|
|
|
|
if (selinux_enabled && selinux_status_open(true) < 0) {
|
|
ALOGE("Could not open selinux status; exiting.\n");
|
|
exit(1);
|
|
}
|
|
|
|
drop_privileges();
|
|
|
|
lsocket = android_get_control_socket(SOCKET_PATH);
|
|
if (lsocket < 0) {
|
|
ALOGE("Failed to get socket from environment: %s\n", strerror(errno));
|
|
exit(1);
|
|
}
|
|
if (listen(lsocket, 5)) {
|
|
ALOGE("Listen on socket failed: %s\n", strerror(errno));
|
|
exit(1);
|
|
}
|
|
fcntl(lsocket, F_SETFD, FD_CLOEXEC);
|
|
|
|
for (;;) {
|
|
alen = sizeof(addr);
|
|
s = accept(lsocket, &addr, &alen);
|
|
if (s < 0) {
|
|
ALOGE("Accept failed: %s\n", strerror(errno));
|
|
continue;
|
|
}
|
|
fcntl(s, F_SETFD, FD_CLOEXEC);
|
|
|
|
ALOGI("new connection\n");
|
|
for (;;) {
|
|
unsigned short count;
|
|
if (readx(s, &count, sizeof(count))) {
|
|
ALOGE("failed to read size\n");
|
|
break;
|
|
}
|
|
if ((count < 1) || (count >= BUFFER_MAX)) {
|
|
ALOGE("invalid size %d\n", count);
|
|
break;
|
|
}
|
|
if (readx(s, buf, count)) {
|
|
ALOGE("failed to read command\n");
|
|
break;
|
|
}
|
|
buf[count] = 0;
|
|
if (selinux_enabled && selinux_status_updated() > 0) {
|
|
selinux_android_seapp_context_reload();
|
|
}
|
|
if (execute(s, buf)) break;
|
|
}
|
|
ALOGI("closing connection\n");
|
|
close(s);
|
|
}
|
|
|
|
return 0;
|
|
}
|