Mark Salyzyn | 0175b07 | 2014-02-26 09:50:16 -0800 | [diff] [blame] | 1 | /* |
Mark Salyzyn | 1114f18 | 2014-02-21 13:54:07 -0800 | [diff] [blame] | 2 | * Copyright (C) 2012-2014 The Android Open Source Project |
Mark Salyzyn | 0175b07 | 2014-02-26 09:50:16 -0800 | [diff] [blame] | 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
Mark Salyzyn | 1114f18 | 2014-02-21 13:54:07 -0800 | [diff] [blame] | 17 | #include <errno.h> |
| 18 | #include <stdio.h> |
| 19 | #include <stdlib.h> |
Mark Salyzyn | 801bcec | 2015-04-01 09:10:04 -0700 | [diff] [blame] | 20 | #include <string.h> |
Mark Salyzyn | 1114f18 | 2014-02-21 13:54:07 -0800 | [diff] [blame] | 21 | |
| 22 | #include <private/android_filesystem_config.h> |
| 23 | |
Mark Salyzyn | 0175b07 | 2014-02-26 09:50:16 -0800 | [diff] [blame] | 24 | #include "LogCommand.h" |
Mark Salyzyn | 083b037 | 2015-12-04 10:59:45 -0800 | [diff] [blame] | 25 | #include "LogUtils.h" |
Mark Salyzyn | 0175b07 | 2014-02-26 09:50:16 -0800 | [diff] [blame] | 26 | |
Mark Salyzyn | 501c373 | 2017-03-10 14:31:54 -0800 | [diff] [blame] | 27 | LogCommand::LogCommand(const char* cmd) : FrameworkCommand(cmd) { |
Mark Salyzyn | 0175b07 | 2014-02-26 09:50:16 -0800 | [diff] [blame] | 28 | } |
Mark Salyzyn | 1114f18 | 2014-02-21 13:54:07 -0800 | [diff] [blame] | 29 | |
| 30 | // gets a list of supplementary group IDs associated with |
| 31 | // the socket peer. This is implemented by opening |
| 32 | // /proc/PID/status and look for the "Group:" line. |
| 33 | // |
| 34 | // This function introduces races especially since status |
| 35 | // can change 'shape' while reading, the net result is err |
| 36 | // on lack of permission. |
| 37 | // |
| 38 | // Race-free alternative is to introduce pairs of sockets |
| 39 | // and threads for each command and reading, one each that |
| 40 | // has open permissions, and one that has restricted |
| 41 | // permissions. |
| 42 | |
Mark Salyzyn | 501c373 | 2017-03-10 14:31:54 -0800 | [diff] [blame] | 43 | static bool groupIsLog(char* buf) { |
| 44 | char* ptr; |
Mark Salyzyn | 1114f18 | 2014-02-21 13:54:07 -0800 | [diff] [blame] | 45 | static const char ws[] = " \n"; |
Mark Salyzyn | 1114f18 | 2014-02-21 13:54:07 -0800 | [diff] [blame] | 46 | |
| 47 | for (buf = strtok_r(buf, ws, &ptr); buf; buf = strtok_r(NULL, ws, &ptr)) { |
| 48 | errno = 0; |
| 49 | gid_t Gid = strtol(buf, NULL, 10); |
| 50 | if (errno != 0) { |
| 51 | return false; |
| 52 | } |
| 53 | if (Gid == AID_LOG) { |
Mark Salyzyn | 86eb38f | 2015-09-01 08:40:39 -0700 | [diff] [blame] | 54 | return true; |
Mark Salyzyn | 1114f18 | 2014-02-21 13:54:07 -0800 | [diff] [blame] | 55 | } |
| 56 | } |
Mark Salyzyn | 86eb38f | 2015-09-01 08:40:39 -0700 | [diff] [blame] | 57 | return false; |
Mark Salyzyn | 1114f18 | 2014-02-21 13:54:07 -0800 | [diff] [blame] | 58 | } |
| 59 | |
Mark Salyzyn | 083b037 | 2015-12-04 10:59:45 -0800 | [diff] [blame] | 60 | bool clientHasLogCredentials(uid_t uid, gid_t gid, pid_t pid) { |
| 61 | if ((uid == AID_ROOT) || (uid == AID_SYSTEM) || (uid == AID_LOG)) { |
Mark Salyzyn | 1114f18 | 2014-02-21 13:54:07 -0800 | [diff] [blame] | 62 | return true; |
| 63 | } |
| 64 | |
Mark Salyzyn | 57a0af9 | 2014-05-09 17:44:18 -0700 | [diff] [blame] | 65 | if ((gid == AID_ROOT) || (gid == AID_SYSTEM) || (gid == AID_LOG)) { |
Mark Salyzyn | 1114f18 | 2014-02-21 13:54:07 -0800 | [diff] [blame] | 66 | return true; |
| 67 | } |
| 68 | |
| 69 | // FYI We will typically be here for 'adb logcat' |
Mark Salyzyn | 86eb38f | 2015-09-01 08:40:39 -0700 | [diff] [blame] | 70 | char filename[256]; |
Mark Salyzyn | 083b037 | 2015-12-04 10:59:45 -0800 | [diff] [blame] | 71 | snprintf(filename, sizeof(filename), "/proc/%u/status", pid); |
Mark Salyzyn | 1114f18 | 2014-02-21 13:54:07 -0800 | [diff] [blame] | 72 | |
Mark Salyzyn | 86eb38f | 2015-09-01 08:40:39 -0700 | [diff] [blame] | 73 | bool ret; |
| 74 | bool foundLog = false; |
Mark Salyzyn | 1114f18 | 2014-02-21 13:54:07 -0800 | [diff] [blame] | 75 | bool foundGid = false; |
| 76 | bool foundUid = false; |
| 77 | |
Mark Salyzyn | 86eb38f | 2015-09-01 08:40:39 -0700 | [diff] [blame] | 78 | // |
| 79 | // Reading /proc/<pid>/status is rife with race conditions. All of /proc |
| 80 | // suffers from this and its use should be minimized. However, we have no |
| 81 | // choice. |
| 82 | // |
| 83 | // Notably the content from one 4KB page to the next 4KB page can be from a |
| 84 | // change in shape even if we are gracious enough to attempt to read |
| 85 | // atomically. getline can not even guarantee a page read is not split up |
| 86 | // and in effect can read from different vintages of the content. |
| 87 | // |
| 88 | // We are finding out in the field that a 'logcat -c' via adb occasionally |
| 89 | // is returned with permission denied when we did only one pass and thus |
| 90 | // breaking scripts. For security we still err on denying access if in |
| 91 | // doubt, but we expect the falses should be reduced significantly as |
| 92 | // three times is a charm. |
| 93 | // |
Mark Salyzyn | 501c373 | 2017-03-10 14:31:54 -0800 | [diff] [blame] | 94 | for (int retry = 3; !(ret = foundGid && foundUid && foundLog) && retry; |
| 95 | --retry) { |
| 96 | FILE* file = fopen(filename, "r"); |
Mark Salyzyn | 86eb38f | 2015-09-01 08:40:39 -0700 | [diff] [blame] | 97 | if (!file) { |
| 98 | continue; |
Mark Salyzyn | 1114f18 | 2014-02-21 13:54:07 -0800 | [diff] [blame] | 99 | } |
Mark Salyzyn | 1114f18 | 2014-02-21 13:54:07 -0800 | [diff] [blame] | 100 | |
Mark Salyzyn | 501c373 | 2017-03-10 14:31:54 -0800 | [diff] [blame] | 101 | char* line = NULL; |
Mark Salyzyn | 86eb38f | 2015-09-01 08:40:39 -0700 | [diff] [blame] | 102 | size_t len = 0; |
| 103 | while (getline(&line, &len, file) > 0) { |
| 104 | static const char groups_string[] = "Groups:\t"; |
| 105 | static const char uid_string[] = "Uid:\t"; |
| 106 | static const char gid_string[] = "Gid:\t"; |
Mark Salyzyn | 1114f18 | 2014-02-21 13:54:07 -0800 | [diff] [blame] | 107 | |
Mark Salyzyn | 86eb38f | 2015-09-01 08:40:39 -0700 | [diff] [blame] | 108 | if (strncmp(groups_string, line, sizeof(groups_string) - 1) == 0) { |
| 109 | if (groupIsLog(line + sizeof(groups_string) - 1)) { |
| 110 | foundLog = true; |
| 111 | } |
| 112 | } else if (strncmp(uid_string, line, sizeof(uid_string) - 1) == 0) { |
Mark Salyzyn | 501c373 | 2017-03-10 14:31:54 -0800 | [diff] [blame] | 113 | uid_t u[4] = { (uid_t)-1, (uid_t)-1, (uid_t)-1, (uid_t)-1 }; |
Mark Salyzyn | 86eb38f | 2015-09-01 08:40:39 -0700 | [diff] [blame] | 114 | |
Mark Salyzyn | 501c373 | 2017-03-10 14:31:54 -0800 | [diff] [blame] | 115 | sscanf(line + sizeof(uid_string) - 1, "%u\t%u\t%u\t%u", &u[0], |
| 116 | &u[1], &u[2], &u[3]); |
Mark Salyzyn | 86eb38f | 2015-09-01 08:40:39 -0700 | [diff] [blame] | 117 | |
| 118 | // Protect against PID reuse by checking that UID is the same |
Mark Salyzyn | 501c373 | 2017-03-10 14:31:54 -0800 | [diff] [blame] | 119 | if ((uid == u[0]) && (uid == u[1]) && (uid == u[2]) && |
| 120 | (uid == u[3])) { |
Mark Salyzyn | 86eb38f | 2015-09-01 08:40:39 -0700 | [diff] [blame] | 121 | foundUid = true; |
| 122 | } |
| 123 | } else if (strncmp(gid_string, line, sizeof(gid_string) - 1) == 0) { |
Mark Salyzyn | 501c373 | 2017-03-10 14:31:54 -0800 | [diff] [blame] | 124 | gid_t g[4] = { (gid_t)-1, (gid_t)-1, (gid_t)-1, (gid_t)-1 }; |
Mark Salyzyn | 86eb38f | 2015-09-01 08:40:39 -0700 | [diff] [blame] | 125 | |
Mark Salyzyn | 501c373 | 2017-03-10 14:31:54 -0800 | [diff] [blame] | 126 | sscanf(line + sizeof(gid_string) - 1, "%u\t%u\t%u\t%u", &g[0], |
| 127 | &g[1], &g[2], &g[3]); |
Mark Salyzyn | 86eb38f | 2015-09-01 08:40:39 -0700 | [diff] [blame] | 128 | |
| 129 | // Protect against PID reuse by checking that GID is the same |
Mark Salyzyn | 501c373 | 2017-03-10 14:31:54 -0800 | [diff] [blame] | 130 | if ((gid == g[0]) && (gid == g[1]) && (gid == g[2]) && |
| 131 | (gid == g[3])) { |
Mark Salyzyn | 86eb38f | 2015-09-01 08:40:39 -0700 | [diff] [blame] | 132 | foundGid = true; |
| 133 | } |
| 134 | } |
| 135 | } |
| 136 | free(line); |
| 137 | fclose(file); |
Mark Salyzyn | 1114f18 | 2014-02-21 13:54:07 -0800 | [diff] [blame] | 138 | } |
| 139 | |
| 140 | return ret; |
| 141 | } |
Mark Salyzyn | 083b037 | 2015-12-04 10:59:45 -0800 | [diff] [blame] | 142 | |
Mark Salyzyn | 501c373 | 2017-03-10 14:31:54 -0800 | [diff] [blame] | 143 | bool clientHasLogCredentials(SocketClient* cli) { |
Mark Salyzyn | 083b037 | 2015-12-04 10:59:45 -0800 | [diff] [blame] | 144 | return clientHasLogCredentials(cli->getUid(), cli->getGid(), cli->getPid()); |
| 145 | } |