author | Nick Kralevich <nnk@google.com> | 2014-01-18 09:25:04 -0800 |
---|---|---|
committer | Nick Kralevich <nnk@google.com> | 2014-01-22 14:20:17 -0800 |
commit | d49aa2537cf0b454dfaa4b0312a403ebff202d70 (patch) | |
tree | 872758864bb935904df0daa6eb824b6bfec0f3da | |
parent | 1db584b899dffca884c3842c07da189f7c9af470 (diff) | |
adbd: switch to su domain when running as root
When adbd runs as root, it should transition into the
su domain. This is needed to run the adbd and shell
domains in enforcing on userdebug / eng devices without
breaking developer workflows.
Introduce a new device_banner command line option.
Change-Id: Ib33c0dd2dd6172035230514ac84fcaed2ecf44d6
-rw-r--r-- | adb/adb.c | 36 | ||||
-rw-r--r-- | rootdir/init.rc | 2 |
2 files changed, 30 insertions, 8 deletions
@@ -39,6 +39,8 @@
 #include <sys/capability.h>
 #include <linux/prctl.h>
 #include <sys/mount.h>
+#include <getopt.h>
+#include <selinux/selinux.h>
 #else
 #include "usb_vendors.h"
 #endif
@@ -54,6 +56,7 @@ static int auth_enabled = 0;
 #if !ADB_HOST
 static const char *adb_device_banner = "device";
+static const char *root_seclabel = NULL;
 #endif
 void fatal(const char *fmt, ...)
@@ -1356,6 +1359,12 @@ int adb_main(int is_daemon, int server_port)
 D("Local port disabled\n");
 } else {
 char local_name[30];
+ if ((root_seclabel != NULL) && (is_selinux_enabled() > 0)) {
+ // b/12587913: fix setcon to allow const pointers
+ if (setcon((char *)root_seclabel) < 0) {
+ exit(1);
+ }
+ }
 build_local_name(local_name, sizeof(local_name), server_port);
 if(install_listener(local_name, "*smartsocket*", NULL, 0)) {
 exit(1);
@@ -1642,10 +1651,6 @@ int handle_host_request(char *service, transport_type ttype, char* serial, int r
 return -1;
 }
-#if !ADB_HOST
-int recovery_mode = 0;
-#endif
-
 int main(int argc, char **argv)
 {
 #if ADB_HOST
@@ -1657,9 +1662,26 @@ int main(int argc, char **argv)
 /* If adbd runs inside the emulator this will enable adb tracing via
 * adb-debug qemud service in the emulator. */
 adb_qemu_trace_init();
- if((argc > 1) && (!strcmp(argv[1],"recovery"))) {
- adb_device_banner = "recovery";
- recovery_mode = 1;
+ while(1) {
+ int c;
+ int option_index = 0;
+ static struct option opts[] = {
+ {"root_seclabel", required_argument, 0, 's' },
+ {"device_banner", required_argument, 0, 'b' }
+ };
+ c = getopt_long(argc, argv, "", opts, &option_index);
+ if (c == -1)
+ break;
+ switch (c) {
+ case 's':
+ root_seclabel = optarg;
+ break;
+ case 'b':
+ adb_device_banner = optarg;
+ break;
+ default:
+ break;
+ }
 }
 start_device_log();
diff --git a/rootdir/init.rc b/rootdir/init.rc
index a66a2e4..a32366c 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
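Review bot: In the `adb_main` hunk the domain transition fails closed but silently: when `setcon()` returns an error the daemon calls `exit(1)` with no message, so a wrong `--root_seclabel` value or a policy denial shows up only as adbd dying. Log the label and the error before exiting, e.g. `D("setcon(%s) failed: %s\n", root_seclabel, strerror(errno));` (assuming `errno`/`strerror` are already available in this file). Also, `is_selinux_enabled() > 0` treats an error return (-1) the same as "disabled", so adbd would carry on as root without the transition; if that is intended, a comment saying so would help. The enclosing function starts and ends outside the hunk.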
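Review bot: The `opts[]` table passed to `getopt_long()` in `main` has no all-zero terminating entry, which getopt_long needs to find the end of the array; an argument that matches neither option makes it read past the two entries. Add `{0, 0, 0, 0}` as the last element. The `default:` branch also swallows unrecognised options without a trace, and the old positional `recovery` argument is no longer recognised, so any caller still starting adbd that way (none is visible in this diff) would now get the `device` banner; a log line in `default:` would make both cases visible. `main` continues outside the hunk.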
@@ -442,7 +442,7 @@ on property:ro.debuggable=1
 start console
 # adbd is controlled via property triggers in init.<platform>.usb.rc
-service adbd /sbin/adbd
+service adbd /sbin/adbd --root_seclabel=u:r:su:s0
 class core
 socket adbd stream 660 system system
 disabled |
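Review bot: The `--root_seclabel=u:r:su:s0` argument is added to the adbd service line for every build type, while the commit message scopes the transition to userdebug / eng devices. From the adb/adb.c change in this commit the label appears to be applied on only one branch of `adb_main`, so this presumably relies on that branch not being taken on user builds; a comment above the service line would record that assumption, e.g. `# --root_seclabel is only applied when adbd keeps running as root (userdebug/eng)`.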