diff options
Diffstat (limited to 'adb')
| -rw-r--r-- | adb/Android.mk | 16 | ||||
| -rw-r--r-- | adb/adb.h | 1 | ||||
| -rw-r--r-- | adb/adb_auth.h | 1 | ||||
| -rw-r--r-- | adb/adb_auth_host.c | 32 | ||||
| -rw-r--r-- | adb/commandline.c | 15 | ||||
| -rw-r--r-- | adb/disable_verity_service.c | 199 | ||||
| -rw-r--r-- | adb/remount_service.c | 34 | ||||
| -rw-r--r-- | adb/services.c | 2 | ||||
| -rw-r--r-- | adb/sysdeps_win32.c | 1 | ||||
| -rwxr-xr-x | adb/usb_vendors.c | 5 | ||||
| -rw-r--r-- | adb/usb_windows.c | 1 |
11 files changed, 297 insertions, 10 deletions
diff --git a/adb/Android.mk b/adb/Android.mk index 3828ed3..6271483 100644 --- a/adb/Android.mk +++ b/adb/Android.mk @@ -113,6 +113,7 @@ LOCAL_SRC_FILES := \ jdwp_service.c \ framebuffer_service.c \ remount_service.c \ + disable_verity_service.c \ usb_linux_client.c LOCAL_CFLAGS := \ @@ -127,14 +128,27 @@ ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT))) LOCAL_CFLAGS += -DALLOW_ADBD_ROOT=1 endif +ifneq (,$(filter userdebug,$(TARGET_BUILD_VARIANT))) +LOCAL_CFLAGS += -DALLOW_ADBD_DISABLE_VERITY=1 +endif + LOCAL_MODULE := adbd LOCAL_FORCE_STATIC_EXECUTABLE := true LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT_SBIN) LOCAL_UNSTRIPPED_PATH := $(TARGET_ROOT_OUT_SBIN_UNSTRIPPED) +LOCAL_C_INCLUDES += system/extras/ext4_utils system/core/fs_mgr/include + +LOCAL_STATIC_LIBRARIES := liblog \ + libfs_mgr \ + libcutils \ + libc \ + libmincrypt \ + libselinux \ + libext4_utils_static -LOCAL_STATIC_LIBRARIES := liblog libcutils libc libmincrypt libselinux LOCAL_ADDITIONAL_DEPENDENCIES := $(LOCAL_PATH)/Android.mk + include $(BUILD_EXECUTABLE) @@ -329,6 +329,7 @@ int handle_forward_request(const char* service, transport_type ttype, char* seri #if !ADB_HOST void framebuffer_service(int fd, void *cookie); void remount_service(int fd, void *cookie); +void disable_verity_service(int fd, void* cookie); #endif /* packet allocator */ diff --git a/adb/adb_auth.h b/adb/adb_auth.h index b24c674..54dd537 100644 --- a/adb/adb_auth.h +++ b/adb/adb_auth.h @@ -18,6 +18,7 @@ #define __ADB_AUTH_H void adb_auth_init(void); +int adb_auth_keygen(const char* filename); void adb_auth_verified(atransport *t); void send_auth_request(atransport *t); diff --git a/adb/adb_auth_host.c b/adb/adb_auth_host.c index c72fe42..a859199 100644 --- a/adb/adb_auth_host.c +++ b/adb/adb_auth_host.c @@ -15,9 +15,12 @@ */ #include <stdio.h> +#include <stdlib.h> #ifdef _WIN32 -# define WIN32_LEAN_AND_MEAN +# ifndef WIN32_LEAN_AND_MEAN +# define WIN32_LEAN_AND_MEAN +# endif # include "windows.h" # include "shlobj.h" #else @@ -114,18 +117,34 @@ out: static void get_user_info(char *buf, size_t len) { char hostname[1024], username[1024]; - int ret; + int ret = -1; + + if (getenv("HOSTNAME") != NULL) { + strncpy(hostname, getenv("HOSTNAME"), sizeof(hostname)); + hostname[sizeof(hostname)-1] = '\0'; + ret = 0; + } #ifndef _WIN32 - ret = gethostname(hostname, sizeof(hostname)); if (ret < 0) + ret = gethostname(hostname, sizeof(hostname)); #endif + if (ret < 0) strcpy(hostname, "unknown"); + ret = -1; + + if (getenv("LOGNAME") != NULL) { + strncpy(username, getenv("LOGNAME"), sizeof(username)); + username[sizeof(username)-1] = '\0'; + ret = 0; + } + #if !defined _WIN32 && !defined ADB_HOST_ON_TARGET - ret = getlogin_r(username, sizeof(username)); if (ret < 0) + ret = getlogin_r(username, sizeof(username)); #endif + if (ret < 0) strcpy(username, "unknown"); ret = snprintf(buf, len, " %s@%s", username, hostname); @@ -436,6 +455,11 @@ int adb_auth_get_userkey(unsigned char *data, size_t len) return ret + 1; } +int adb_auth_keygen(const char* filename) { + adb_trace_mask |= (1 << TRACE_AUTH); + return (generate_key(filename) == 0); +} + void adb_auth_init(void) { int ret; diff --git a/adb/commandline.c b/adb/commandline.c index 23e9ea4..903b818 100644 --- a/adb/commandline.c +++ b/adb/commandline.c @@ -36,6 +36,7 @@ #define TRACE_TAG TRACE_ADB #include "adb.h" #include "adb_client.h" +#include "adb_auth.h" #include "file_sync_service.h" static int do_cmd(transport_type ttype, char* serial, char *cmd, ...); @@ -189,6 +190,10 @@ void help() "\n" " adb restore <file> - restore device contents from the <file> backup archive\n" "\n" + " adb disable-verity - disable dm-verity checking on USERDEBUG builds\n" + " adb keygen <file> - generate adb public/private key. The private key is stored in <file>,\n" + " and the public key is stored in <file>.pub. Any existing files\n" + " are overwritten.\n" " adb help - show this help message\n" " adb version - show version num\n" "\n" @@ -205,8 +210,7 @@ void help() " adb reboot-bootloader - reboots the device into the bootloader\n" " adb root - restarts the adbd daemon with root permissions\n" " adb usb - restarts the adbd daemon listening on USB\n" - " adb tcpip <port> - restarts the adbd daemon listening on TCP on the specified port" - "\n" + " adb tcpip <port> - restarts the adbd daemon listening on TCP on the specified port\n" "networking:\n" " adb ppp <tty> [parameters] - Run PPP over USB.\n" " Note: you should not automatically start a PPP connection.\n" @@ -1442,7 +1446,7 @@ top: if(!strcmp(argv[0], "remount") || !strcmp(argv[0], "reboot") || !strcmp(argv[0], "reboot-bootloader") || !strcmp(argv[0], "tcpip") || !strcmp(argv[0], "usb") - || !strcmp(argv[0], "root")) { + || !strcmp(argv[0], "root") || !strcmp(argv[0], "disable-verity")) { char command[100]; if (!strcmp(argv[0], "reboot-bootloader")) snprintf(command, sizeof(command), "reboot:bootloader"); @@ -1725,6 +1729,11 @@ top: return restore(argc, argv); } + if (!strcmp(argv[0], "keygen")) { + if (argc < 2) return usage(); + return adb_auth_keygen(argv[1]); + } + if (!strcmp(argv[0], "jdwp")) { int fd = adb_connect("jdwp"); if (fd >= 0) { diff --git a/adb/disable_verity_service.c b/adb/disable_verity_service.c new file mode 100644 index 0000000..ed3da52 --- /dev/null +++ b/adb/disable_verity_service.c @@ -0,0 +1,199 @@ +/* + * Copyright (C) 2014 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "sysdeps.h" + +#define TRACE_TAG TRACE_ADB +#include "adb.h" + +#include <stdio.h> +#include <stdarg.h> +#include <sys/stat.h> +#include <fcntl.h> +#include <inttypes.h> + +#include "cutils/properties.h" +#include "ext4_sb.h" +#include <fs_mgr.h> + +#define FSTAB_PREFIX "/fstab." +struct fstab *fstab; + +__attribute__((__format__(printf, 2, 3))) __nonnull((2)) +static void write_console(int fd, const char* format, ...) +{ + char buffer[256]; + va_list args; + va_start (args, format); + vsnprintf (buffer, sizeof(buffer), format, args); + va_end (args); + + adb_write(fd, buffer, strnlen(buffer, sizeof(buffer))); +} + +static int get_target_device_size(int fd, const char *blk_device, + uint64_t *device_size) +{ + int data_device; + struct ext4_super_block sb; + struct fs_info info; + + info.len = 0; /* Only len is set to 0 to ask the device for real size. */ + + data_device = adb_open(blk_device, O_RDONLY | O_CLOEXEC); + if (data_device < 0) { + write_console(fd, "Error opening block device (%s)\n", strerror(errno)); + return -1; + } + + if (lseek64(data_device, 1024, SEEK_SET) < 0) { + write_console(fd, "Error seeking to superblock\n"); + adb_close(data_device); + return -1; + } + + if (adb_read(data_device, &sb, sizeof(sb)) != sizeof(sb)) { + write_console(fd, "Error reading superblock\n"); + adb_close(data_device); + return -1; + } + + ext4_parse_sb(&sb, &info); + *device_size = info.len; + + adb_close(data_device); + return 0; +} + +static int disable_verity(int fd, const char *block_device, + const char* mount_point) +{ + uint32_t magic_number; + const uint32_t voff = VERITY_METADATA_MAGIC_DISABLE; + uint64_t device_length; + int device; + int retval = -1; + + device = adb_open(block_device, O_RDWR | O_CLOEXEC); + if (device == -1) { + write_console(fd, "Could not open block device %s (%s).\n", + block_device, strerror(errno)); + write_console(fd, "Maybe run adb remount?\n"); + goto errout; + } + + // find the start of the verity metadata + if (get_target_device_size(fd, (char*)block_device, &device_length) < 0) { + write_console(fd, "Could not get target device size.\n"); + goto errout; + } + + if (lseek64(device, device_length, SEEK_SET) < 0) { + write_console(fd, + "Could not seek to start of verity metadata block.\n"); + goto errout; + } + + // check the magic number + if (adb_read(device, &magic_number, sizeof(magic_number)) + != sizeof(magic_number)) { + write_console(fd, "Couldn't read magic number!\n"); + goto errout; + } + + if (magic_number == VERITY_METADATA_MAGIC_DISABLE) { + write_console(fd, "Verity already disabled on %s\n", mount_point); + goto errout; + } + + if (magic_number != VERITY_METADATA_MAGIC_NUMBER) { + write_console(fd, + "Couldn't find verity metadata at offset %"PRIu64"!\n", + device_length); + goto errout; + } + + if (lseek64(device, device_length, SEEK_SET) < 0) { + write_console(fd, + "Could not seek to start of verity metadata block.\n"); + goto errout; + } + + if (adb_write(device, &voff, sizeof(voff)) != sizeof(voff)) { + write_console(fd, "Could not set verity disabled flag on device %s\n", + block_device); + goto errout; + } + + write_console(fd, "Verity disabled on %s\n", mount_point); + retval = 0; +errout: + if (device != -1) + adb_close(device); + return retval; +} + +void disable_verity_service(int fd, void* cookie) +{ +#ifdef ALLOW_ADBD_DISABLE_VERITY + char fstab_filename[PROPERTY_VALUE_MAX + sizeof(FSTAB_PREFIX)]; + char propbuf[PROPERTY_VALUE_MAX]; + int i; + bool any_disabled = false; + + property_get("ro.secure", propbuf, "0"); + if (strcmp(propbuf, "1")) { + write_console(fd, "verity not enabled - ENG build\n"); + goto errout; + } + + property_get("ro.debuggable", propbuf, "0"); + if (strcmp(propbuf, "1")) { + write_console(fd, "verity cannot be disabled - USER build\n"); + goto errout; + } + + property_get("ro.hardware", propbuf, ""); + snprintf(fstab_filename, sizeof(fstab_filename), FSTAB_PREFIX"%s", propbuf); + + fstab = fs_mgr_read_fstab(fstab_filename); + if (!fstab) { + write_console(fd, "Failed to open %s\nMaybe run adb root?\n", + fstab_filename); + goto errout; + } + + /* Loop through entries looking for ones that vold manages */ + for (i = 0; i < fstab->num_entries; i++) { + if(fs_mgr_is_verified(&fstab->recs[i])) { + if (!disable_verity(fd, fstab->recs[i].blk_device, + fstab->recs[i].mount_point)) { + any_disabled = true; + } + } + } + + if (any_disabled) { + write_console(fd, + "Now reboot your device for settings to take effect\n"); + } +#else + write_console(fd, "disable-verity only works for userdebug builds\n"); +#endif + +errout: + adb_close(fd); +} diff --git a/adb/remount_service.c b/adb/remount_service.c index 72d15a1..36367a7 100644 --- a/adb/remount_service.c +++ b/adb/remount_service.c @@ -14,6 +14,8 @@ * limitations under the License. */ +#include "sysdeps.h" + #include <errno.h> #include <fcntl.h> #include <stdio.h> @@ -22,7 +24,7 @@ #include <sys/mount.h> #include <unistd.h> -#include "sysdeps.h" +#include "cutils/properties.h" #define TRACE_TAG TRACE_ADB #include "adb.h" @@ -115,6 +117,36 @@ static void write_string(int fd, const char* str) void remount_service(int fd, void *cookie) { char buffer[200]; + char prop_buf[PROPERTY_VALUE_MAX]; + + bool system_verified = false, vendor_verified = false; + property_get("partition.system.verified", prop_buf, "0"); + if (!strcmp(prop_buf, "1")) { + system_verified = true; + } + + property_get("partition.vendor.verified", prop_buf, "0"); + if (!strcmp(prop_buf, "1")) { + vendor_verified = true; + } + + if (system_verified || vendor_verified) { + // Allow remount but warn of likely bad effects + bool both = system_verified && vendor_verified; + snprintf(buffer, sizeof(buffer), + "dm_verity is enabled on the %s%s%s partition%s.\n", + system_verified ? "system" : "", + both ? " and " : "", + vendor_verified ? "vendor" : "", + both ? "s" : ""); + write_string(fd, buffer); + snprintf(buffer, sizeof(buffer), + "Use \"adb disable-verity\" to disable verity.\n" + "If you do not, remount may succeed, however, you will still " + "not be able to write to these volumes.\n"); + write_string(fd, buffer); + } + if (remount("/system", &system_ro)) { snprintf(buffer, sizeof(buffer), "remount of system failed: %s\n",strerror(errno)); write_string(fd, buffer); diff --git a/adb/services.c b/adb/services.c index bcfc163..703aec8 100644 --- a/adb/services.c +++ b/adb/services.c @@ -469,6 +469,8 @@ int service_to_fd(const char *name) free(cookie); } } + } else if(!strncmp(name, "disable-verity:", 15)) { + ret = create_service_thread(disable_verity_service, NULL); #endif } if (ret >= 0) { diff --git a/adb/sysdeps_win32.c b/adb/sysdeps_win32.c index b082c6d..e69ec2b 100644 --- a/adb/sysdeps_win32.c +++ b/adb/sysdeps_win32.c @@ -2,6 +2,7 @@ #include <winsock2.h> #include <windows.h> #include <stdio.h> +#include <stdlib.h> #include <errno.h> #define TRACE_TAG TRACE_SYSDEPS #include "adb.h" diff --git a/adb/usb_vendors.c b/adb/usb_vendors.c index b037268..b6e43d5 100755 --- a/adb/usb_vendors.c +++ b/adb/usb_vendors.c @@ -17,9 +17,12 @@ #include "usb_vendors.h" #include <stdio.h> +#include <stdlib.h> #ifdef _WIN32 -# define WIN32_LEAN_AND_MEAN +# ifndef WIN32_LEAN_AND_MEAN +# define WIN32_LEAN_AND_MEAN +# endif # include "windows.h" # include "shlobj.h" #else diff --git a/adb/usb_windows.c b/adb/usb_windows.c index b7ad913..a2d7226 100644 --- a/adb/usb_windows.c +++ b/adb/usb_windows.c @@ -21,6 +21,7 @@ #include <usb100.h> #include <adb_api.h> #include <stdio.h> +#include <stdlib.h> #include "sysdeps.h" |