| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
| |
package.c gets string.h inherited from
private/android_filesystem_config.h it should
not rely on this in the future. The intent is
to move fs_config function into libcutils and
thus deprecate any need for string.h in this
include file.
Bug: 19908228
Change-Id: I5db6d0a88c5b1eb9f582284e9bdd220c096ea69a
|
|
|
|
|
|
|
|
|
|
| |
- do not assume that caller has granted effective bits in capabilities
- only elevate capabilities when needed
- suppress capabilities before exec when called as shell,shell,shell
- some Android coding standard cleanup
Bug: 19908228
Change-Id: Ibe3d1c1a0fdcb54c41d7a72395e50ad749df98ce
|
|
|
|
|
| |
- pointer to integer comparison.
Change-Id: I4a12c357ff5eaf2fc08c19c9efe7e2d7cb0dbe2e
|
|
|
|
|
|
| |
- remove an abandoned code fragment
Change-Id: I32d4ad820772685c680d200dc00ef11d102c76bd
|
|\
| |
| |
| |
| | |
* commit 'aed27f8018e4365aa52a5dd8e89c4db2df0273c5':
Fix run-as which was broken in Android 4.3
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
In Android 4.3 the run-as binary no longer has the SUID/SGID bits
set. Instead, it requires to be installed with setuid and setgid
file-based capabilities. As a result of the above two changes, the
binary no longer executes as root when invoked by the "shell" user
but can still change its UID/GID to that of the target package.
Unfortunately, run-as attempts to chdir into the target package's
data directory before changing its effective UID/GID. As a result,
when run-as is invoked by the "shell" user, the chdir operation
fails.
The fix is for run-as to chdir after changing the effective UID/GID
to those of the target package.
Bug: 10154652
(cherry picked from commit f2904a7b63c2005ab588a9ba2fb309e73200ec81)
Change-Id: I0f6cb9efd49f5c2c491f7aa1d614d700a5ec2304
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The group ownership of the package database
/data/system/packages.list read by run-as was changed in
977a9f3b1a05e6168e8245a1e2061225b68b2b41 from "system" to
"package_info". run-as currently changes its effective group to
"system" and is thus unable to read the database.
This CL fixes the issue by making run-as change its effective group
to "package_info" for reading the package database.
Bug: 10411916
Change-Id: Id23059bfb5b43264824917873a31c287f057ce4e
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The legacy internal layout places users at the top-level of the
filesystem, so handle with new PERM_LEGACY_PRE_ROOT when requested.
Mirror single OBB directory between all users without requiring fancy
bind mounts by letting a nodes graft in another part of the
underlying tree.
Move to everything having "sdcard_r" GID by default, and verify that
calling apps hold "sdcard_rw" when performing mutations. Determines
app group membership from new packages.list column.
Flag to optionally enable sdcard_pics/sdcard_av permissions
splitting. Flag to supply a default GID for all files. Ignore
attempts to access security sensitive files. Fix run-as to check for
new "package_info" GID.
Change-Id: Id5f3680779109141c65fb8fa1daf56597f49ea0d
|
|\
| |
| |
| |
| |
| |
| | |
pass to libselinux."
* commit 'f19e045c58dafbdc46e848ec5a5c935f472dea34':
run-as: Get seinfo from packages.list and pass to libselinux.
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Change allows the proper seinfo value to be passed
to libselinux to switch to the proper app security
context before running the shell.
Change-Id: I9d7ea47c920b1bc09a19008345ed7fd0aa426e87
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
|
|\ \
| |/
| |
| |
| | |
* commit 'af4ececc7bd10aec1240acfbfe7756ab8ee16883':
run-as: set the SELinux security context.
|
| |
| |
| |
| |
| |
| |
| |
| | |
Before invoking the specified command or a shell, set the
SELinux security context.
Change-Id: Ifc7f91aed9d298290b95d771484b322ed7a4c594
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
run-as: don't require CAP_DAC_OVERRIDE.
Prevent an adb spawned application from acquiring capabilities
other than
* CAP_NET_RAW
* CAP_SETUID
* CAP_SETGID
The only privileged programs accessible on user builds are
* /system/bin/ping
* /system/bin/run-as
and the capabilities above are sufficient to cover those
two programs.
If the kernel doesn't support file capabilities, we ignore
a prctl(PR_CAPBSET_DROP) failure. In a future CL, this could
become a fatal error.
Change-Id: I45a56712bfda35b5ad9378dde9e04ab062fe691a
|
|
|
|
| |
Change-Id: I16d6eab5e674c860be915fde2da7877994bed314
|
|
|
|
|
| |
Bug: 5904033
Change-Id: Ie815f09a2bf51ad583ded82f652d162a7f70b87e
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch uses mmap() to read /data/system/packages.list
This avoids depending on the size of a fixed static buffer
which may happen to be too short for systems with a lot of
packages installed.
Also avoids calling malloc() which we don't want to trust here
since run-as is a setuid program.
Change-Id: I1d640a08b5d73af2fc80546b01c8d970c7f6b514
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch increases the size of the internal buffer used by run-as
to store the content of /data/system/packages.list from 8KB to 64KB.
It has been reported that, on some systems, 8KB was too small. This
resulted in a truncated file being loaded, and the inability to debug
native applications properly (either because the application was not
found in the list, or because the tool reported a 'corrupted
installation' due to BAD_FORMAT issues when parsing the truncated
file).
See http://code.google.com/p/android/issues/detail?id=16391
Change-Id: I0c35a61b163c4abc6f1a2681adc0ef0d76493171
|
|
Typical usage is 'run-as <package-name> <command>' to run <command>
in the data directory, and the user id, of <package-name> if, and only
if <package-name> is the name of an installed and debuggable application.
This relies on the /data/system/packages.list file generated by the
PackageManager service.
BEWARE: This is intended to be available on production devices !
|