summaryrefslogtreecommitdiffstats
path: root/run-as
Commit message (Collapse)AuthorAgeFilesLines
* Extend run-as with optional --user argument.Oleksiy Vyalov2015-06-103-13/+48
| | | | | | | | 1. Calculate AID for spawned process as (100000 * $user) + uid_from_packages.list 2. Use /data/user/$user/$packageDir as a root of a new process if $user != 0. Change-Id: I761dfb481114bd51e5a950307fcaf403e96eef10 (cherry picked from commit da31778f3b422d9583f334273eb8d9f6aabd5d34)
* package missing include for string.hMark Salyzyn2015-04-011-2/+4
| | | | | | | | | | | | package.c gets string.h inherited from private/android_filesystem_config.h it should not rely on this in the future. The intent is to move fs_config function into libcutils and thus deprecate any need for string.h in this include file. Bug: 19908228 Change-Id: I5db6d0a88c5b1eb9f582284e9bdd220c096ea69a
* run-as: bracket capabilityMark Salyzyn2015-03-311-45/+48
| | | | | | | | | | - do not assume that caller has granted effective bits in capabilities - only elevate capabilities when needed - suppress capabilities before exec when called as shell,shell,shell - some Android coding standard cleanup Bug: 19908228 Change-Id: Ibe3d1c1a0fdcb54c41d7a72395e50ad749df98ce
* run-as: build 1161573 failureMark Salyzyn2014-05-081-1/+3
| | | | | - pointer to integer comparison. Change-Id: I4a12c357ff5eaf2fc08c19c9efe7e2d7cb0dbe2e
* run-as: turn on -WerrorMark Salyzyn2014-05-072-6/+4
| | | | | | - remove an abandoned code fragment Change-Id: I32d4ad820772685c680d200dc00ef11d102c76bd
* am aed27f80: am b0739c66: Fix run-as which was broken in Android 4.3Alex Klyubin2013-08-281-19/+24
|\ | | | | | | | | * commit 'aed27f8018e4365aa52a5dd8e89c4db2df0273c5': Fix run-as which was broken in Android 4.3
| * Fix run-as which was broken in Android 4.3Alex Klyubin2013-08-211-19/+24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In Android 4.3 the run-as binary no longer has the SUID/SGID bits set. Instead, it requires to be installed with setuid and setgid file-based capabilities. As a result of the above two changes, the binary no longer executes as root when invoked by the "shell" user but can still change its UID/GID to that of the target package. Unfortunately, run-as attempts to chdir into the target package's data directory before changing its effective UID/GID. As a result, when run-as is invoked by the "shell" user, the chdir operation fails. The fix is for run-as to chdir after changing the effective UID/GID to those of the target package. Bug: 10154652 (cherry picked from commit f2904a7b63c2005ab588a9ba2fb309e73200ec81) Change-Id: I0f6cb9efd49f5c2c491f7aa1d614d700a5ec2304
* | Enable run-as to read packages.list now owned by package_info.Alex Klyubin2013-08-201-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | The group ownership of the package database /data/system/packages.list read by run-as was changed in 977a9f3b1a05e6168e8245a1e2061225b68b2b41 from "system" to "package_info". run-as currently changes its effective group to "system" and is thus unable to read the database. This CL fixes the issue by making run-as change its effective group to "package_info" for reading the package database. Bug: 10411916 Change-Id: Id23059bfb5b43264824917873a31c287f057ce4e
* | Add legacy layout support to FUSE, enforce write.Jeff Sharkey2013-08-141-1/+1
|/ | | | | | | | | | | | | | | | | | | | The legacy internal layout places users at the top-level of the filesystem, so handle with new PERM_LEGACY_PRE_ROOT when requested. Mirror single OBB directory between all users without requiring fancy bind mounts by letting a nodes graft in another part of the underlying tree. Move to everything having "sdcard_r" GID by default, and verify that calling apps hold "sdcard_rw" when performing mutations. Determines app group membership from new packages.list column. Flag to optionally enable sdcard_pics/sdcard_av permissions splitting. Flag to supply a default GID for all files. Ignore attempts to access security sensitive files. Fix run-as to check for new "package_info" GID. Change-Id: Id5f3680779109141c65fb8fa1daf56597f49ea0d
* am f19e045c: am c8df252f: Merge "run-as: Get seinfo from packages.list and ↵Geremy Condra2013-03-283-5/+23
|\ | | | | | | | | | | | | pass to libselinux." * commit 'f19e045c58dafbdc46e848ec5a5c935f472dea34': run-as: Get seinfo from packages.list and pass to libselinux.
| * run-as: Get seinfo from packages.list and pass to libselinux.Robert Craig2013-03-283-5/+23
| | | | | | | | | | | | | | | | | | Change allows the proper seinfo value to be passed to libselinux to switch to the proper app security context before running the shell. Change-Id: I9d7ea47c920b1bc09a19008345ed7fd0aa426e87 Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
* | am af4ececc: am 515bed0e: Merge "run-as: set the SELinux security context."Colin Cross2013-03-052-0/+8
|\ \ | |/ | | | | | | * commit 'af4ececc7bd10aec1240acfbfe7756ab8ee16883': run-as: set the SELinux security context.
| * run-as: set the SELinux security context.Stephen Smalley2012-11-132-0/+8
| | | | | | | | | | | | | | | | Before invoking the specified command or a shell, set the SELinux security context. Change-Id: Ifc7f91aed9d298290b95d771484b322ed7a4c594 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* | adb: drop capability bounding set on user buildsNick Kralevich2013-02-151-1/+18
|/ | | | | | | | | | | | | | | | | | | | | | | | run-as: don't require CAP_DAC_OVERRIDE. Prevent an adb spawned application from acquiring capabilities other than * CAP_NET_RAW * CAP_SETUID * CAP_SETGID The only privileged programs accessible on user builds are * /system/bin/ping * /system/bin/run-as and the capabilities above are sufficient to cover those two programs. If the kernel doesn't support file capabilities, we ignore a prctl(PR_CAPBSET_DROP) failure. In a future CL, this could become a fatal error. Change-Id: I45a56712bfda35b5ad9378dde9e04ab062fe691a
* do more checks on packages.listNick Kralevich2012-02-091-0/+10
| | | | Change-Id: I16d6eab5e674c860be915fde2da7877994bed314
* Don't statically compile run-asNick Kralevich2012-01-232-7/+3
| | | | | Bug: 5904033 Change-Id: Ie815f09a2bf51ad583ded82f652d162a7f70b87e
* run-as: use mmap to read package list fileDavid 'Digit' Turner2011-12-061-32/+59
| | | | | | | | | | | | | This patch uses mmap() to read /data/system/packages.list This avoids depending on the size of a fixed static buffer which may happen to be too short for systems with a lot of packages installed. Also avoids calling malloc() which we don't want to trust here since run-as is a setuid program. Change-Id: I1d640a08b5d73af2fc80546b01c8d970c7f6b514
* run-as: Bump the size of the internal packages list buffer.David 'Digit' Turner2011-06-061-1/+1
| | | | | | | | | | | | | | | | This patch increases the size of the internal buffer used by run-as to store the content of /data/system/packages.list from 8KB to 64KB. It has been reported that, on some systems, 8KB was too small. This resulted in a truncated file being loaded, and the inability to debug native applications properly (either because the application was not found in the list, or because the tool reported a 'corrupted installation' due to BAD_FORMAT issues when parsing the truncated file). See http://code.google.com/p/android/issues/detail?id=16391 Change-Id: I0c35a61b163c4abc6f1a2681adc0ef0d76493171
* Add 'run-as' command implementation as set-uid program.David 'Digit' Turner2010-03-175-0/+892
Typical usage is 'run-as <package-name> <command>' to run <command> in the data directory, and the user id, of <package-name> if, and only if <package-name> is the name of an installed and debuggable application. This relies on the /data/system/packages.list file generated by the PackageManager service. BEWARE: This is intended to be available on production devices !