1 /*
2 * Copyright (C) 2012-2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include "LogPermissions.h"
18
19 #include <errno.h>
20 #include <stdio.h>
21 #include <stdlib.h>
22 #include <string.h>
23 #include <sys/socket.h>
24
25 #include <vector>
26
27 #include <private/android_filesystem_config.h>
28
groupIsLog(char * buf)29 static bool groupIsLog(char* buf) {
30 char* ptr;
31 static const char ws[] = " \n";
32
33 for (buf = strtok_r(buf, ws, &ptr); buf; buf = strtok_r(nullptr, ws, &ptr)) {
34 errno = 0;
35 gid_t Gid = strtol(buf, nullptr, 10);
36 if (errno != 0) {
37 return false;
38 }
39 if (Gid == AID_LOG) {
40 return true;
41 }
42 }
43 return false;
44 }
45
UserIsPrivileged(int id)46 static bool UserIsPrivileged(int id) {
47 return id == AID_ROOT || id == AID_SYSTEM || id == AID_LOG;
48 }
49
50 // gets a list of supplementary group IDs associated with
51 // the socket peer. This is implemented by opening
52 // /proc/PID/status and look for the "Group:" line.
53 //
54 // This function introduces races especially since status
55 // can change 'shape' while reading, the net result is err
56 // on lack of permission.
clientHasLogCredentials(uid_t uid,gid_t gid,pid_t pid)57 bool clientHasLogCredentials(uid_t uid, gid_t gid, pid_t pid) {
58 if (UserIsPrivileged(uid) || UserIsPrivileged(gid)) {
59 return true;
60 }
61
62 // FYI We will typically be here for 'adb logcat'
63 char filename[256];
64 snprintf(filename, sizeof(filename), "/proc/%u/status", pid);
65
66 bool ret;
67 bool foundLog = false;
68 bool foundGid = false;
69 bool foundUid = false;
70
71 //
72 // Reading /proc/<pid>/status is rife with race conditions. All of /proc
73 // suffers from this and its use should be minimized.
74 //
75 // Notably the content from one 4KB page to the next 4KB page can be from a
76 // change in shape even if we are gracious enough to attempt to read
77 // atomically. getline can not even guarantee a page read is not split up
78 // and in effect can read from different vintages of the content.
79 //
80 // We are finding out in the field that a 'logcat -c' via adb occasionally
81 // is returned with permission denied when we did only one pass and thus
82 // breaking scripts. For security we still err on denying access if in
83 // doubt, but we expect the falses should be reduced significantly as
84 // three times is a charm.
85 //
86 for (int retry = 3; !(ret = foundGid && foundUid && foundLog) && retry;
87 --retry) {
88 FILE* file = fopen(filename, "re");
89 if (!file) {
90 continue;
91 }
92
93 char* line = nullptr;
94 size_t len = 0;
95 while (getline(&line, &len, file) > 0) {
96 static const char groups_string[] = "Groups:\t";
97 static const char uid_string[] = "Uid:\t";
98 static const char gid_string[] = "Gid:\t";
99
100 if (strncmp(groups_string, line, sizeof(groups_string) - 1) == 0) {
101 if (groupIsLog(line + sizeof(groups_string) - 1)) {
102 foundLog = true;
103 }
104 } else if (strncmp(uid_string, line, sizeof(uid_string) - 1) == 0) {
105 uid_t u[4] = { (uid_t)-1, (uid_t)-1, (uid_t)-1, (uid_t)-1 };
106
107 sscanf(line + sizeof(uid_string) - 1, "%u\t%u\t%u\t%u", &u[0],
108 &u[1], &u[2], &u[3]);
109
110 // Protect against PID reuse by checking that UID is the same
111 if ((uid == u[0]) && (uid == u[1]) && (uid == u[2]) &&
112 (uid == u[3])) {
113 foundUid = true;
114 }
115 } else if (strncmp(gid_string, line, sizeof(gid_string) - 1) == 0) {
116 gid_t g[4] = { (gid_t)-1, (gid_t)-1, (gid_t)-1, (gid_t)-1 };
117
118 sscanf(line + sizeof(gid_string) - 1, "%u\t%u\t%u\t%u", &g[0],
119 &g[1], &g[2], &g[3]);
120
121 // Protect against PID reuse by checking that GID is the same
122 if ((gid == g[0]) && (gid == g[1]) && (gid == g[2]) &&
123 (gid == g[3])) {
124 foundGid = true;
125 }
126 }
127 }
128 free(line);
129 fclose(file);
130 }
131
132 return ret;
133 }
134
clientHasLogCredentials(SocketClient * cli)135 bool clientHasLogCredentials(SocketClient* cli) {
136 if (UserIsPrivileged(cli->getUid()) || UserIsPrivileged(cli->getGid())) {
137 return true;
138 }
139
140 // Kernel version 4.13 added SO_PEERGROUPS to return the supplemental groups of a peer socket,
141 // so try that first then fallback to the above racy checking of /proc/<pid>/status if the
142 // kernel is too old. Per
143 // https://source.android.com/devices/architecture/kernel/android-common, the fallback can be
144 // removed no earlier than 2024.
145 auto supplemental_groups = std::vector<gid_t>(16, -1);
146 socklen_t groups_size = supplemental_groups.size() * sizeof(gid_t);
147
148 int result = getsockopt(cli->getSocket(), SOL_SOCKET, SO_PEERGROUPS, supplemental_groups.data(),
149 &groups_size);
150
151 if (result != 0) {
152 if (errno != ERANGE) {
153 return clientHasLogCredentials(cli->getUid(), cli->getGid(), cli->getPid());
154 }
155
156 supplemental_groups.resize(groups_size / sizeof(gid_t), -1);
157 result = getsockopt(cli->getSocket(), SOL_SOCKET, SO_PEERGROUPS, supplemental_groups.data(),
158 &groups_size);
159
160 // There is still some error after resizing supplemental_groups, fallback.
161 if (result != 0) {
162 return clientHasLogCredentials(cli->getUid(), cli->getGid(), cli->getPid());
163 }
164 }
165
166 supplemental_groups.resize(groups_size / sizeof(gid_t), -1);
167 for (const auto& gid : supplemental_groups) {
168 if (UserIsPrivileged(gid)) {
169 return true;
170 }
171 }
172
173 return false;
174 }
175