1 /*
2  * Copyright (C) 2012-2014 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include "LogPermissions.h"
18 
19 #include <errno.h>
20 #include <stdio.h>
21 #include <stdlib.h>
22 #include <string.h>
23 #include <sys/socket.h>
24 
25 #include <vector>
26 
27 #include <private/android_filesystem_config.h>
28 
checkGroup(char * buf,gid_t gidToCheck)29 static bool checkGroup(char* buf, gid_t gidToCheck) {
30     char* ptr;
31     static const char ws[] = " \n";
32 
33     for (buf = strtok_r(buf, ws, &ptr); buf; buf = strtok_r(nullptr, ws, &ptr)) {
34         errno = 0;
35         gid_t Gid = strtol(buf, nullptr, 10);
36         if (errno != 0) {
37             return false;
38         }
39         if (Gid == gidToCheck) {
40             return true;
41         }
42     }
43     return false;
44 }
45 
UserIsPrivileged(int id)46 static bool UserIsPrivileged(int id) {
47     return id == AID_ROOT || id == AID_SYSTEM || id == AID_LOG;
48 }
49 
50 // gets a list of supplementary group IDs associated with
51 // the socket peer.  This is implemented by opening
52 // /proc/PID/status and look for the "Group:" line.
53 //
54 // This function introduces races especially since status
55 // can change 'shape' while reading, the net result is err
56 // on lack of permission.
checkSupplementaryGroup(uid_t uid,gid_t gid,pid_t pid,gid_t gidToCheck)57 static bool checkSupplementaryGroup(uid_t uid, gid_t gid, pid_t pid, gid_t gidToCheck) {
58     char filename[256];
59     snprintf(filename, sizeof(filename), "/proc/%u/status", pid);
60 
61     bool ret;
62     bool foundGroup = false;
63     bool foundGid = false;
64     bool foundUid = false;
65 
66     //
67     // Reading /proc/<pid>/status is rife with race conditions. All of /proc
68     // suffers from this and its use should be minimized.
69     //
70     // Notably the content from one 4KB page to the next 4KB page can be from a
71     // change in shape even if we are gracious enough to attempt to read
72     // atomically. getline can not even guarantee a page read is not split up
73     // and in effect can read from different vintages of the content.
74     //
75     // We are finding out in the field that a 'logcat -c' via adb occasionally
76     // is returned with permission denied when we did only one pass and thus
77     // breaking scripts. For security we still err on denying access if in
78     // doubt, but we expect the falses  should be reduced significantly as
79     // three times is a charm.
80     //
81     for (int retry = 3; !(ret = foundGid && foundUid && foundGroup) && retry; --retry) {
82         FILE* file = fopen(filename, "re");
83         if (!file) {
84             continue;
85         }
86 
87         char* line = nullptr;
88         size_t len = 0;
89         while (getline(&line, &len, file) > 0) {
90             static const char groups_string[] = "Groups:\t";
91             static const char uid_string[] = "Uid:\t";
92             static const char gid_string[] = "Gid:\t";
93 
94             if (strncmp(groups_string, line, sizeof(groups_string) - 1) == 0) {
95                 if (checkGroup(line + sizeof(groups_string) - 1, gidToCheck)) {
96                     foundGroup = true;
97                 }
98             } else if (strncmp(uid_string, line, sizeof(uid_string) - 1) == 0) {
99                 uid_t u[4] = { (uid_t)-1, (uid_t)-1, (uid_t)-1, (uid_t)-1 };
100 
101                 sscanf(line + sizeof(uid_string) - 1, "%u\t%u\t%u\t%u", &u[0],
102                        &u[1], &u[2], &u[3]);
103 
104                 // Protect against PID reuse by checking that UID is the same
105                 if ((uid == u[0]) && (uid == u[1]) && (uid == u[2]) &&
106                     (uid == u[3])) {
107                     foundUid = true;
108                 }
109             } else if (strncmp(gid_string, line, sizeof(gid_string) - 1) == 0) {
110                 gid_t g[4] = { (gid_t)-1, (gid_t)-1, (gid_t)-1, (gid_t)-1 };
111 
112                 sscanf(line + sizeof(gid_string) - 1, "%u\t%u\t%u\t%u", &g[0],
113                        &g[1], &g[2], &g[3]);
114 
115                 // Protect against PID reuse by checking that GID is the same
116                 if ((gid == g[0]) && (gid == g[1]) && (gid == g[2]) &&
117                     (gid == g[3])) {
118                     foundGid = true;
119                 }
120             }
121         }
122         free(line);
123         fclose(file);
124     }
125 
126     return ret;
127 }
128 
clientCanWriteSecurityLog(uid_t uid,gid_t gid,pid_t pid)129 bool clientCanWriteSecurityLog(uid_t uid, gid_t gid, pid_t pid) {
130     if (UserIsPrivileged(uid) || UserIsPrivileged(gid)) {
131         return true;
132     }
133     return checkSupplementaryGroup(uid, gid, pid, AID_SECURITY_LOG_WRITER) ||
134            checkSupplementaryGroup(uid, gid, pid, AID_LOG);
135 }
136 
clientHasLogCredentials(uid_t uid,gid_t gid,pid_t pid)137 bool clientHasLogCredentials(uid_t uid, gid_t gid, pid_t pid) {
138     if (UserIsPrivileged(uid) || UserIsPrivileged(gid)) {
139         return true;
140     }
141     // FYI We will typically be here for 'adb logcat'
142     return checkSupplementaryGroup(uid, gid, pid, AID_LOG);
143 }
144 
clientHasLogCredentials(SocketClient * cli)145 bool clientHasLogCredentials(SocketClient* cli) {
146     if (UserIsPrivileged(cli->getUid()) || UserIsPrivileged(cli->getGid())) {
147         return true;
148     }
149 
150     // Kernel version 4.13 added SO_PEERGROUPS to return the supplemental groups of a peer socket,
151     // so try that first then fallback to the above racy checking of /proc/<pid>/status if the
152     // kernel is too old.  Per
153     // https://source.android.com/devices/architecture/kernel/android-common, the fallback can be
154     // removed no earlier than 2024.
155     auto supplemental_groups = std::vector<gid_t>(16, -1);
156     socklen_t groups_size = supplemental_groups.size() * sizeof(gid_t);
157 
158     int result = getsockopt(cli->getSocket(), SOL_SOCKET, SO_PEERGROUPS, supplemental_groups.data(),
159                             &groups_size);
160 
161     if (result != 0) {
162         if (errno != ERANGE) {
163             return clientHasLogCredentials(cli->getUid(), cli->getGid(), cli->getPid());
164         }
165 
166         supplemental_groups.resize(groups_size / sizeof(gid_t), -1);
167         result = getsockopt(cli->getSocket(), SOL_SOCKET, SO_PEERGROUPS, supplemental_groups.data(),
168                             &groups_size);
169 
170         // There is still some error after resizing supplemental_groups, fallback.
171         if (result != 0) {
172             return clientHasLogCredentials(cli->getUid(), cli->getGid(), cli->getPid());
173         }
174     }
175 
176     supplemental_groups.resize(groups_size / sizeof(gid_t), -1);
177     for (const auto& gid : supplemental_groups) {
178         if (UserIsPrivileged(gid)) {
179             return true;
180         }
181     }
182 
183     return false;
184 }
185 
clientIsExemptedFromUserConsent(SocketClient * cli)186 bool clientIsExemptedFromUserConsent(SocketClient* cli) {
187     return cli->getUid() < AID_APP_START;
188 }
189