1 /*
2  * Copyright (C) 2010 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 package android.tests.getinfo;
18 
19 import java.io.File;
20 import java.io.FileNotFoundException;
21 import java.util.ArrayList;
22 import java.util.List;
23 import java.util.Scanner;
24 import java.util.regex.Pattern;
25 
26 /** Crawls /proc to find processes that are running as root. */
27 class RootProcessScanner {
28 
29     /** Processes that are allowed to run as root. */
30     private static final Pattern ROOT_PROCESS_ALLOWLIST_PATTERN = getRootProcessAllowlistPattern(
31             "debuggerd",
32             "debuggerd64",
33             "healthd",
34             "init",
35             "installd",
36             "lmkd",
37             "netd",
38             "servicemanager",
39             "ueventd",
40             "vold",
41             "watchdogd",
42             "zygote"
43     );
44 
45     /** Combine the individual patterns into one super pattern. */
getRootProcessAllowlistPattern(String... patterns)46     private static Pattern getRootProcessAllowlistPattern(String... patterns) {
47         StringBuilder rootProcessPattern = new StringBuilder();
48         for (int i = 0; i < patterns.length; i++) {
49             rootProcessPattern.append(patterns[i]);
50             if (i + 1 < patterns.length) {
51                 rootProcessPattern.append('|');
52             }
53         }
54         return Pattern.compile(rootProcessPattern.toString());
55     }
56 
57     /** Test that there are no unapproved root processes running on the system. */
getRootProcesses()58     public static String[] getRootProcesses()
59             throws FileNotFoundException, MalformedStatMException {
60         List<File> rootProcessDirs = getRootProcessDirs();
61         String[] rootProcessNames = new String[rootProcessDirs.size()];
62         for (int i = 0; i < rootProcessNames.length; i++) {
63             rootProcessNames[i] = getProcessName(rootProcessDirs.get(i));
64         }
65         return rootProcessNames;
66     }
67 
getRootProcessDirs()68     private static List<File> getRootProcessDirs()
69             throws FileNotFoundException, MalformedStatMException {
70         File proc = new File("/proc");
71         if (!proc.exists()) {
72             throw new FileNotFoundException(proc + " is missing (man 5 proc)");
73         }
74 
75         List<File> rootProcesses = new ArrayList<File>();
76         File[] processDirs = proc.listFiles();
77         if (processDirs != null && processDirs.length > 0) {
78             for (File processDir : processDirs) {
79                 if (isUnapprovedRootProcess(processDir)) {
80                     rootProcesses.add(processDir);
81                 }
82             }
83         }
84         return rootProcesses;
85     }
86 
87     /**
88      * Filters out processes in /proc that are not approved.
89      * @throws FileNotFoundException
90      * @throws MalformedStatMException
91      */
isUnapprovedRootProcess(File pathname)92     private static boolean isUnapprovedRootProcess(File pathname)
93             throws FileNotFoundException, MalformedStatMException {
94         return isPidDirectory(pathname)
95                 && !isKernelProcess(pathname)
96                 && isRootProcess(pathname);
97     }
98 
isPidDirectory(File pathname)99     private static boolean isPidDirectory(File pathname) {
100         return pathname.isDirectory() && Pattern.matches("\\d+", pathname.getName());
101     }
102 
isKernelProcess(File processDir)103     private static boolean isKernelProcess(File processDir)
104             throws FileNotFoundException, MalformedStatMException {
105         File statm = getProcessStatM(processDir);
106         Scanner scanner = null;
107         try {
108             scanner = new Scanner(statm);
109 
110             boolean allZero = true;
111             for (int i = 0; i < 7; i++) {
112                 if (scanner.nextInt() != 0) {
113                     allZero = false;
114                 }
115             }
116 
117             if (scanner.hasNext()) {
118                 throw new MalformedStatMException(processDir
119                         + " statm expected to have 7 integers (man 5 proc)");
120             }
121 
122             return allZero;
123         } finally {
124             if (scanner != null) {
125                 scanner.close();
126             }
127         }
128     }
129 
getProcessStatM(File processDir)130     private static File getProcessStatM(File processDir) {
131         return new File(processDir, "statm");
132     }
133 
134     public static class MalformedStatMException extends Exception {
MalformedStatMException(String detailMessage)135         MalformedStatMException(String detailMessage) {
136             super(detailMessage);
137         }
138     }
139 
140     /**
141      * Return whether or not this process is running as root without being approved.
142      *
143      * @param processDir with the status file
144      * @return whether or not it is a unallowlisted root process
145      * @throws FileNotFoundException
146      */
isRootProcess(File processDir)147     private static boolean isRootProcess(File processDir) throws FileNotFoundException {
148         File status = getProcessStatus(processDir);
149         Scanner scanner = null;
150         try {
151             scanner = new Scanner(status);
152 
153             findToken(scanner, "Name:");
154             String name = scanner.next();
155 
156             findToken(scanner, "Uid:");
157             boolean rootUid = hasRootId(scanner);
158 
159             findToken(scanner, "Gid:");
160             boolean rootGid = hasRootId(scanner);
161 
162             return !ROOT_PROCESS_ALLOWLIST_PATTERN.matcher(name).matches()
163                     && (rootUid || rootGid);
164         } finally {
165             if (scanner != null) {
166                 scanner.close();
167             }
168         }
169     }
170 
171     /**
172      * Get the status {@link File} that has name:value pairs.
173      * <pre>
174      * Name:   init
175      * ...
176      * Uid:    0       0       0       0
177      * Gid:    0       0       0       0
178      * </pre>
179      */
getProcessStatus(File processDir)180     private static File getProcessStatus(File processDir) {
181         return new File(processDir, "status");
182     }
183 
184     /**
185      * Convenience method to move the scanner's position to the point after the given token.
186      *
187      * @param scanner to call next() until the token is found
188      * @param token to find like "Name:"
189      */
findToken(Scanner scanner, String token)190     private static void findToken(Scanner scanner, String token) {
191         while (true) {
192             String next = scanner.next();
193             if (next.equals(token)) {
194                 return;
195             }
196         }
197 
198         // Scanner will exhaust input and throw an exception before getting here.
199     }
200 
201     /**
202      * Uid and Gid lines have four values: "Uid:    0       0       0       0"
203      *
204      * @param scanner that has just processed the "Uid:" or "Gid:" token
205      * @return whether or not any of the ids are root
206      */
hasRootId(Scanner scanner)207     private static boolean hasRootId(Scanner scanner) {
208         int realUid = scanner.nextInt();
209         int effectiveUid = scanner.nextInt();
210         int savedSetUid = scanner.nextInt();
211         int fileSystemUid = scanner.nextInt();
212         return realUid == 0 || effectiveUid == 0 || savedSetUid == 0 || fileSystemUid == 0;
213     }
214 
215     /** Returns the name of the process corresponding to its process directory in /proc. */
getProcessName(File processDir)216     private static String getProcessName(File processDir) throws FileNotFoundException {
217         File status = getProcessStatus(processDir);
218         Scanner scanner = new Scanner(status);
219         try {
220             findToken(scanner, "Name:");
221             return scanner.next();
222         } finally {
223             scanner.close();
224         }
225     }
226 }
227