1 /*
2 * Copyright (C) 2015 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #define TRACE_TAG ADB
18
19 #include "sysdeps.h"
20
21 #include <errno.h>
22 #include <getopt.h>
23 #include <malloc.h>
24 #include <signal.h>
25 #include <stdio.h>
26 #include <stdlib.h>
27 #include <sys/capability.h>
28 #include <sys/prctl.h>
29
30 #include <memory>
31 #include <vector>
32
33 #include <android-base/logging.h>
34 #include <android-base/macros.h>
35 #include <android-base/properties.h>
36 #include <android-base/stringprintf.h>
37 #include <android-base/strings.h>
38
39 #if defined(__ANDROID__)
40 #include <libminijail.h>
41 #include <log/log_properties.h>
42 #include <scoped_minijail.h>
43
44 #include <private/android_filesystem_config.h>
45 #include "selinux/android.h"
46 #endif
47
48 #include "adb.h"
49 #include "adb_auth.h"
50 #include "adb_listeners.h"
51 #include "adb_utils.h"
52 #include "adb_wifi.h"
53 #include "socket_spec.h"
54 #include "transport.h"
55
56 #include "daemon/jdwp_service.h"
57 #include "daemon/mdns.h"
58 #include "daemon/watchdog.h"
59
60 #if defined(__ANDROID__)
61 static const char* root_seclabel = nullptr;
62
should_drop_privileges()63 static bool should_drop_privileges() {
64 // The properties that affect `adb root` and `adb unroot` are ro.secure and
65 // ro.debuggable. In this context the names don't make the expected behavior
66 // particularly obvious.
67 //
68 // ro.debuggable:
69 // Allowed to become root, but not necessarily the default. Set to 1 on
70 // eng and userdebug builds.
71 //
72 // ro.secure:
73 // Drop privileges by default. Set to 1 on userdebug and user builds.
74 bool ro_secure = android::base::GetBoolProperty("ro.secure", true);
75 bool ro_debuggable = __android_log_is_debuggable();
76
77 // Drop privileges if ro.secure is set...
78 bool drop = ro_secure;
79
80 // ... except "adb root" lets you keep privileges in a debuggable build.
81 std::string prop = android::base::GetProperty("service.adb.root", "");
82 bool adb_root = (prop == "1");
83 bool adb_unroot = (prop == "0");
84 if (ro_debuggable && adb_root) {
85 drop = false;
86 }
87 // ... and "adb unroot" lets you explicitly drop privileges.
88 if (adb_unroot) {
89 drop = true;
90 }
91
92 return drop;
93 }
94
drop_privileges(int server_port)95 static void drop_privileges(int server_port) {
96 ScopedMinijail jail(minijail_new());
97
98 // Add extra groups:
99 // AID_ADB to access the USB driver
100 // AID_LOG to read system logs (adb logcat)
101 // AID_INPUT to diagnose input issues (getevent)
102 // AID_INET to diagnose network issues (ping)
103 // AID_NET_BT and AID_NET_BT_ADMIN to diagnose bluetooth (hcidump)
104 // AID_SDCARD_R to allow reading from the SD card
105 // AID_SDCARD_RW to allow writing to the SD card
106 // AID_NET_BW_STATS to read out qtaguid statistics
107 // AID_READPROC for reading /proc entries across UID boundaries
108 // AID_UHID for using 'hid' command to read/write to /dev/uhid
109 // AID_EXT_DATA_RW for writing to /sdcard/Android/data (devices without sdcardfs)
110 // AID_EXT_OBB_RW for writing to /sdcard/Android/obb (devices without sdcardfs)
111 // AID_READTRACEFS for reading tracefs entries
112 gid_t groups[] = {AID_ADB, AID_LOG, AID_INPUT, AID_INET,
113 AID_NET_BT, AID_NET_BT_ADMIN, AID_SDCARD_R, AID_SDCARD_RW,
114 AID_NET_BW_STATS, AID_READPROC, AID_UHID, AID_EXT_DATA_RW,
115 AID_EXT_OBB_RW, AID_READTRACEFS};
116 minijail_set_supplementary_gids(jail.get(), arraysize(groups), groups);
117
118 // Don't listen on a port (default 5037) if running in secure mode.
119 // Don't run as root if running in secure mode.
120 if (should_drop_privileges()) {
121 const bool should_drop_caps = !__android_log_is_debuggable();
122
123 if (should_drop_caps) {
124 // CAP_SETUI and CAP_SETGID are required for change_uid and change_gid calls below.
125 // CAP_SYS_NICE needs to be in the bounding set of adbd for sh spawned from `adb shell`
126 // to also have it in the bounding set. This in turn is required to be able to launch
127 // VMs from shell (e.g. adb shell /apex/com.android.virt/bin/vm run-microdroid).
128 // Full fork+execve chain looks like this:
129 // adbd (CapBnd: CAP_SYS_NICE) -> /system/bin/sh (CapBnd: CAP_SYS_NICE) ->
130 // /apex/com.android.virt/bin/vm (CapBnd: CAP_SYS_NICE) ->
131 // virtmngr (CapBnd: CAP_SYS_NICE) -> crosvm (CapEff: CAP_SYS_NICE).
132 // Note: the adbd will drop it's effective capabilities several lines below, while the
133 // /system/bin/sh process spawned from adbd will run as non-root uid, hence won't be
134 // able to use the CAP_SYS_NICE capability in the first place.
135 minijail_use_caps(jail.get(), CAP_TO_MASK(CAP_SETUID) | CAP_TO_MASK(CAP_SETGID) |
136 CAP_TO_MASK(CAP_SYS_NICE));
137 }
138
139 minijail_change_gid(jail.get(), AID_SHELL);
140 minijail_change_uid(jail.get(), AID_SHELL);
141 // minijail_enter() will abort if any priv-dropping step fails.
142 minijail_enter(jail.get());
143
144 // Whenever ambient capabilities are being used, minijail cannot
145 // simultaneously drop the bounding capability set to just
146 // CAP_SETUID|CAP_SETGID while clearing the inheritable, effective,
147 // and permitted sets. So we need to do that in two steps.
148 using ScopedCaps =
149 std::unique_ptr<std::remove_pointer<cap_t>::type, std::function<void(cap_t)>>;
150 ScopedCaps caps(cap_get_proc(), &cap_free);
151 if (cap_clear_flag(caps.get(), CAP_INHERITABLE) == -1) {
152 PLOG(FATAL) << "cap_clear_flag(INHERITABLE) failed";
153 }
154 if (cap_clear_flag(caps.get(), CAP_EFFECTIVE) == -1) {
155 PLOG(FATAL) << "cap_clear_flag(EFFECTIVE) failed";
156 }
157 if (cap_clear_flag(caps.get(), CAP_PERMITTED) == -1) {
158 PLOG(FATAL) << "cap_clear_flag(PEMITTED) failed";
159 }
160 if (cap_set_proc(caps.get()) != 0) {
161 PLOG(FATAL) << "cap_set_proc() failed";
162 }
163
164 D("Local port disabled");
165 } else {
166 // minijail_enter() will abort if any priv-dropping step fails.
167 minijail_enter(jail.get());
168
169 if (root_seclabel != nullptr) {
170 if (selinux_android_setcon(root_seclabel) < 0) {
171 // If we failed to become root, don't try again to avoid a
172 // restart loop.
173 android::base::SetProperty("service.adb.root", "0");
174 LOG(FATAL) << "Could not set SELinux context";
175 }
176 }
177 }
178 }
179 #endif
180
setup_adb(const std::vector<std::string> & addrs)181 static void setup_adb(const std::vector<std::string>& addrs) {
182 #if defined(__ANDROID__)
183 // Get the first valid port from addrs and setup mDNS.
184 int port = -1;
185 std::string error;
186 for (const auto& addr : addrs) {
187 port = get_host_socket_spec_port(addr, &error);
188 if (port != -1) {
189 break;
190 }
191 }
192 if (port == -1) {
193 port = DEFAULT_ADB_LOCAL_TRANSPORT_PORT;
194 }
195 LOG(INFO) << "Setup mdns on port= " << port;
196 setup_mdns(port);
197 #endif
198 for (const auto& addr : addrs) {
199 LOG(INFO) << "adbd listening on " << addr;
200 local_init(addr);
201 }
202 }
203
adbd_main(int server_port)204 int adbd_main(int server_port) {
205 umask(0);
206
207 signal(SIGPIPE, SIG_IGN);
208
209 // We need to call this even if auth isn't enabled because the file
210 // descriptor will always be open.
211 adbd_cloexec_auth_socket();
212
213 #if defined(__ANDROID__)
214 bool device_unlocked = android::base::GetProperty("ro.boot.verifiedbootstate", "") == "orange";
215 if (device_unlocked || __android_log_is_debuggable()) {
216 #if defined(__ANDROID_RECOVERY__)
217 auth_required = false; // Bypass authorization when the device transitions to
218 // fastbootd (from recovery). A corrupt userdata image can potentially
219 // result in the device falling into rescue, and a subsequent fastboot
220 // state should not require authorization - otherwise, it will force the
221 // need for manual intervention(b/188703874).
222 #else
223 // If we're on userdebug/eng or the device is unlocked, permit no-authentication.
224 auth_required = android::base::GetBoolProperty("ro.adb.secure", false);
225 #endif
226 }
227 #endif
228
229 // Our external storage path may be different than apps, since
230 // we aren't able to bind mount after dropping root.
231 const char* adb_external_storage = getenv("ADB_EXTERNAL_STORAGE");
232 if (adb_external_storage != nullptr) {
233 setenv("EXTERNAL_STORAGE", adb_external_storage, 1);
234 } else {
235 D("Warning: ADB_EXTERNAL_STORAGE is not set. Leaving EXTERNAL_STORAGE"
236 " unchanged.\n");
237 }
238
239 #if defined(__ANDROID__)
240 drop_privileges(server_port);
241 #endif
242
243 #if defined(__ANDROID__)
244 // A thread gets spawned as a side-effect of initializing the watchdog, so it needs to happen
245 // after we drop privileges.
246 watchdog::Initialize();
247 #endif
248
249 // adbd_auth_init will spawn a thread, so we need to defer it until after selinux transitions.
250 adbd_auth_init();
251
252 bool is_usb = false;
253
254 #if defined(__ANDROID__)
255 if (access(USB_FFS_ADB_EP0, F_OK) == 0) {
256 // Listen on USB.
257 usb_init();
258 is_usb = true;
259 }
260 #endif
261
262 // If one of these properties is set, also listen on that port.
263 // If one of the properties isn't set and we couldn't listen on usb, listen
264 // on the default port.
265 std::vector<std::string> addrs;
266 std::string prop_addr = android::base::GetProperty("service.adb.listen_addrs", "");
267 if (prop_addr.empty()) {
268 std::string prop_port = android::base::GetProperty("service.adb.tcp.port", "");
269 if (prop_port.empty()) {
270 prop_port = android::base::GetProperty("persist.adb.tcp.port", "");
271 }
272
273 #if !defined(__ANDROID__)
274 if (prop_port.empty() && getenv("ADBD_PORT")) {
275 prop_port = getenv("ADBD_PORT");
276 }
277 #endif
278
279 int port;
280 if (sscanf(prop_port.c_str(), "%d", &port) == 1 && port > 0) {
281 D("using tcp port=%d", port);
282 // Listen on TCP and VSOCK port specified by service.adb.tcp.port property.
283 addrs.push_back(android::base::StringPrintf("tcp:%d", port));
284 addrs.push_back(android::base::StringPrintf("vsock:%d", port));
285 setup_adb(addrs);
286 } else if (!is_usb) {
287 // Listen on default port.
288 addrs.push_back(
289 android::base::StringPrintf("tcp:%d", DEFAULT_ADB_LOCAL_TRANSPORT_PORT));
290 addrs.push_back(
291 android::base::StringPrintf("vsock:%d", DEFAULT_ADB_LOCAL_TRANSPORT_PORT));
292 setup_adb(addrs);
293 }
294 } else {
295 addrs = android::base::Split(prop_addr, ",");
296 setup_adb(addrs);
297 }
298
299 LOG(INFO) << "adbd started";
300
301 D("adbd_main(): pre init_jdwp()");
302 init_jdwp();
303 D("adbd_main(): post init_jdwp()");
304
305 D("Event loop starting");
306 fdevent_loop();
307
308 return 0;
309 }
310
main(int argc,char ** argv)311 int main(int argc, char** argv) {
312 #if defined(__BIONIC__)
313 // Set M_DECAY_TIME so that our allocations aren't immediately purged on free.
314 mallopt(M_DECAY_TIME, 1);
315 #endif
316
317 while (true) {
318 static struct option opts[] = {
319 {"root_seclabel", required_argument, nullptr, 's'},
320 {"device_banner", required_argument, nullptr, 'b'},
321 {"version", no_argument, nullptr, 'v'},
322 {"logpostfsdata", no_argument, nullptr, 'l'},
323 {nullptr, no_argument, nullptr, 0},
324 };
325
326 int option_index = 0;
327 int c = getopt_long(argc, argv, "", opts, &option_index);
328 if (c == -1) {
329 break;
330 }
331
332 switch (c) {
333 #if defined(__ANDROID__)
334 case 's':
335 root_seclabel = optarg;
336 break;
337 #endif
338 case 'b':
339 adb_device_banner = optarg;
340 break;
341 case 'v':
342 printf("Android Debug Bridge Daemon version %d.%d.%d\n", ADB_VERSION_MAJOR,
343 ADB_VERSION_MINOR, ADB_SERVER_VERSION);
344 return 0;
345 case 'l':
346 LOG(ERROR) << "post-fs-data triggered";
347 return 0;
348 default:
349 // getopt already prints "adbd: invalid option -- %c" for us.
350 return 1;
351 }
352 }
353
354 close_stdin();
355
356 adb_trace_init(argv);
357
358 D("Handling main()");
359 return adbd_main(DEFAULT_ADB_PORT);
360 }
361