1*d9ecfb0fSAndroid Build Coastguard Worker /*
2*d9ecfb0fSAndroid Build Coastguard Worker * Copyright (C) 2023 The Android Open Source Project
3*d9ecfb0fSAndroid Build Coastguard Worker *
4*d9ecfb0fSAndroid Build Coastguard Worker * Licensed under the Apache License, Version 2.0 (the "License");
5*d9ecfb0fSAndroid Build Coastguard Worker * you may not use this file except in compliance with the License.
6*d9ecfb0fSAndroid Build Coastguard Worker * You may obtain a copy of the License at
7*d9ecfb0fSAndroid Build Coastguard Worker *
8*d9ecfb0fSAndroid Build Coastguard Worker * http://www.apache.org/licenses/LICENSE-2.0
9*d9ecfb0fSAndroid Build Coastguard Worker *
10*d9ecfb0fSAndroid Build Coastguard Worker * Unless required by applicable law or agreed to in writing, software
11*d9ecfb0fSAndroid Build Coastguard Worker * distributed under the License is distributed on an "AS IS" BASIS,
12*d9ecfb0fSAndroid Build Coastguard Worker * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13*d9ecfb0fSAndroid Build Coastguard Worker * See the License for the specific language governing permissions and
14*d9ecfb0fSAndroid Build Coastguard Worker * limitations under the License.
15*d9ecfb0fSAndroid Build Coastguard Worker */
16*d9ecfb0fSAndroid Build Coastguard Worker
17*d9ecfb0fSAndroid Build Coastguard Worker #include <fcntl.h>
18*d9ecfb0fSAndroid Build Coastguard Worker #include <grp.h>
19*d9ecfb0fSAndroid Build Coastguard Worker #include <selinux/selinux.h>
20*d9ecfb0fSAndroid Build Coastguard Worker #include <signal.h>
21*d9ecfb0fSAndroid Build Coastguard Worker #include <stdio.h>
22*d9ecfb0fSAndroid Build Coastguard Worker #include <string.h>
23*d9ecfb0fSAndroid Build Coastguard Worker #include <sys/prctl.h>
24*d9ecfb0fSAndroid Build Coastguard Worker #include <unistd.h>
25*d9ecfb0fSAndroid Build Coastguard Worker
26*d9ecfb0fSAndroid Build Coastguard Worker #include "android_filesystem_config.h"
27*d9ecfb0fSAndroid Build Coastguard Worker #include "seccomp_policy.h"
28*d9ecfb0fSAndroid Build Coastguard Worker
/**
 * Switches the process to the given group identity.
 *
 * The supplementary group list is replaced with {gid, AID_EVERYBODY,
 * AID_MISC}, then the real, effective and saved GID are all set to gid.
 * Both calls need group-changing privilege, so this must run before the
 * UID is dropped.
 *
 * @param gid primary group to assume.
 * @return true when both setgroups() and setresgid() succeed; false (with a
 *         message on stderr) as soon as either fails.
 */
static bool set_groups(const gid_t gid) {
    const gid_t supplementary[] = {gid, AID_EVERYBODY, AID_MISC};
    const size_t count = sizeof(supplementary) / sizeof(supplementary[0]);

    // Replace the whole supplementary list so nothing is inherited from the caller.
    const int groups_rc = setgroups(count, supplementary);
    if (groups_rc != 0) {
        fprintf(stderr, "setgroups failed\n");
        return false;
    }

    // Set real, effective and saved GID together so the old GID cannot be regained.
    const int gid_rc = setresgid(gid, gid, gid);
    if (gid_rc != 0) {
        fprintf(stderr, "setresgid failed\n");
        return false;
    }

    return true;
}
45*d9ecfb0fSAndroid Build Coastguard Worker
/**
 * Drops the process to the given user identity and arms a parent-death kill.
 *
 * @param uid user to assume; real, effective and saved UID are all set to it.
 * @return true when both setresuid() and prctl() succeed; false (with a
 *         message on stderr) as soon as either fails.
 */
static bool set_user(const uid_t uid) {
    // Set all three UIDs so the previous identity cannot be regained.
    const bool uid_dropped = (setresuid(uid, uid, uid) == 0);
    if (!uid_dropped) {
        fprintf(stderr, "setresuid failed\n");
        return false;
    }

    // Ask the kernel to SIGKILL this process when its parent dies. This is
    // armed after setresuid() because the kernel clears the parent-death
    // signal when the effective UID changes.
    const int pdeathsig_rc = prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
    if (pdeathsig_rc != 0) {
        fprintf(stderr, "prctl failed\n");
        return false;
    }

    return true;
}
59*d9ecfb0fSAndroid Build Coastguard Worker
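/**
 * Confines the process like an untrusted app: AID_APP_START groups, the app
 * seccomp filter, AID_APP_START user, then the untrusted_app SELinux context.
 *
 * The steps run from most to least privileged: group changes and filter
 * installation happen before the UID is dropped.
 *
 * @return true only if every step succeeded, including the SELinux context
 *         switch; false otherwise (each failing step reports on stderr,
 *         except set_app_seccomp_filter(), whose reporting is not visible
 *         from this file).
 */
static bool enter_app_sandbox() {
    if (!set_groups(AID_APP_START)) {
        return false;
    }

    // NOTE(review): declared in seccomp_policy.h; presumably installs the app
    // seccomp policy. Confirm it still permits the syscalls used below.
    if (!set_app_seccomp_filter()) {
        return false;
    }

    if (!set_user(AID_APP_START)) {
        return false;
    }

    // TODO: figure out the correct value or make this configurable.
    // The result must be checked: if the transition fails, the process keeps
    // its original SELinux domain, and reporting success would make any later
    // access check run with more privilege than an untrusted app has.
    if (setcon("u:r:untrusted_app:s0:c512,c768") != 0) {
        fprintf(stderr, "setcon failed\n");
        return false;
    }

    return true;
}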
78*d9ecfb0fSAndroid Build Coastguard Worker
/**
 * Confines the process like a system-UID process: AID_SYSTEM groups, the
 * system seccomp filter, then AID_SYSTEM user.
 *
 * Unlike enter_app_sandbox(), no SELinux context switch is made here, so the
 * process keeps whatever domain it was started in.
 *
 * @return true only if all three steps succeeded; false as soon as one fails.
 */
static bool enter_system_sandbox() {
    // Short-circuit evaluation keeps the original order and stops at the
    // first failure: groups, then seccomp filter, then UID drop.
    return set_groups(AID_SYSTEM) &&
           set_system_seccomp_filter() &&
           set_user(AID_SYSTEM);
}
94*d9ecfb0fSAndroid Build Coastguard Worker
/**
 * Writes the command-line synopsis to stderr.
 *
 * @param argv program argument vector; only argv[0] (the program name) is read.
 */
void print_usage(char** argv) {
    const char* const program = argv[0];
    fprintf(stderr, "usage: %s <app|system> <file>\n", program);
}
98*d9ecfb0fSAndroid Build Coastguard Worker
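/**
 * Sandbox access probe: enters the requested sandbox ("app" or "system") and
 * then tries to open the given file read-only.
 *
 * Exit status is 0 when the file could be opened from inside the sandbox and
 * 1 otherwise. Status 1 also covers usage errors and sandbox setup failures,
 * so a caller using this as an access check can only tell "denied" apart from
 * "sandbox never entered" by the message on stderr.
 *
 * @param argc must be 3.
 * @param argv argv[1] selects the sandbox, argv[2] is the path to open.
 */
int main(int argc, char** argv) {
    if (argc != 3) {
        print_usage(argv);
        return 1;
    }

    const char* const mode = argv[1];
    const char* const path = argv[2];

    if (strcmp(mode, "app") == 0) {
        if (!enter_app_sandbox()) {
            return 1;
        }
    } else if (strcmp(mode, "system") == 0) {
        if (!enter_system_sandbox()) {
            return 1;
        }
    } else {
        print_usage(argv);
        return 1;
    }

    // The open happens only after confinement, so its result reflects what
    // the sandboxed identity is allowed to read.
    const int fd = open(path, O_RDONLY);
    if (fd == -1) {
        // NOTE(review): errno is not reported, so a policy denial and a
        // missing file produce the same message.
        fprintf(stderr, "failed to open %s\n", path);
        return 1;
    }

    // Only the success of open() matters; release the descriptor instead of
    // leaking it until exit.
    close(fd);

    return 0;
}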