Use fork/exec instead of system(3)

git-core · git-core · commit f09ab436caad · 2012-07-23T16:08:41.000+04:00
By doing so we may
- move change of identity to the child, so no need to change it back
- drop saved set-user/group-ID safely
  An attacker will gain no more than a process with its ids. As a side effect,
  the code that unsets environment variables becomes useless.
- implement asynchronous wait for child later
diff --git a/activity.c b/activity.c
@@ -15,72 +15,61 @@
 ** limitations under the License.
 */
 
+#include <sys/types.h>
 #include <unistd.h>
 #include <stdlib.h>
+#include <fcntl.h>
+#include <paths.h>
+#include <sys/wait.h>
 
 #include "su.h"
 
 int send_intent(const struct su_context *ctx,
                 const char *socket_path, int allow, const char *action)
 {
-    char command[PATH_MAX];
-    pid_t euid;
-    gid_t egid;
     int rc;
 
-	sprintf(command, "/system/bin/am broadcast -a '%s' --es socket '%s' --ei caller_uid '%d' --ei allow '%d' --ei version_code '%d' > /dev/null",
-			action, socket_path, ctx->from.uid, allow, VERSION_CODE);	
+    pid_t pid = fork();
+    /* Child */
+    if (!pid) {
+        char command[ARG_MAX];
 
-    // before sending the intent, make sure the (uid and euid) and (gid and egid) match,
-    // otherwise LD_LIBRARY_PATH is wiped in Android 4.0+.
-    // Also, sanitize all secure environment variables (from linker_environ.c in linker).
+        snprintf(command, sizeof(command),
+            "exec /system/bin/am broadcast -a %s --es socket '%s' "
+            "--ei caller_uid %d --ei allow %d "
+            "--ei version_code %d",
+            action, socket_path, ctx->from.uid, allow, VERSION_CODE);
+        char *args[] = { "sh", "-c", command, NULL, };
 
-    /* The same list than GLibc at this point */
-    static const char* const unsec_vars[] = {
-        "GCONV_PATH",
-        "GETCONF_DIR",
-        "HOSTALIASES",
-        "LD_AUDIT",
-        "LD_DEBUG",
-        "LD_DEBUG_OUTPUT",
-        "LD_DYNAMIC_WEAK",
-        "LD_LIBRARY_PATH",
-        "LD_ORIGIN_PATH",
-        "LD_PRELOAD",
-        "LD_PROFILE",
-        "LD_SHOW_AUXV",
-        "LD_USE_LOAD_BIAS",
-        "LOCALDOMAIN",
-        "LOCPATH",
-        "MALLOC_TRACE",
-        "MALLOC_CHECK_",
-        "NIS_PATH",
-        "NLSPATH",
-        "RESOLV_HOST_CONF",
-        "RES_OPTIONS",
-        "TMPDIR",
-        "TZDIR",
-        "LD_AOUT_LIBRARY_PATH",
-        "LD_AOUT_PRELOAD",
-        // not listed in linker, used due to system() call
-        "IFS",
-    };
-    const char* const* cp   = unsec_vars;
-    const char* const* endp = cp + sizeof(unsec_vars)/sizeof(unsec_vars[0]);
-    while (cp < endp) {
-        unsetenv(*cp);
-        cp++;
+        /*
+         * before sending the intent, make sure the effective uid/gid match
+         * the real uid/gid, otherwise LD_LIBRARY_PATH is wiped
+         * in Android 4.0+.
+         */
+        set_identity(ctx->from.uid);
+        int zero = open("/dev/zero", O_RDONLY | O_CLOEXEC);
+        dup2(zero, 0);
+        int null = open("/dev/null", O_WRONLY | O_CLOEXEC);
+        dup2(null, 1);
+        dup2(null, 2);
+        LOGD("Executing %s\n", command);
+        execv(_PATH_BSHELL, args);
+        PLOGE("exec am");
+        _exit(EXIT_FAILURE);
     }
-
-    // sane value so "am" works
-    setenv("LD_LIBRARY_PATH", "/vendor/lib:/system/lib", 1);
-    euid = geteuid();
-    egid = getegid();
-    setegid(getgid());
-    seteuid(getuid());
-    rc = system(command);
-    seteuid(0);
-    setegid(egid);
-    seteuid(euid);
-	return rc;
+    /* Parent */
+    if (pid < 0) {
+        PLOGE("fork");
+        return -1;
+    }
+    pid = waitpid(pid, &rc, 0);
+    if (pid < 0) {
+        PLOGE("waitpid");
+        return -1;
+    }
+    if (!WIFEXITED(rc) || WEXITSTATUS(rc)) {
+        LOGE("am returned error %d\n", rc);
+        return -1;
+    }
+    return 0;
 }
diff --git a/su.c b/su.c
@@ -123,6 +123,26 @@ static void populate_environment(const struct su_context *ctx)
     }
 }
 
+void set_identity(unsigned int uid)
+{
+    /*
+     * Set effective uid back to root, otherwise setres[ug]id will fail
+     * if uid isn't root.
+     */
+    if (seteuid(0)) {
+        PLOGE("seteuid (root)");
+        exit(EXIT_FAILURE);
+    }
+    if (setresgid(uid, uid, uid)) {
+        PLOGE("setresgid (%u)", uid);
+        exit(EXIT_FAILURE);
+    }
+    if (setresuid(uid, uid, uid)) {
+        PLOGE("setresuid (%u)", uid);
+        exit(EXIT_FAILURE);
+    }
+}
+
 static void socket_cleanup(void)
 {
     unlink(socket_path);
@@ -308,25 +328,8 @@ static void allow(const struct su_context *ctx)
         arg0 = p;
     }
 
-    /*
-     * Set effective uid back to root, otherwise setres[ug]id will fail
-     * if ctx->to.uid isn't root.
-     */
-    if (seteuid(0)) {
-        PLOGE("seteuid (root)");
-        exit(EXIT_FAILURE);
-    }
-
     populate_environment(ctx);
-
-    if (setresgid(ctx->to.uid, ctx->to.uid, ctx->to.uid)) {
-        PLOGE("setresgid (%u)", ctx->to.uid);
-        exit(EXIT_FAILURE);
-    }
-    if (setresuid(ctx->to.uid, ctx->to.uid, ctx->to.uid)) {
-        PLOGE("setresuid (%u)", ctx->to.uid);
-        exit(EXIT_FAILURE);
-    }
+	set_identity(ctx->to.uid);
 
 #define PARG(arg)									\
     (ctx->to.optind + (arg) < ctx->to.argc) ? " " : "",					\
@@ -498,6 +501,11 @@ int main(int argc, char *argv[])
         }
     }
 
+    /*
+     * set LD_LIBRARY_PATH if the linker has wiped out it due to we're suid.
+     * This occurs on Android 4.0+
+     */
+    setenv("LD_LIBRARY_PATH", "/vendor/lib:/system/lib", 0);
     if (ctx.from.uid == AID_ROOT || ctx.from.uid == AID_SHELL)
         allow(&ctx);
 
diff --git a/su.h b/su.h
@@ -79,7 +79,7 @@ enum {
 };
 
 extern int database_check(const struct su_context *ctx);
-
+extern void set_identity(unsigned int uid);
 extern int send_intent(const struct su_context *ctx,
                        const char *socket_path, int allow, const char *action);
 
