Farhan/openssh
| Revisión | 2f1b934246c78321625e8cb5af8a48ea2c09992f (tree) |
|---|---|
| Tiempo | 2012-02-09 03:13:07 |
| Autor | Mike Lockwood <lockwood@goog...> |
| Commiter | Mike Lockwood |
Add extra groups and capabilities to shell user
This allows things like logcat, reboot, internet, SD card access, etc. to
work in an ssh shell like it would in an adb shell.
Change-Id: I6c921d9900a09394250c7b1ae0512d1eef3c1187
Signed-off-by: Mike Lockwood <lockwood@google.com>
| @@ -27,6 +27,12 @@ | ||
| 27 | 27 | #include "uidswap.h" |
| 28 | 28 | #include "xmalloc.h" |
| 29 | 29 | |
| 30 | +#ifdef ANDROID | |
| 31 | +#include <private/android_filesystem_config.h> | |
| 32 | +#include <linux/capability.h> | |
| 33 | +#include <linux/prctl.h> | |
| 34 | +#endif | |
| 35 | + | |
| 30 | 36 | /* |
| 31 | 37 | * Note: all these functions must work in all of the following cases: |
| 32 | 38 | * 1. euid=0, ruid=0 |
| @@ -212,6 +218,10 @@ permanently_set_uid(struct passwd *pw) | ||
| 212 | 218 | { |
| 213 | 219 | uid_t old_uid = getuid(); |
| 214 | 220 | gid_t old_gid = getgid(); |
| 221 | +#ifdef ANDROID | |
| 222 | + struct __user_cap_header_struct header; | |
| 223 | + struct __user_cap_data_struct cap; | |
| 224 | +#endif | |
| 215 | 225 | |
| 216 | 226 | if (pw == NULL) |
| 217 | 227 | fatal("permanently_set_uid: no user given"); |
| @@ -220,6 +230,27 @@ permanently_set_uid(struct passwd *pw) | ||
| 220 | 230 | debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid, |
| 221 | 231 | (u_int)pw->pw_gid); |
| 222 | 232 | |
| 233 | +#ifdef ANDROID | |
| 234 | + if (pw->pw_uid == AID_SHELL) { | |
| 235 | + prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0); | |
| 236 | + | |
| 237 | + /* add extra groups needed for shell user: | |
| 238 | + ** AID_LOG to read system logs (adb logcat) | |
| 239 | + ** AID_INPUT to diagnose input issues (getevent) | |
| 240 | + ** AID_INET to diagnose network issues (netcfg, ping) | |
| 241 | + ** AID_GRAPHICS to access the frame buffer | |
| 242 | + ** AID_NET_BT and AID_NET_BT_ADMIN to diagnose bluetooth (hcidump) | |
| 243 | + ** AID_SDCARD_RW to allow writing to the SD card | |
| 244 | + ** AID_MOUNT to allow unmounting the SD card before rebooting | |
| 245 | + ** AID_NET_BW_STATS to read out qtaguid statistics | |
| 246 | + */ | |
| 247 | + gid_t groups[] = { AID_LOG, AID_INPUT, AID_INET, AID_GRAPHICS, | |
| 248 | + AID_NET_BT, AID_NET_BT_ADMIN, AID_SDCARD_RW, | |
| 249 | + AID_MOUNT, AID_NET_BW_STATS }; | |
| 250 | + setgroups(sizeof(groups)/sizeof(groups[0]), groups); | |
| 251 | + } | |
| 252 | +#endif | |
| 253 | + | |
| 223 | 254 | #if defined(HAVE_SETRESGID) && !defined(BROKEN_SETRESGID) |
| 224 | 255 | if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) < 0) |
| 225 | 256 | fatal("setresgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno)); |
| @@ -285,4 +316,16 @@ permanently_set_uid(struct passwd *pw) | ||
| 285 | 316 | __func__, (u_int)getuid(), (u_int)geteuid(), |
| 286 | 317 | (u_int)pw->pw_uid); |
| 287 | 318 | } |
| 319 | + | |
| 320 | +#ifdef ANDROID | |
| 321 | + if (pw->pw_uid == AID_SHELL) { | |
| 322 | + /* set CAP_SYS_BOOT capability, so "adb reboot" will succeed */ | |
| 323 | + header.version = _LINUX_CAPABILITY_VERSION; | |
| 324 | + header.pid = 0; | |
| 325 | + cap.effective = cap.permitted = (1 << CAP_SYS_BOOT); | |
| 326 | + cap.inheritable = 0; | |
| 327 | + capset(&header, &cap); | |
| 328 | + } | |
| 329 | +#endif | |
| 330 | + | |
| 288 | 331 | } |
Fork
uidswap.c