Skip to content
Browse files

CM specific changes to allow disabling of root access from system set…

…tings
  • Loading branch information...
1 parent 8bf97db commit 538413f2b709edceb62943222e07e9a9dce75163 @ChainsDD committed
Showing with 181 additions and 5 deletions.
  1. +1 −1 Android.mk
  2. +51 −2 su.c
  3. +2 −2 su.h
  4. +103 −0 utils.c
  5. +24 −0 utils.h
View
2 Android.mk
@@ -2,7 +2,7 @@ LOCAL_PATH := $(call my-dir)
include $(CLEAR_VARS)
LOCAL_MODULE := su
-LOCAL_SRC_FILES := su.c db.c activity.c
+LOCAL_SRC_FILES := su.c db.c activity.c utils.c
LOCAL_C_INCLUDES += external/sqlite/dist
View
53 su.c
@@ -38,6 +38,7 @@
#include <cutils/log.h>
#include "su.h"
+#include "utils.h"
/* Still lazt, will fix this */
static char socket_path[PATH_MAX];
@@ -375,8 +376,10 @@ int main(int argc, char *argv[])
};
struct stat st;
int socket_serv_fd, fd;
- char buf[64], *result;
- int c, dballow;
+ char buf[64], *result, debuggable[PROPERTY_VALUE_MAX];
+ char enabled[PROPERTY_VALUE_MAX], build_type[PROPERTY_VALUE_MAX];
+ char cm_version[PROPERTY_VALUE_MAX];;
+ int c, dballow, len;
struct option long_opts[] = {
{ "command", required_argument, NULL, 'c' },
{ "help", no_argument, NULL, 'h' },
@@ -386,6 +389,8 @@ int main(int argc, char *argv[])
{ "version", no_argument, NULL, 'v' },
{ NULL, 0, NULL, 0 },
};
+ char *data;
+ unsigned sz;
while ((c = getopt_long(argc, argv, "+c:hlmps:Vv", long_opts, NULL)) != -1) {
switch(c) {
@@ -450,8 +455,52 @@ int main(int argc, char *argv[])
deny(&ctx);
}
+ // we can't simply use the property service, since we aren't launched from init and
+ // can't trust the location of the property workspace. find the properties ourselves.
+ data = read_file("/default.prop", &sz);
+ get_property(data, debuggable, "ro.debuggable", "0");
+ free(data);
+
+ data = read_file("/system/build.prop", &sz);
+ get_property(data, cm_version, "ro.cm.version", "");
+ get_property(data, build_type, "ro.build.type", "");
+ free(data);
+
+ data = read_file("/data/property/persist.sys.root_access", &sz);
+ if (data != NULL) {
+ len = strlen(data);
+ if (len >= PROPERTY_VALUE_MAX)
+ memcpy(enabled, "1", 2);
+ else
+ memcpy(enabled, data, len + 1);
+ free(data);
+ } else
+ memcpy(enabled, "1", 2);
+
ctx.umask = umask(027);
+ // CyanogenMod-specific behavior
+ if (strlen(cm_version) > 0) {
+ // only allow su on debuggable builds
+ if (strcmp("1", debuggable) != 0) {
+ LOGE("Root access is disabled on non-debug builds");
+ deny(&ctx);
+ }
+
+ // enforce persist.sys.root_access on non-eng builds
+ if (strcmp("eng", build_type) != 0 &&
+ (atoi(enabled) & 1) != 1 ) {
+ LOGE("Root access is disabled by system setting - enable it under settings -> developer options");
+ deny(&ctx);
+ }
+
+ // disallow su in a shell if appropriate
+ if (ctx.from.uid == AID_SHELL && (atoi(enabled) == 1)) {
+ LOGE("Root access is disabled by a system setting - enable it under settings -> developer options");
+ deny(&ctx);
+ }
+ }
+
if (ctx.from.uid == AID_ROOT || ctx.from.uid == AID_SHELL)
allow(&ctx);
View
4 su.h
@@ -42,8 +42,8 @@
#define VERSION_EXTRA ""
#endif
-#define VERSION "3.1" VERSION_EXTRA
-#define VERSION_CODE 16
+#define VERSION "3.1.1" VERSION_EXTRA
+#define VERSION_CODE 17
#define DATABASE_VERSION 6
#define PROTO_VERSION 0
View
103 utils.c
@@ -0,0 +1,103 @@
+/*
+** Copyright 2012, The CyanogenMod Project
+**
+** Licensed under the Apache License, Version 2.0 (the "License");
+** you may not use this file except in compliance with the License.
+** You may obtain a copy of the License at
+**
+** http://www.apache.org/licenses/LICENSE-2.0
+**
+** Unless required by applicable law or agreed to in writing, software
+** distributed under the License is distributed on an "AS IS" BASIS,
+** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+** See the License for the specific language governing permissions and
+** limitations under the License.
+*/
+
+#include <unistd.h>
+#include <limits.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <endian.h>
+#include <ctype.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <cutils/properties.h>
+
+/* reads a file, making sure it is terminated with \n \0 */
+char* read_file(const char *fn, unsigned *_sz)
+{
+ char *data;
+ int sz;
+ int fd;
+
+ data = 0;
+ fd = open(fn, O_RDONLY);
+ if(fd < 0) return 0;
+
+ sz = lseek(fd, 0, SEEK_END);
+ if(sz < 0) goto oops;
+
+ if(lseek(fd, 0, SEEK_SET) != 0) goto oops;
+
+ data = (char*) malloc(sz + 2);
+ if(data == 0) goto oops;
+
+ if(read(fd, data, sz) != sz) goto oops;
+ close(fd);
+ data[sz] = '\n';
+ data[sz+1] = 0;
+ if(_sz) *_sz = sz;
+ return data;
+
+oops:
+ close(fd);
+ if(data != 0) free(data);
+ return 0;
+}
+
+int get_property(const char *data, char *found, const char *searchkey, const char *not_found)
+{
+ char *key, *value, *eol, *sol, *tmp;
+ if (data == NULL) goto defval;
+ int matched = 0;
+ sol = strdup(data);
+ while((eol = strchr(sol, '\n'))) {
+ key = sol;
+ *eol++ = 0;
+ sol = eol;
+
+ value = strchr(key, '=');
+ if(value == 0) continue;
+ *value++ = 0;
+
+ while(isspace(*key)) key++;
+ if(*key == '#') continue;
+ tmp = value - 2;
+ while((tmp > key) && isspace(*tmp)) *tmp-- = 0;
+
+ while(isspace(*value)) value++;
+ tmp = eol - 2;
+ while((tmp > value) && isspace(*tmp)) *tmp-- = 0;
+
+ if (strncmp(searchkey, key, strlen(searchkey)) == 0) {
+ matched = 1;
+ break;
+ }
+ }
+ int len;
+ if (matched) {
+ len = strlen(value);
+ if (len >= PROPERTY_VALUE_MAX)
+ return -1;
+ memcpy(found, value, len + 1);
+ } else goto defval;
+ return len;
+
+defval:
+ len = strlen(not_found);
+ memcpy(found, not_found, len + 1);
+ return len;
+}
View
24 utils.h
@@ -0,0 +1,24 @@
+/*
+** Copyright 2012, The CyanogenMod Project
+**
+** Licensed under the Apache License, Version 2.0 (the "License");
+** you may not use this file except in compliance with the License.
+** You may obtain a copy of the License at
+**
+** http://www.apache.org/licenses/LICENSE-2.0
+**
+** Unless required by applicable law or agreed to in writing, software
+** distributed under the License is distributed on an "AS IS" BASIS,
+** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+** See the License for the specific language governing permissions and
+** limitations under the License.
+*/
+
+#ifndef _UTILS_H_
+#define _UTILS_H_
+
+/* reads a file, making sure it is terminated with \n \0 */
+char* read_file(const char *fn, unsigned *_sz);
+
+int get_property(const char *data, char *found, const char *searchkey, const char *not_found);
+#endif

0 comments on commit 538413f

Please sign in to comment.
Something went wrong with that request. Please try again.