author | Feng Yu <feny@google.com> | 2016-11-18 21:07:24 +0000 |
---|---|---|
committer | Android (Google) Code Review <android-gerrit@google.com> | 2016-11-18 21:07:30 +0000 |
commit | 40892a1a7f8437911a90e1aab6461e96517cafc9 (patch) | |
tree | cb0ad6495611399165f4bcf2e20899605d8b703d | |
parent | 0b4e333a00a278e77077683de1b00bdce71038f0 (diff) | |
parent | 185ad425340ffdf34295b3e6678fe35a91a23e60 (diff) | |
download | base-40892a1a7f8437911a90e1aab6461e96517cafc9.tar.gz |
Merge changes If5b53f6f,I119e0bfc,If89903a2,Idc4af77d into security-aosp-mnc-mr1-release
* changes:
Zygote: Additional whitelisting for legacy devices.
Zygote: Additional whitelists for runtime overlay / other static resources.
Zygote : Block SIGCHLD during fork.
Fix idmap leak in zygote process
-rw-r--r-- | core/jni/com_android_internal_os_Zygote.cpp | 24 | ||||
-rw-r--r-- | core/jni/fd_utils-inl.h | 50 | ||||
-rw-r--r-- | libs/androidfw/AssetManager.cpp | 1 |
3 files changed, 72 insertions, 3 deletions
diff --git a/core/jni/com_android_internal_os_Zygote.cpp b/core/jni/com_android_internal_os_Zygote.cpp
index a1fef4a4d963..4f9ea68ade5a 100644
--- a/core/jni/com_android_internal_os_Zygote.cpp
+++ b/core/jni/com_android_internal_os_Zygote.cpp
@@ -465,6 +465,20 @@ static pid_t ForkAndSpecializeCommon(JNIEnv* env, uid_t uid, gid_t gid, jintArra
 SetForkLoad(true);
 #endif
+ sigset_t sigchld;
+ sigemptyset(&sigchld);
+ sigaddset(&sigchld, SIGCHLD);
+
+ // Temporarily block SIGCHLD during forks. The SIGCHLD handler might
+ log, which would result in the logging FDs we close being reopened.
+ This would cause failures because the FDs are not whitelisted.
+ //
+ Note that the zygote process is single threaded at this point.
+ if (sigprocmask(SIG_BLOCK, &sigchld, nullptr) == -1) {
+ ALOGE("sigprocmask(SIG_SETMASK, { SIGCHLD }) failed: %s", strerror(errno));
+ RuntimeAbort(env, __LINE__, "Call to sigprocmask(SIG_BLOCK, { SIGCHLD }) failed.");
+ }
+
 // Close any logging related FDs before we start evaluating the list of
 // file descriptors.
 __android_log_close();
@@ -496,6 +510,11 @@ static pid_t ForkAndSpecializeCommon(JNIEnv* env, uid_t uid, gid_t gid, jintArra
 RuntimeAbort(env, __LINE__, "Unable to reopen whitelisted descriptors.");
 }
+ if (sigprocmask(SIG_UNBLOCK, &sigchld, nullptr) == -1) {
+ ALOGE("sigprocmask(SIG_SETMASK, { SIGCHLD }) failed: %s", strerror(errno));
+ RuntimeAbort(env, __LINE__, "Call to sigprocmask(SIG_UNBLOCK, { SIGCHLD }) failed.");
+ }
+
 // Keep capabilities across UID change, unless we're staying root.
 if (uid != 0) {
 EnableKeepCapabilities(env);
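Review bot: The ALOGE text in the SIG_BLOCK failure branch names `SIG_SETMASK`, but the call being reported is `sigprocmask(SIG_BLOCK, ...)`; the RuntimeAbort message on the following line names the right operation, so the two messages for the same failure disagree in the log. The same copy-paste appears at both SIG_UNBLOCK sites (the -496 hunk in this file and the -633 hunk on the next line), where the log line should say SIG_UNBLOCK. Suggested for this site: `ALOGE("sigprocmask(SIG_BLOCK, { SIGCHLD }) failed: %s", strerror(errno));`. ForkAndSpecializeCommon begins before this hunk and continues past it.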
@@ -633,6 +652,11 @@ static pid_t ForkAndSpecializeCommon(JNIEnv* env, uid_t uid, gid_t gid, jintArra
 SetForkLoad(false);
 #endif
+ // We blocked SIGCHLD prior to a fork, we unblock it here.
+ if (sigprocmask(SIG_UNBLOCK, &sigchld, nullptr) == -1) {
+ ALOGE("sigprocmask(SIG_SETMASK, { SIGCHLD }) failed: %s", strerror(errno));
+ RuntimeAbort(env, __LINE__, "Call to sigprocmask(SIG_UNBLOCK, { SIGCHLD }) failed.");
+ }
 }
 return pid;
 }
diff --git a/core/jni/fd_utils-inl.h b/core/jni/fd_utils-inl.h
index a34874512139..064e2ed88afc 100644
--- a/core/jni/fd_utils-inl.h
+++ b/core/jni/fd_utils-inl.h
@@ -241,9 +241,22 @@ class FileDescriptorInfo {
 is_sock(false) {
 }
+ static bool StartsWith(const std::string& str, const std::string& prefix) {
+ return str.compare(0, prefix.size(), prefix) == 0;
+ }
+
+ static bool EndsWith(const std::string& str, const std::string& suffix) {
+ if (suffix.size() > str.size()) {
+ return false;
+ }
+
+ return str.compare(str.size() - suffix.size(), suffix.size(), suffix) == 0;
+ }
+
 // Returns true iff. a given path is whitelisted. A path is whitelisted
 // if it belongs to the whitelist (see kPathWhitelist) or if it's a path
- under /system/framework that ends with ".jar".
+ under /system/framework that ends with ".jar" or if it is a system
+ framework overlay.
 static bool IsWhitelisted(const std::string& path) {
 for (size_t i = 0; i < (sizeof(kPathWhitelist) / sizeof(kPathWhitelist[0])); ++i) {
 if (kPathWhitelist[i] == path) {
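Review bot: The parent-side SIG_UNBLOCK is placed inside the branch whose closing `}` immediately precedes `return pid;`, and that branch's opening lies outside the hunk; if it is the `pid > 0` parent path, a failed fork (pid < 0) returns with SIGCHLD still blocked in the zygote, and the mask is never restored before the next fork attempt blocks it again. The child path already has its own unblock in the -496 hunk, so the fix is only to move the closing `}` of the enclosing branch up to sit before the added `if (sigprocmask(SIG_UNBLOCK, &sigchld, nullptr) == -1) {` block, so the unblock runs on both the success and the error path of the parent. A comment such as `// Restore the mask whether or not the fork succeeded.` would make that placement deliberate. The rest of ForkAndSpecializeCommon is outside this hunk.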
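Review bot: `StartsWith` carries no length guard while `EndsWith` right below it does, and it is correct only because `std::string::compare(0, n, s)` clamps the compared length to `str.size()` when `str` is shorter than `prefix`, yielding a nonzero result rather than throwing. That asymmetry reads like an oversight next to the guarded sibling, so a one-line comment would save the next reader a trip to the standard: `// pos 0 is always valid and compare() clamps the length, so no size guard is needed.`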
@@ -253,10 +266,41 @@ class FileDescriptorInfo {
 static const std::string kFrameworksPrefix = "/system/framework/";
 static const std::string kJarSuffix = ".jar";
- if (path.compare(0, kFrameworksPrefix.size(), kFrameworksPrefix) == 0 &&
- path.compare(path.size() - kJarSuffix.size(), kJarSuffix.size(), kJarSuffix) == 0) {
+ if (StartsWith(path, kFrameworksPrefix) && EndsWith(path, kJarSuffix)) {
 return true;
 }
+
+ // Whitelist files needed for Runtime Resource Overlay, like these:
+ // /system/vendor/overlay/framework-res.apk
+ // /system/vendor/overlay-subdir/pg/framework-res.apk
+ // /data/resource-cache/system@vendor@overlay@framework-res.apk@idmap
+ // /data/resource-cache/system@vendor@overlay-subdir@pg@framework-res.apk@idmap
+ // See AssetManager.cpp for more details on overlay-subdir.
+ static const std::string kOverlayDir = "/system/vendor/overlay/";
+ static const std::string kVendorOverlayDir = "/vendor/overlay";
+ static const std::string kOverlaySubdir = "/system/vendor/overlay-subdir/";
+ static const std::string kApkSuffix = ".apk";
+
+ if ((StartsWith(path, kOverlayDir) || StartsWith(path, kOverlaySubdir)
+ || StartsWith(path, kVendorOverlayDir))
+ && EndsWith(path, kApkSuffix)
+ && path.find("/../") == std::string::npos) {
+ return true;
+ }
+
+ static const std::string kOverlayIdmapPrefix = "/data/resource-cache/";
+ static const std::string kOverlayIdmapSuffix = ".apk@idmap";
+ if (StartsWith(path, kOverlayIdmapPrefix) && EndsWith(path, kOverlayIdmapSuffix)
+ && path.find("/../") == std::string::npos) {
+ return true;
+ }
+
+ // All regular files that are placed under this path are whitelisted automatically.
+ static const std::string kZygoteWhitelistPath = "/vendor/zygote_whitelist/";
+ if (StartsWith(path, kZygoteWhitelistPath) && path.find("/../") == std::string::npos) {
+ return true;
+ }
+
 return false;
 }
diff --git a/libs/androidfw/AssetManager.cpp b/libs/androidfw/AssetManager.cpp
index 2dc1c96259c0..1a27d67c3732 100644
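Review bot: `kVendorOverlayDir` is `"/vendor/overlay"` with no trailing slash, while `kOverlayDir` and `kOverlaySubdir` both end in `/`; used as a StartsWith prefix it therefore also accepts any sibling directory whose name merely begins with `overlay`, which is wider than the directories the comment above enumerates. If the intent is to cover both `/vendor/overlay/` and `/vendor/overlay-subdir/`, listing those two prefixes explicitly keeps the whitelist as narrow as it is documented to be; otherwise `static const std::string kVendorOverlayDir = "/vendor/overlay/";` matches the other two constants. The `/../` checks are a sensible belt-and-braces addition, but the guarantee ultimately rests on how `path` is obtained, which is outside this hunk, and IsWhitelisted itself opens in the previous hunk.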
--- a/libs/androidfw/AssetManager.cpp
+++ b/libs/androidfw/AssetManager.cpp
@@ -814,6 +814,7 @@ void AssetManager::addSystemOverlays(const char* pathOverlaysList,
 sharedRes->add(oass, oidmap, offset + 1, false);
 const_cast<AssetManager*>(this)->mAssetPaths.add(oap);
 const_cast<AssetManager*>(this)->mZipSet.addOverlay(targetPackagePath, oap);
+ delete oidmap;
 }
 }
 fclose(fin); |
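Review bot: `delete oidmap;` closes the leak but leaves the ownership contract implicit: nothing at the call site says that `sharedRes->add(oass, oidmap, ...)` does not retain the pointer it was handed, and a future reader may assume it does. Presumably add() copies what it needs from the idmap — confirm that against its implementation — and record the result in a comment at the delete, e.g. `// sharedRes->add() does not keep oidmap; it is ours to free.`. The loop body begins outside the hunk, so any earlier exit from this iteration that already leaked oidmap is not covered by this change; holding oidmap in a scoped owner such as `std::unique_ptr` would cover every exit path if its type permits.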