libc: make system properties more secure.

Currently, system properties are passed via the environment variable ANDROID_PROPERTY_WORKSPACE and a file descriptor passed from parent to child. This is insecure for setuid executables, as the environment variable can be changed by the caller. Modify system property handling so that we get the properties from a root owned properties file, rather than using an environment variable. Related to bug: 8029617 Change-Id: I5717e51f20f9e4339ed0a1fdf2fc797e52670fbb
2013-01-18 14:26:55 -08:00 · 2013-01-18 14:26:55 -08:00 · f10c5a2215
commit f10c5a2215
parent bf1d225593
2 changed files with 16 additions and 14 deletions
--- a/libc/bionic/system_properties.c
+++ b/libc/bionic/system_properties.c
@ -31,6 +31,7 @@
 #include <stddef.h>
 #include <errno.h>
 #include <poll.h>
+#include <fcntl.h>

 #include <sys/mman.h>

@ -38,6 +39,7 @@
 #include <sys/un.h>
 #include <sys/select.h>
 #include <sys/types.h>
+#include <sys/stat.h>
 #include <netinet/in.h>
 #include <unistd.h>

@ -55,33 +57,34 @@ prop_area *__system_property_area__ = (void*) &dummy_props;
 int __system_properties_init(void)
 {
    prop_area *pa;
-    int s, fd;
-    unsigned sz;
-    char *env;
+    int fd;
+    struct stat fd_stat;

    if(__system_property_area__ != ((void*) &dummy_props)) {
        return 0;
    }

-    env = getenv("ANDROID_PROPERTY_WORKSPACE");
-    if (!env) {
+    fd = open(PROP_FILENAME, O_RDONLY | O_NOFOLLOW);
+
+    if (fd < 0) {
        return -1;
    }
-    fd = atoi(env);
-    env = strchr(env, ',');
-    if (!env) {
+
+    if (fstat(fd, &fd_stat) < 0) {
+        close(fd);
        return -1;
    }
-    sz = atoi(env + 1);
-    
-    pa = mmap(0, sz, PROT_READ, MAP_SHARED, fd, 0);
+
+    pa = mmap(0, fd_stat.st_size, PROT_READ, MAP_SHARED, fd, 0);
+
+    close(fd);
    
    if(pa == MAP_FAILED) {
        return -1;
    }

    if((pa->magic != PROP_AREA_MAGIC) || (pa->version != PROP_AREA_VERSION)) {
-        munmap(pa, sz);
+        munmap(pa, fd_stat.st_size);
        return -1;
    }

@ -218,8 +221,6 @@ static int send_prop_msg(prop_msg *msg)
 int __system_property_set(const char *key, const char *value)
 {
    int err;
-    int tries = 0;
-    int update_seen = 0;
    prop_msg msg;

    if(key == 0) return -1;
--- a/libc/include/sys/_system_properties.h
+++ b/libc/include/sys/_system_properties.h
@ -41,6 +41,7 @@ typedef struct prop_msg prop_msg;
 #define PROP_AREA_VERSION 0x45434f76

 #define PROP_SERVICE_NAME "property_service"
+#define PROP_FILENAME "/dev/__properties__"

 /* #define PROP_MAX_ENTRIES 247 */
 /* 247 -> 32620 bytes (<32768) */