Merge "adbd: remove ifdefs guarding root/secure."

This commit is contained in:
Josh Gao 2020-06-09 20:05:29 +00:00 committed by Gerrit Code Review
commit 536f220f55
2 changed files with 5 additions and 37 deletions

View File

@ -25,7 +25,6 @@ cc_defaults {
"-Wthread-safety", "-Wthread-safety",
"-Wvla", "-Wvla",
"-DADB_HOST=1", // overridden by adbd_defaults "-DADB_HOST=1", // overridden by adbd_defaults
"-DALLOW_ADBD_ROOT=0", // overridden by adbd_defaults
"-DANDROID_BASE_UNIQUE_FD_DISABLE_IMPLICIT_CONVERSION=1", "-DANDROID_BASE_UNIQUE_FD_DISABLE_IMPLICIT_CONVERSION=1",
], ],
cpp_std: "experimental", cpp_std: "experimental",
@ -81,16 +80,6 @@ cc_defaults {
defaults: ["adb_defaults"], defaults: ["adb_defaults"],
cflags: ["-UADB_HOST", "-DADB_HOST=0"], cflags: ["-UADB_HOST", "-DADB_HOST=0"],
product_variables: {
debuggable: {
cflags: [
"-UALLOW_ADBD_ROOT",
"-DALLOW_ADBD_ROOT=1",
"-DALLOW_ADBD_DISABLE_VERITY",
"-DALLOW_ADBD_NO_AUTH",
],
},
},
} }
cc_defaults { cc_defaults {

View File

@ -62,23 +62,7 @@
#if defined(__ANDROID__) #if defined(__ANDROID__)
static const char* root_seclabel = nullptr; static const char* root_seclabel = nullptr;
static inline bool is_device_unlocked() {
return "orange" == android::base::GetProperty("ro.boot.verifiedbootstate", "");
}
static bool should_drop_capabilities_bounding_set() {
if (ALLOW_ADBD_ROOT || is_device_unlocked()) {
if (__android_log_is_debuggable()) {
return false;
}
}
return true;
}
static bool should_drop_privileges() { static bool should_drop_privileges() {
// "adb root" not allowed, always drop privileges.
if (!ALLOW_ADBD_ROOT && !is_device_unlocked()) return true;
// The properties that affect `adb root` and `adb unroot` are ro.secure and // The properties that affect `adb root` and `adb unroot` are ro.secure and
// ro.debuggable. In this context the names don't make the expected behavior // ro.debuggable. In this context the names don't make the expected behavior
// particularly obvious. // particularly obvious.
@ -132,7 +116,7 @@ static void drop_privileges(int server_port) {
// Don't listen on a port (default 5037) if running in secure mode. // Don't listen on a port (default 5037) if running in secure mode.
// Don't run as root if running in secure mode. // Don't run as root if running in secure mode.
if (should_drop_privileges()) { if (should_drop_privileges()) {
const bool should_drop_caps = should_drop_capabilities_bounding_set(); const bool should_drop_caps = !__android_log_is_debuggable();
if (should_drop_caps) { if (should_drop_caps) {
minijail_use_caps(jail.get(), CAP_TO_MASK(CAP_SETUID) | CAP_TO_MASK(CAP_SETGID)); minijail_use_caps(jail.get(), CAP_TO_MASK(CAP_SETUID) | CAP_TO_MASK(CAP_SETGID));
@ -218,15 +202,10 @@ int adbd_main(int server_port) {
// descriptor will always be open. // descriptor will always be open.
adbd_cloexec_auth_socket(); adbd_cloexec_auth_socket();
#if defined(__ANDROID_RECOVERY__) #if defined(__ANDROID__)
if (is_device_unlocked() || __android_log_is_debuggable()) { // If we're on userdebug/eng or the device is unlocked, permit no-authentication.
auth_required = false; bool device_unlocked = "orange" == android::base::GetProperty("ro.boot.verifiedbootstate", "");
} if (__android_log_is_debuggable() || device_unlocked) {
#elif defined(ALLOW_ADBD_NO_AUTH)
// If ro.adb.secure is unset, default to no authentication required.
auth_required = android::base::GetBoolProperty("ro.adb.secure", false);
#elif defined(__ANDROID__)
if (is_device_unlocked()) { // allows no authentication when the device is unlocked.
auth_required = android::base::GetBoolProperty("ro.adb.secure", false); auth_required = android::base::GetBoolProperty("ro.adb.secure", false);
} }
#endif #endif