1*795d594fSAndroid Build Coastguard Worker /* 2*795d594fSAndroid Build Coastguard Worker * Copyright (C) 2018 The Android Open Source Project 3*795d594fSAndroid Build Coastguard Worker * 4*795d594fSAndroid Build Coastguard Worker * Licensed under the Apache License, Version 2.0 (the "License"); 5*795d594fSAndroid Build Coastguard Worker * you may not use this file except in compliance with the License. 6*795d594fSAndroid Build Coastguard Worker * You may obtain a copy of the License at 7*795d594fSAndroid Build Coastguard Worker * 8*795d594fSAndroid Build Coastguard Worker * http://www.apache.org/licenses/LICENSE-2.0 9*795d594fSAndroid Build Coastguard Worker * 10*795d594fSAndroid Build Coastguard Worker * Unless required by applicable law or agreed to in writing, software 11*795d594fSAndroid Build Coastguard Worker * distributed under the License is distributed on an "AS IS" BASIS, 12*795d594fSAndroid Build Coastguard Worker * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13*795d594fSAndroid Build Coastguard Worker * See the License for the specific language governing permissions and 14*795d594fSAndroid Build Coastguard Worker * limitations under the License. 15*795d594fSAndroid Build Coastguard Worker */ 16*795d594fSAndroid Build Coastguard Worker 17*795d594fSAndroid Build Coastguard Worker #include "socket_peer_is_trusted.h" 18*795d594fSAndroid Build Coastguard Worker 19*795d594fSAndroid Build Coastguard Worker #if !defined(_WIN32) 20*795d594fSAndroid Build Coastguard Worker #include <pwd.h> 21*795d594fSAndroid Build Coastguard Worker #include <sys/socket.h> 22*795d594fSAndroid Build Coastguard Worker #endif 23*795d594fSAndroid Build Coastguard Worker 24*795d594fSAndroid Build Coastguard Worker #include <android-base/logging.h> 25*795d594fSAndroid Build Coastguard Worker 26*795d594fSAndroid Build Coastguard Worker namespace art { 27*795d594fSAndroid Build Coastguard Worker 28*795d594fSAndroid Build Coastguard Worker // Returns true if the user on the other end of the socket is root or shell. 29*795d594fSAndroid Build Coastguard Worker #ifdef ART_TARGET_ANDROID SocketPeerIsTrusted(int fd)30*795d594fSAndroid Build Coastguard Workerbool SocketPeerIsTrusted(int fd) { 31*795d594fSAndroid Build Coastguard Worker ucred cr; 32*795d594fSAndroid Build Coastguard Worker socklen_t cr_length = sizeof(cr); 33*795d594fSAndroid Build Coastguard Worker if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &cr_length) != 0) { 34*795d594fSAndroid Build Coastguard Worker PLOG(ERROR) << "couldn't get socket credentials"; 35*795d594fSAndroid Build Coastguard Worker return false; 36*795d594fSAndroid Build Coastguard Worker } 37*795d594fSAndroid Build Coastguard Worker 38*795d594fSAndroid Build Coastguard Worker passwd* shell = getpwnam("shell"); 39*795d594fSAndroid Build Coastguard Worker if (cr.uid != 0 && cr.uid != shell->pw_uid) { 40*795d594fSAndroid Build Coastguard Worker LOG(ERROR) << "untrusted uid " << cr.uid << " on other end of socket"; 41*795d594fSAndroid Build Coastguard Worker return false; 42*795d594fSAndroid Build Coastguard Worker } 43*795d594fSAndroid Build Coastguard Worker 44*795d594fSAndroid Build Coastguard Worker return true; 45*795d594fSAndroid Build Coastguard Worker } 46*795d594fSAndroid Build Coastguard Worker #else 47*795d594fSAndroid Build Coastguard Worker bool SocketPeerIsTrusted(int /* fd */) { 48*795d594fSAndroid Build Coastguard Worker return true; 49*795d594fSAndroid Build Coastguard Worker } 50*795d594fSAndroid Build Coastguard Worker #endif 51*795d594fSAndroid Build Coastguard Worker 52*795d594fSAndroid Build Coastguard Worker } // namespace art 53