1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
|
/*
* Copyright (C) 2007 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/* This file is used to define the properties of the filesystem
** images generated by build tools (mkbootfs and mkyaffs2image) and
** by the device side of adb.
*/
#ifndef _ANDROID_FILESYSTEM_CONFIG_H_
#define _ANDROID_FILESYSTEM_CONFIG_H_
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <stdint.h>
#if defined(__ANDROID__)
#include <linux/capability.h>
#else
#include "android_filesystem_capability.h"
#endif
#define CAP_MASK_LONG(cap_name) (1ULL << (cap_name))
/* This is the master Users and Groups config for the platform.
* DO NOT EVER RENUMBER
*/
#define AID_ROOT 0 /* traditional unix root user */
#define AID_SYSTEM 1000 /* system server */
#define AID_RADIO 1001 /* telephony subsystem, RIL */
#define AID_BLUETOOTH 1002 /* bluetooth subsystem */
#define AID_GRAPHICS 1003 /* graphics devices */
#define AID_INPUT 1004 /* input devices */
#define AID_AUDIO 1005 /* audio devices */
#define AID_CAMERA 1006 /* camera devices */
#define AID_LOG 1007 /* log devices */
#define AID_COMPASS 1008 /* compass device */
#define AID_MOUNT 1009 /* mountd socket */
#define AID_WIFI 1010 /* wifi subsystem */
#define AID_ADB 1011 /* android debug bridge (adbd) */
#define AID_INSTALL 1012 /* group for installing packages */
#define AID_MEDIA 1013 /* mediaserver process */
#define AID_DHCP 1014 /* dhcp client */
#define AID_SDCARD_RW 1015 /* external storage write access */
#define AID_VPN 1016 /* vpn system */
#define AID_KEYSTORE 1017 /* keystore subsystem */
#define AID_USB 1018 /* USB devices */
#define AID_DRM 1019 /* DRM server */
#define AID_MDNSR 1020 /* MulticastDNSResponder (service discovery) */
#define AID_GPS 1021 /* GPS daemon */
#define AID_UNUSED1 1022 /* deprecated, DO NOT USE */
#define AID_MEDIA_RW 1023 /* internal media storage write access */
#define AID_MTP 1024 /* MTP USB driver access */
#define AID_UNUSED2 1025 /* deprecated, DO NOT USE */
#define AID_DRMRPC 1026 /* group for drm rpc */
#define AID_NFC 1027 /* nfc subsystem */
#define AID_SDCARD_R 1028 /* external storage read access */
#define AID_CLAT 1029 /* clat part of nat464 */
#define AID_LOOP_RADIO 1030 /* loop radio devices */
#define AID_MEDIA_DRM 1031 /* MediaDrm plugins */
#define AID_PACKAGE_INFO 1032 /* access to installed package details */
#define AID_SDCARD_PICS 1033 /* external storage photos access */
#define AID_SDCARD_AV 1034 /* external storage audio/video access */
#define AID_SDCARD_ALL 1035 /* access all users external storage */
#define AID_LOGD 1036 /* log daemon */
#define AID_SHARED_RELRO 1037 /* creator of shared GNU RELRO files */
#define AID_DBUS 1038 /* dbus-daemon IPC broker process */
#define AID_TLSDATE 1039 /* tlsdate unprivileged user */
#define AID_MEDIA_EX 1040 /* mediaextractor process */
#define AID_AUDIOSERVER 1041 /* audioserver process */
#define AID_METRICS_COLL 1042 /* metrics_collector process */
#define AID_METRICSD 1043 /* metricsd process */
#define AID_WEBSERV 1044 /* webservd process */
#define AID_DEBUGGERD 1045 /* debuggerd unprivileged user */
#define AID_MEDIA_CODEC 1046 /* mediacodec process */
#define AID_CAMERASERVER 1047 /* cameraserver process */
#define AID_FIREWALL 1048 /* firewalld process */
#define AID_TRUNKS 1049 /* trunksd process (TPM daemon) */
#define AID_NVRAM 1050 /* Access-controlled NVRAM */
#define AID_DNS 1051 /* DNS resolution daemon (system: netd) */
#define AID_DNS_TETHER 1052 /* DNS resolution daemon (tether: dnsmasq) */
#define AID_WEBVIEW_ZYGOTE 1053 /* WebView zygote process */
#define AID_VEHICLE_NETWORK 1054 /* Vehicle network service */
/* Changes to this file must be made in AOSP, *not* in internal branches. */
#define AID_THEMEMAN 1300 /* theme manager */
#define AID_AUDIT 1301 /* audit daemon */
#define AID_SHELL 2000 /* adb and debug shell user */
#define AID_CACHE 2001 /* cache access */
#define AID_DIAG 2002 /* access to diagnostic resources */
/* The range 2900-2999 is reserved for OEM, and must never be
* used here */
#define AID_OEM_RESERVED_START 2900
#if !defined(QCOM_LEGACY_UIDS)
#define AID_QCOM_DIAG 2950 /* access to QTI diagnostic resources */
#define AID_RFS 2951 /* Remote Filesystem for peripheral processors */
#define AID_RFS_SHARED 2952 /* Shared files for Remote Filesystem for peripheral processors */
#endif
#define AID_OEM_RESERVED_END 2999
/* The 3000 series are intended for use as supplemental group id's only.
* They indicate special Android capabilities that the kernel is aware of. */
#define AID_NET_BT_ADMIN 3001 /* bluetooth: create any socket */
#define AID_NET_BT 3002 /* bluetooth: create sco, rfcomm or l2cap sockets */
#define AID_INET 3003 /* can create AF_INET and AF_INET6 sockets */
#define AID_NET_RAW 3004 /* can create raw INET sockets */
#define AID_NET_ADMIN 3005 /* can configure interfaces and routing tables. */
#define AID_NET_BW_STATS 3006 /* read bandwidth statistics */
#define AID_NET_BW_ACCT 3007 /* change bandwidth statistics accounting */
#define AID_NET_BT_STACK 3008 /* bluetooth: access config files */
#define AID_READPROC 3009 /* Allow /proc read access */
#define AID_WAKELOCK 3010 /* Allow system wakelock read/write access */
#if defined(QCOM_LEGACY_UIDS)
#define AID_QCOM_ONCRPC 3011 /* can read/write /dev/oncrpc files */
#define AID_QCOM_DIAG 3012 /* can read/write /dev/diag */
#else
#define AID_SENSORS 3011 /* access to /dev/socket/sensor_ctl_socket & QCCI/QCSI */
#define AID_IMS 3012 /* can read/write /dev/socket/imsrtp */
#define AID_RFS_OLD 3013 /* DEPRECATED OLD ID FOR RFS, DO NOT USE */
#define AID_RFS_SHARED_OLD 3014 /* DEPRECATED OLD ID FOR RFS-SHARED */
#endif
/* The range 5000-5999 is also reserved for OEM, and must never be used here. */
#define AID_OEM_RESERVED_2_START 5000
#define AID_OEM_RESERVED_2_END 5999
#if defined(MOTOROLA_UIDS)
#define AID_MOT_OSH 5000 /* OSH */
#define AID_MOT_ACCY 9000 /* access to accessory */
#define AID_MOT_PWRIC 9001 /* power IC */
#define AID_MOT_USB 9002 /* mot usb */
#define AID_MOT_DRM 9003 /* can access DRM resource. */
#define AID_MOT_TCMD 9004 /* mot_tcmd */
#define AID_MOT_SEC_RTC 9005 /* mot cpcap rtc */
#define AID_MOT_TOMBSTONE 9006
#define AID_MOT_TPAPI 9007 /* mot_tpapi */
#define AID_MOT_SECCLKD 9008 /* mot_secclkd */
#define AID_MOT_WHISPER 9009 /* Whisper Protocol access */
#define AID_MOT_CAIF 9010 /* can create CAIF sockets */
#define AID_MOT_DLNA 9011 /* DLNA native */
#endif // MOTOROLA_UIDS
#define AID_EVERYBODY 9997 /* shared between all apps in the same profile */
#define AID_MISC 9998 /* access to misc storage */
#define AID_NOBODY 9999
#define AID_APP 10000 /* first app user */
#define AID_ISOLATED_START 99000 /* start of uids for fully isolated sandboxed processes */
#define AID_ISOLATED_END 99999 /* end of uids for fully isolated sandboxed processes */
#define AID_USER 100000 /* offset for uid ranges for each user */
#define AID_SHARED_GID_START 50000 /* start of gids for apps in each user to share */
#define AID_SHARED_GID_END 59999 /* start of gids for apps in each user to share */
#if !defined(EXCLUDE_FS_CONFIG_STRUCTURES)
struct android_id_info {
const char *name;
unsigned aid;
};
static const struct android_id_info android_ids[] = {
{ "root", AID_ROOT, },
{ "system", AID_SYSTEM, },
{ "radio", AID_RADIO, },
{ "bluetooth", AID_BLUETOOTH, },
{ "graphics", AID_GRAPHICS, },
{ "input", AID_INPUT, },
{ "audio", AID_AUDIO, },
{ "camera", AID_CAMERA, },
{ "log", AID_LOG, },
{ "compass", AID_COMPASS, },
{ "mount", AID_MOUNT, },
{ "wifi", AID_WIFI, },
{ "adb", AID_ADB, },
{ "install", AID_INSTALL, },
{ "media", AID_MEDIA, },
{ "dhcp", AID_DHCP, },
{ "sdcard_rw", AID_SDCARD_RW, },
{ "vpn", AID_VPN, },
{ "keystore", AID_KEYSTORE, },
{ "usb", AID_USB, },
{ "drm", AID_DRM, },
{ "mdnsr", AID_MDNSR, },
{ "gps", AID_GPS, },
// AID_UNUSED1
{ "media_rw", AID_MEDIA_RW, },
{ "mtp", AID_MTP, },
// AID_UNUSED2
{ "drmrpc", AID_DRMRPC, },
{ "nfc", AID_NFC, },
{ "sdcard_r", AID_SDCARD_R, },
{ "clat", AID_CLAT, },
{ "loop_radio", AID_LOOP_RADIO, },
#if defined(QCOM_LEGACY_UIDS)
{ "qcom_oncrpc", AID_QCOM_ONCRPC, },
#endif
{ "mediadrm", AID_MEDIA_DRM, },
{ "package_info", AID_PACKAGE_INFO, },
{ "sdcard_pics", AID_SDCARD_PICS, },
{ "sdcard_av", AID_SDCARD_AV, },
{ "sdcard_all", AID_SDCARD_ALL, },
{ "logd", AID_LOGD, },
{ "shared_relro", AID_SHARED_RELRO, },
{ "dbus", AID_DBUS, },
{ "tlsdate", AID_TLSDATE, },
{ "mediaex", AID_MEDIA_EX, },
{ "audioserver", AID_AUDIOSERVER, },
{ "metrics_coll", AID_METRICS_COLL },
{ "metricsd", AID_METRICSD },
{ "webserv", AID_WEBSERV },
{ "debuggerd", AID_DEBUGGERD, },
{ "mediacodec", AID_MEDIA_CODEC, },
{ "cameraserver", AID_CAMERASERVER, },
{ "firewall", AID_FIREWALL, },
{ "trunks", AID_TRUNKS, },
{ "nvram", AID_NVRAM, },
{ "dns", AID_DNS, },
{ "dns_tether", AID_DNS_TETHER, },
{ "webview_zygote", AID_WEBVIEW_ZYGOTE, },
{ "vehicle_network", AID_VEHICLE_NETWORK, },
{ "shell", AID_SHELL, },
{ "cache", AID_CACHE, },
{ "diag", AID_DIAG, },
{ "qcom_diag", AID_QCOM_DIAG, },
{ "net_bt_admin", AID_NET_BT_ADMIN, },
{ "net_bt", AID_NET_BT, },
{ "inet", AID_INET, },
{ "net_raw", AID_NET_RAW, },
{ "net_admin", AID_NET_ADMIN, },
{ "net_bw_stats", AID_NET_BW_STATS, },
{ "net_bw_acct", AID_NET_BW_ACCT, },
{ "net_bt_stack", AID_NET_BT_STACK, },
{ "readproc", AID_READPROC, },
{ "wakelock", AID_WAKELOCK, },
#if !defined(QCOM_LEGACY_UIDS)
{ "ims", AID_IMS, },
#endif
#if !defined(QCOM_LEGACY_UIDS)
{ "sensors", AID_SENSORS, },
{ "rfs", AID_RFS, },
{ "rfs_shared", AID_RFS_SHARED, },
#endif
#if !defined(QCOM_LEGACY_UIDS)
{ "rfs_old", AID_RFS_OLD, },
{ "rfs_shared_old", AID_RFS_SHARED_OLD, },
#endif
#if defined(MOTOROLA_UIDS)
{ "mot_osh", AID_MOT_OSH, },
{ "mot_accy", AID_MOT_ACCY, },
{ "mot_pwric", AID_MOT_PWRIC, },
{ "mot_usb", AID_MOT_USB, },
{ "mot_drm", AID_MOT_DRM, },
{ "mot_tcmd", AID_MOT_TCMD, },
{ "mot_sec_rtc", AID_MOT_SEC_RTC, },
{ "mot_tombstone", AID_MOT_TOMBSTONE, },
{ "mot_tpapi", AID_MOT_TPAPI, },
{ "mot_secclkd", AID_MOT_SECCLKD, },
{ "mot_whisper", AID_MOT_WHISPER, },
{ "mot_caif", AID_MOT_CAIF, },
{ "mot_dlna", AID_MOT_DLNA, },
#endif
{ "everybody", AID_EVERYBODY, },
{ "misc", AID_MISC, },
{ "nobody", AID_NOBODY, },
{ "theme_man", AID_THEMEMAN },
{ "audit", AID_AUDIT, },
};
#define android_id_count \
(sizeof(android_ids) / sizeof(android_ids[0]))
struct fs_path_config {
unsigned mode;
unsigned uid;
unsigned gid;
uint64_t capabilities;
const char *prefix;
};
/* Rules for directories.
** These rules are applied based on "first match", so they
** should start with the most specific path and work their
** way up to the root.
*/
static const struct fs_path_config android_dirs[] = {
/* SuperSU ramdisk special directories */
{ 00000, AID_ROOT, AID_ROOT, 0, ".subackup" },
{ 00000, AID_ROOT, AID_ROOT, 0, ".sufrp" },
{ 00000, AID_ROOT, AID_ROOT, 0, "boot/.sufrp" },
{ 00771, AID_SYSTEM, AID_SYSTEM, 0, "boot/bt_firmware" },
{ 00500, AID_ROOT, AID_ROOT, 0, "boot/config" },
{ 00771, AID_SYSTEM, AID_SYSTEM, 0, "boot/data" },
{ 00755, AID_ROOT, AID_SYSTEM, 0, "boot/mnt" },
{ 00750, AID_ROOT, AID_SHELL, 0, "boot/sbin" },
{ 00751, AID_ROOT, AID_SDCARD_R, 0, "boot/storage" },
{ 00755, AID_ROOT, AID_SHELL, 0, "boot/vendor" },
{ 00770, AID_SYSTEM, AID_CACHE, 0, "cache" },
{ 00500, AID_ROOT, AID_ROOT, 0, "config" },
{ 00771, AID_SYSTEM, AID_SYSTEM, 0, "data/app" },
{ 00771, AID_SYSTEM, AID_SYSTEM, 0, "data/app-private" },
{ 00771, AID_SYSTEM, AID_SYSTEM, 0, "data/app-ephemeral" },
{ 00771, AID_ROOT, AID_ROOT, 0, "data/dalvik-cache" },
{ 00771, AID_SYSTEM, AID_SYSTEM, 0, "data/data" },
{ 00771, AID_SHELL, AID_SHELL, 0, "data/local/tmp" },
{ 00771, AID_SHELL, AID_SHELL, 0, "data/local" },
{ 01771, AID_SYSTEM, AID_MISC, 0, "data/misc" },
{ 00770, AID_DHCP, AID_DHCP, 0, "data/misc/dhcp" },
{ 00771, AID_SHARED_RELRO, AID_SHARED_RELRO, 0, "data/misc/shared_relro" },
{ 00775, AID_MEDIA_RW, AID_MEDIA_RW, 0, "data/media" },
{ 00775, AID_MEDIA_RW, AID_MEDIA_RW, 0, "data/media/Music" },
{ 00750, AID_ROOT, AID_SHELL, 0, "data/nativetest" },
{ 00750, AID_ROOT, AID_SHELL, 0, "data/nativetest64" },
{ 00775, AID_ROOT, AID_ROOT, 0, "data/preloads" },
{ 00771, AID_SYSTEM, AID_SYSTEM, 0, "data" },
{ 00755, AID_ROOT, AID_SYSTEM, 0, "mnt" },
{ 00755, AID_ROOT, AID_ROOT, 0, "root" },
{ 00750, AID_ROOT, AID_SHELL, 0, "sbin" },
{ 00751, AID_ROOT, AID_SDCARD_R, 0, "storage" },
{ 00755, AID_ROOT, AID_ROOT, 0, "system/addon.d" },
{ 00755, AID_ROOT, AID_SHELL, 0, "system/bin" },
{ 00755, AID_ROOT, AID_SHELL, 0, "system/vendor" },
{ 00755, AID_ROOT, AID_SHELL, 0, "system/xbin" },
{ 00755, AID_ROOT, AID_ROOT, 0, "system/etc/ppp" },
{ 00755, AID_ROOT, AID_SHELL, 0, "system/etc" },
{ 00755, AID_ROOT, AID_SHELL, 0, "vendor" },
{ 00777, AID_ROOT, AID_ROOT, 0, "sdcard" },
{ 00755, AID_ROOT, AID_ROOT, 0, 0 },
};
/* Rules for files.
** These rules are applied based on "first match", so they
** should start with the most specific path and work their
** way up to the root. Prefixes ending in * denotes wildcard
** and will allow partial matches.
*/
static const struct fs_path_config android_files[] = {
/* Motorola ramdisk special files */
{ 00755, AID_ROOT, AID_ROOT, 0, "init.class_main.sh" },
{ 00400, AID_ROOT, AID_ROOT, 0, "module_hashes" },
{ 00750, AID_ROOT, AID_ROOT, 0, "xbin/qe" },
/* SuperSU ramdisk special files */
{ 00640, AID_ROOT, AID_ROOT, 0, ".subackup/0001_fstab.*" },
{ 00750, AID_ROOT, AID_ROOT, 0, ".subackup/0001_init*" },
{ 00750, AID_ROOT, AID_ROOT, 0, ".subackup/0002_init*" },
{ 00750, AID_ROOT, AID_ROOT, 0, ".subackup/0003_init*" },
{ 00755, AID_ROOT, AID_ROOT, 0, ".sufrp/frp_install" },
{ 00700, AID_ROOT, AID_ROOT, 0, "sbin/launch_daemonsu.sh" },
{ 00750, AID_ROOT, AID_ROOT, 0, "init.environ.rc" },
{ 00750, AID_ROOT, AID_ROOT, 0, "init.rc" },
{ 00750, AID_ROOT, AID_ROOT, 0, "init.supersu.rc" },
{ 00755, AID_ROOT, AID_ROOT, 0, "boot/.sufrp/frp_install" },
{ 00700, AID_ROOT, AID_ROOT, 0, "boot/sbin/launch_daemonsu.sh" },
{ 00750, AID_ROOT, AID_SHELL, 0, "boot/sbin/*" },
{ 00640, AID_ROOT, AID_SHELL, 0, "boot/fstab.*" },
{ 00750, AID_ROOT, AID_ROOT, 0, "boot/init.environ.rc" },
{ 00750, AID_ROOT, AID_ROOT, 0, "boot/init.rc" },
{ 00750, AID_ROOT, AID_ROOT, 0, "boot/init.supersu.rc" },
{ 00750, AID_ROOT, AID_SHELL, 0, "boot/init*" },
{ 00440, AID_ROOT, AID_SHELL, 0, "system/etc/init.goldfish.rc" },
{ 00550, AID_ROOT, AID_SHELL, 0, "system/etc/init.goldfish.sh" },
{ 00550, AID_ROOT, AID_SHELL, 0, "system/etc/init.ril" },
{ 00550, AID_DHCP, AID_SHELL, 0, "system/etc/dhcpcd/dhcpcd-run-hooks" },
{ 00555, AID_ROOT, AID_ROOT, 0, "system/etc/ppp/*" },
{ 00555, AID_ROOT, AID_ROOT, 0, "system/etc/rc.*" },
{ 00440, AID_ROOT, AID_ROOT, 0, "system/etc/recovery.img" },
{ 00755, AID_ROOT, AID_ROOT, 0, "system/addon.d/*" },
{ 00644, AID_SYSTEM, AID_SYSTEM, 0, "data/app/*" },
{ 00644, AID_MEDIA_RW, AID_MEDIA_RW, 0, "data/media/*" },
{ 00644, AID_SYSTEM, AID_SYSTEM, 0, "data/app-private/*" },
{ 00644, AID_SYSTEM, AID_SYSTEM, 0, "data/app-ephemeral/*" },
{ 00644, AID_APP, AID_APP, 0, "data/data/*" },
{ 00640, AID_ROOT, AID_SHELL, 0, "data/nativetest/tests.txt" },
{ 00640, AID_ROOT, AID_SHELL, 0, "data/nativetest64/tests.txt" },
{ 00750, AID_ROOT, AID_SHELL, 0, "data/nativetest/*" },
{ 00750, AID_ROOT, AID_SHELL, 0, "data/nativetest64/*" },
/* CM's daemonized su doesn't need the setuid bit */
{ 00755, AID_ROOT, AID_SHELL, 0, "system/xbin/su" },
/* the following files are INTENTIONALLY set-uid, but they
* are NOT included on user builds. */
{ 06755, AID_ROOT, AID_ROOT, 0, "system/xbin/procmem" },
/* the following files have enhanced capabilities and ARE included in user builds. */
{ 00550, AID_LOGD, AID_LOGD, CAP_MASK_LONG(CAP_SYSLOG) |
CAP_MASK_LONG(CAP_AUDIT_CONTROL) |
CAP_MASK_LONG(CAP_SETGID),
"system/bin/logd" },
{ 00750, AID_ROOT, AID_SHELL, CAP_MASK_LONG(CAP_SETUID) |
CAP_MASK_LONG(CAP_SETGID),
"system/bin/run-as" },
{ 00700, AID_SYSTEM, AID_SHELL, CAP_MASK_LONG(CAP_BLOCK_SUSPEND),
"system/bin/inputflinger" },
/* Support FIFO scheduling mode in SurfaceFlinger. */
{ 00755, AID_SYSTEM, AID_GRAPHICS, CAP_MASK_LONG(CAP_SYS_NICE),
"system/bin/surfaceflinger" },
/* Support hostapd administering a network interface. */
{ 00755, AID_WIFI, AID_WIFI, CAP_MASK_LONG(CAP_NET_ADMIN) |
CAP_MASK_LONG(CAP_NET_RAW),
"system/bin/hostapd" },
/* Support wifi_hal_legacy administering a network interface. */
{ 00755, AID_WIFI, AID_WIFI, CAP_MASK_LONG(CAP_NET_ADMIN) |
CAP_MASK_LONG(CAP_NET_RAW),
"system/bin/hw/android.hardware.wifi@1.0-service" },
/* A non-privileged zygote that spawns isolated processes for web rendering. */
{ 0750, AID_ROOT, AID_ROOT, CAP_MASK_LONG(CAP_SETUID) |
CAP_MASK_LONG(CAP_SETGID) |
CAP_MASK_LONG(CAP_SETPCAP),
"system/bin/webview_zygote32" },
{ 0750, AID_ROOT, AID_ROOT, CAP_MASK_LONG(CAP_SETUID) |
CAP_MASK_LONG(CAP_SETGID) |
CAP_MASK_LONG(CAP_SETPCAP),
"system/bin/webview_zygote64" },
{ 00750, AID_ROOT, AID_ROOT, 0, "system/bin/uncrypt" },
{ 00750, AID_ROOT, AID_ROOT, 0, "system/bin/install-recovery.sh" },
{ 00755, AID_ROOT, AID_SHELL, 0, "system/bin/*" },
{ 00755, AID_ROOT, AID_SHELL, 0, "system/etc/init.d/*" },
{ 00755, AID_ROOT, AID_ROOT, 0, "system/lib/valgrind/*" },
{ 00755, AID_ROOT, AID_ROOT, 0, "system/lib64/valgrind/*" },
{ 00755, AID_ROOT, AID_SHELL, 0, "system/xbin/*" },
{ 00755, AID_ROOT, AID_SHELL, 0, "system/vendor/bin/*" },
{ 00755, AID_ROOT, AID_SHELL, 0, "system/vendor/xbin/*" },
{ 00755, AID_ROOT, AID_SHELL, 0, "vendor/bin/*" },
{ 00755, AID_ROOT, AID_SHELL, 0, "vendor/xbin/*" },
{ 00750, AID_ROOT, AID_SHELL, 0, "sbin/*" },
{ 00755, AID_ROOT, AID_ROOT, 0, "bin/*" },
{ 00750, AID_ROOT, AID_SHELL, 0, "init*" },
{ 00750, AID_ROOT, AID_SHELL, 0, "charger*" },
{ 00750, AID_ROOT, AID_SHELL, 0, "sbin/fs_mgr" },
{ 00640, AID_ROOT, AID_SHELL, 0, "fstab.*" },
{ 00644, AID_ROOT, AID_ROOT, 0, 0 },
};
static inline void fs_config(const char *path, int dir, const char *target_out_path,
unsigned *uid, unsigned *gid, unsigned *mode, uint64_t *capabilities)
{
const struct fs_path_config *pc;
int plen;
if (path[0] == '/') {
path++;
}
pc = dir ? android_dirs : android_files;
plen = strlen(path);
for(; pc->prefix; pc++){
int len = strlen(pc->prefix);
if (dir) {
if(plen < len) continue;
if(!strncmp(pc->prefix, path, len)) break;
continue;
}
/* If name ends in * then allow partial matches. */
if (pc->prefix[len -1] == '*') {
if(!strncmp(pc->prefix, path, len - 1)) break;
} else if (plen == len){
if(!strncmp(pc->prefix, path, len)) break;
}
}
*uid = pc->uid;
*gid = pc->gid;
*mode = (*mode & (~07777)) | pc->mode;
*capabilities = pc->capabilities;
#if 0
fprintf(stderr,"< '%s' '%s' %d %d %o >\n",
path, pc->prefix ? pc->prefix : "", *uid, *gid, *mode);
#endif
}
ssize_t fs_config_generate(char *buffer, size_t length, const struct fs_path_config *pc);
#endif
#endif
|
