├── .gitignore ├── .github └── FUNDING.yml ├── Makefile ├── NOTICE ├── private ├── android_filesystem_capability.h └── android_filesystem_config.h └── mkbootfs.c /.gitignore: -------------------------------------------------------------------------------- 1 | *.o 2 | *.exe 3 | mkbootfs 4 | -------------------------------------------------------------------------------- /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | # These are supported funding model platforms 2 | 3 | github: osm0sis # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2] 4 | patreon: # Replace with a single Patreon username 5 | open_collective: # Replace with a single Open Collective username 6 | ko_fi: # Replace with a single Ko-fi username 7 | tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel 8 | community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry 9 | liberapay: # Replace with a single Liberapay username 10 | issuehunt: # Replace with a single IssueHunt username 11 | otechie: # Replace with a single Otechie username 12 | custom: https://www.paypal.me/osm0sis # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2'] 13 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | ifeq ($(CC),cc) 2 | CC = gcc 3 | endif 4 | AR = ar rc 5 | ifeq ($(windir),) 6 | EXT = 7 | RM = rm -f 8 | CP = cp 9 | else 10 | EXT = .exe 11 | RM = del 12 | CP = copy /y 13 | endif 14 | 15 | CFLAGS += -ffunction-sections -O3 16 | 17 | INC = -I. 
18 | 19 | ifneq (,$(findstring darwin,$(CROSS_COMPILE))) 20 | UNAME_S := Darwin 21 | else 22 | UNAME_S := $(shell uname -s) 23 | endif 24 | ifeq ($(UNAME_S),Darwin) 25 | LDFLAGS += -Wl,-dead_strip 26 | else 27 | LDFLAGS += -Wl,--gc-sections -s 28 | endif 29 | 30 | all:mkbootfs$(EXT) 31 | 32 | static: 33 | $(MAKE) CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS) -static" 34 | 35 | mkbootfs$(EXT):mkbootfs.o 36 | $(CROSS_COMPILE)$(CC) -o $@ $^ $(LDFLAGS) 37 | 38 | %.o:%.c 39 | $(CROSS_COMPILE)$(CC) -o $@ $(CFLAGS) -c $< $(INC) -Werror 40 | 41 | install: 42 | install -m 755 mkbootfs$(EXT) $(PREFIX)/bin 43 | 44 | clean: 45 | $(RM) mkbootfs 46 | $(RM) *.a *.~ *.exe *.o 47 | -------------------------------------------------------------------------------- /NOTICE: -------------------------------------------------------------------------------- 1 | Copyright 2008, The Android Open Source Project 2 | 3 | Redistribution and use in source and binary forms, with or without 4 | modification, are permitted provided that the following conditions are met: 5 | * Redistributions of source code must retain the above copyright 6 | notice, this list of conditions and the following disclaimer. 7 | * Redistributions in binary form must reproduce the above copyright 8 | notice, this list of conditions and the following disclaimer in the 9 | documentation and/or other materials provided with the distribution. 10 | * Neither the name of Google Inc. nor the names of its contributors may 11 | be used to endorse or promote products derived from this software 12 | without specific prior written permission. 13 | 14 | THIS SOFTWARE IS PROVIDED BY Google Inc. ``AS IS'' AND ANY EXPRESS OR 15 | IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 16 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO 17 | EVENT SHALL Google Inc. 
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 18 | SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 19 | PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; 20 | OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 21 | WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 22 | OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF 23 | ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 | -------------------------------------------------------------------------------- /private/android_filesystem_capability.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2013 The Android Open Source Project 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | /* 18 | * Taken from linux/capability.h, with minor modifications 19 | */ 20 | 21 | #ifndef _SYSTEM_CORE_INCLUDE_PRIVATE_ANDROID_FILESYSTEM_CAPABILITY_H 22 | #define _SYSTEM_CORE_INCLUDE_PRIVATE_ANDROID_FILESYSTEM_CAPABILITY_H 23 | 24 | #include 25 | 26 | #define __user 27 | #define __u32 uint32_t 28 | #define __le32 uint32_t 29 | 30 | #define _LINUX_CAPABILITY_VERSION_1 0x19980330 31 | #define _LINUX_CAPABILITY_U32S_1 1 32 | #define _LINUX_CAPABILITY_VERSION_2 0x20071026 33 | #define _LINUX_CAPABILITY_U32S_2 2 34 | #define _LINUX_CAPABILITY_VERSION_3 0x20080522 35 | #define _LINUX_CAPABILITY_U32S_3 2 36 | 37 | typedef struct __user_cap_header_struct { 38 | __u32 version; 39 | int pid; 40 | } __user *cap_user_header_t; 41 | 42 | typedef struct __user_cap_data_struct { 43 | __u32 effective; 44 | __u32 permitted; 45 | __u32 inheritable; 46 | } __user *cap_user_data_t; 47 | 48 | #define VFS_CAP_REVISION_MASK 0xFF000000 49 | #define VFS_CAP_REVISION_SHIFT 24 50 | #define VFS_CAP_FLAGS_MASK ~VFS_CAP_REVISION_MASK 51 | #define VFS_CAP_FLAGS_EFFECTIVE 0x000001 52 | #define VFS_CAP_REVISION_1 0x01000000 53 | #define VFS_CAP_U32_1 1 54 | #define XATTR_CAPS_SZ_1 (sizeof(__le32)*(1 + 2*VFS_CAP_U32_1)) 55 | #define VFS_CAP_REVISION_2 0x02000000 56 | #define VFS_CAP_U32_2 2 57 | #define XATTR_CAPS_SZ_2 (sizeof(__le32)*(1 + 2*VFS_CAP_U32_2)) 58 | #define XATTR_CAPS_SZ XATTR_CAPS_SZ_2 59 | #define VFS_CAP_U32 VFS_CAP_U32_2 60 | #define VFS_CAP_REVISION VFS_CAP_REVISION_2 61 | 62 | struct vfs_cap_data { 63 | __le32 magic_etc; 64 | struct { 65 | __le32 permitted; 66 | __le32 inheritable; 67 | } data[VFS_CAP_U32]; 68 | }; 69 | 70 | #define _LINUX_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_1 71 | #define _LINUX_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_1 72 | #define CAP_CHOWN 0 73 | #define CAP_DAC_OVERRIDE 1 74 | #define CAP_DAC_READ_SEARCH 2 75 | #define CAP_FOWNER 3 76 | #define CAP_FSETID 4 77 | #define CAP_KILL 5 78 | #define CAP_SETGID 6 79 | #define 
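CAP_SETUID 7 80 | #define CAP_SETPCAP 8 81 | #define CAP_LINUX_IMMUTABLE 9 82 | #define CAP_NET_BIND_SERVICE 10 83 | #define CAP_NET_BROADCAST 11 84 | #define CAP_NET_ADMIN 12 85 | #define CAP_NET_RAW 13 86 | #define CAP_IPC_LOCK 14 87 | #define CAP_IPC_OWNER 15 88 | #define CAP_SYS_MODULE 16 89 | #define CAP_SYS_RAWIO 17 90 | #define CAP_SYS_CHROOT 18 91 | #define CAP_SYS_PTRACE 19 92 | #define CAP_SYS_PACCT 20 93 | #define CAP_SYS_ADMIN 21 94 | #define CAP_SYS_BOOT 22 95 | #define CAP_SYS_NICE 23 96 | #define CAP_SYS_RESOURCE 24 97 | #define CAP_SYS_TIME 25 98 | #define CAP_SYS_TTY_CONFIG 26 99 | #define CAP_MKNOD 27 100 | #define CAP_LEASE 28 101 | #define CAP_AUDIT_WRITE 29 102 | #define CAP_AUDIT_CONTROL 30 103 | #define CAP_SETFCAP 31 104 | #define CAP_MAC_OVERRIDE 32 105 | #define CAP_MAC_ADMIN 33 106 | #define CAP_SYSLOG 34 107 | #define CAP_WAKE_ALARM 35 108 | #define CAP_BLOCK_SUSPEND 36 109 | #define CAP_AUDIT_READ 37 110 | #define CAP_LAST_CAP CAP_AUDIT_READ 111 | #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP) 112 | #define CAP_TO_INDEX(x) ((x) >> 5) 113 | #define CAP_TO_MASK(x) (1 << ((x) & 31)) 114 | 115 | #undef __user 116 | #undef __u32 117 | #undef __le32 118 | 119 | #endif 120 | -------------------------------------------------------------------------------- /mkbootfs.c: --------------------------------------------------------------------------------

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <ctype.h>

#include <sys/types.h>
#include <sys/stat.h>
#include <dirent.h>

#include <stdarg.h>
#include <fcntl.h>

#include <errno.h>
#include <stdint.h>

#include <private/android_filesystem_config.h>

/* NOTES
**
** - see buffer-format.txt from the linux kernel docs for
**   an explanation of this file format
** - directories named 'root' are ignored
** - device nodes, pipes, etc are not supported (error)
** - path lengths, file sizes, symlink targets and canned-config lines
**   are validated before use; a violation ends the run through die()
**   instead of overrunning a buffer or dereferencing NULL
*/

/*
 * Print "error: <formatted message>" to stderr and exit with status 1.
 * Never returns.
 */
void die(const char *why, ...)
{
    va_list ap;

    va_start(ap, why);
    fprintf(stderr, "error: ");
    vfprintf(stderr, why, ap);
    fprintf(stderr, "\n");
    va_end(ap);
    exit(1);
}

/* One line of the canned config given with -f. */
struct fs_config_entry {
    char* name;
    int uid, gid, mode;
};

/* Array terminated by an entry whose name is NULL; NULL when -f was not given. */
static struct fs_config_entry* canned_config = NULL;
static char *target_out_path = NULL;

/* Each line in the canned file should be a path plus three ints (uid,
 * gid, mode). */
#ifdef PATH_MAX
#define CANNED_LINE_LENGTH (PATH_MAX+100)
#else
#define CANNED_LINE_LENGTH (1024)
#endif

#define TRAILER "TRAILER!!!"

/* Size of the two path scratch buffers owned by archive(). Every append
 * in _archive_dir() is checked against this bound. */
#define PATH_BUF_SIZE 8192

/* Largest file size the 8-hex-digit newc size field can carry. */
#define NEWC_MAX_FILESIZE 0xFFFFFFFFu

/* Refuse to follow a symlink at open() time where the platform can. */
#ifdef O_NOFOLLOW
#define ARCHIVE_OPEN_FLAGS (O_RDONLY | O_NOFOLLOW)
#else
#define ARCHIVE_OPEN_FLAGS (O_RDONLY)
#endif

static int verbose = 0;
/* Bytes written so far; unsigned so that wrap-around on huge archives is
 * defined. Only the low bits are used, for padding. */
static unsigned total_size = 0;

/*
 * Overwrite ownership and permission bits of *s with the values configured
 * for archive path `path`: from the canned config when one was loaded with
 * -f, otherwise from the compiled-in fs_config() tables. The file-type
 * bits of st_mode are kept.
 */
static void fix_stat(const char *path, struct stat *s)
{
    uint64_t capabilities;
    if (canned_config) {
        // Use the list of file uid/gid/modes loaded from the file
        // given with -f.

        struct fs_config_entry* empty_path_config = NULL;
        struct fs_config_entry* p;
        for (p = canned_config; p->name; ++p) {
            if (!p->name[0]) {
                empty_path_config = p;
            }
            if (strcmp(p->name, path) == 0) {
                s->st_uid = p->uid;
                s->st_gid = p->gid;
                s->st_mode = p->mode | (s->st_mode & ~07777);
                return;
            }
        }
        // No exact match: fall back to the entry with the empty path.
        // A canned file without one used to be a NULL dereference here.
        if (empty_path_config == NULL) {
            die("no canned config entry for '%s' and no default (empty path) entry",
                path);
        }
        s->st_uid = empty_path_config->uid;
        s->st_gid = empty_path_config->gid;
        s->st_mode = empty_path_config->mode | (s->st_mode & ~07777);
    } else {
        // Use the compiled-in fs_config() function.
        unsigned st_mode = s->st_mode;
        int is_dir = S_ISDIR(s->st_mode) || strcmp(path, TRAILER) == 0;
        fs_config(path, is_dir, target_out_path, &s->st_uid, &s->st_gid, &st_mode, &capabilities);
        s->st_mode = (mode_t) st_mode;
    }
}

/*
 * Write one newc cpio record to stdout: 4-byte alignment padding, the
 * 110-byte ASCII header, the NUL-terminated name `out` (olen bytes long),
 * padding again, then `datasize` bytes of `data`.
 *
 * uid, gid, mtime and the device numbers are written as 0 and nlink as 1;
 * only the mode (after fix_stat) is taken from *s. Inode numbers are
 * synthetic.
 */
static void _eject(struct stat *s, char *out, int olen, char *data, unsigned datasize)
{
    // Nothing is special about this value, just picked something in the
    // approximate range that was being used already, and avoiding small
    // values which may be special.
    static unsigned next_inode = 300000;

    // The header's name-size field is derived from olen, so a mismatch
    // would corrupt the archive. Check before anything is written.
    if(strlen(out) != (unsigned int)olen) die("ACK!");

    while(total_size & 3) {
        total_size++;
        putchar(0);
    }

    fix_stat(out, s);
    if(verbose) {
        fprintf(stderr, "_eject %s: mode=0%o\n", out, (unsigned)s->st_mode);
    }

    printf("%06x%08x%08x%08x%08x%08x%08x"
           "%08x%08x%08x%08x%08x%08x%08x%s%c",
           0x070701,
           next_inode++,  //  s.st_ino,
           (unsigned)s->st_mode,
           0, // s.st_uid,
           0, // s.st_gid,
           1, // s.st_nlink,
           0, // s.st_mtime,
           datasize,
           0, // volmajor
           0, // volminor
           0, // devmajor
           0, // devminor,
           olen + 1,
           0,
           out,
           0
           );

    total_size += 6 + 8*13 + olen + 1;

    while(total_size & 3) {
        total_size++;
        putchar(0);
    }

    if(datasize) {
        // A short write would leave a truncated ramdisk behind.
        if(fwrite(data, datasize, 1, stdout) != 1) {
            die("failed to write data for '%s'", out);
        }
        total_size += datasize;
    }
}

/* Write the terminating "TRAILER!!!" record and pad the archive with NUL
 * bytes to a multiple of 256 bytes. */
static void _eject_trailer()
{
    struct stat s;
    memset(&s, 0, sizeof(s));
    _eject(&s, TRAILER, (int)(sizeof(TRAILER) - 1), 0, 0);

    while(total_size & 0xff) {
        total_size++;
        putchar(0);
    }
}

static void _archive(char *in, char *out, int ilen, int olen);

/* qsort comparator: order two char* elements with strcmp. */
static int compare(const void* a, const void* b) {
    return strcmp(*(const char**)a, *(const char**)b);
}

/*
 * Archive every entry of directory `in` in strcmp order, skipping ".",
 * ".." and "root".
 *
 * `in` and `out` are the PATH_BUF_SIZE scratch buffers owned by archive().
 * They hold the current source path (ilen bytes) and archive path (olen
 * bytes); each entry name is appended in place for the recursive call and
 * removed again afterwards.
 */
static void _archive_dir(char *in, char *out, int ilen, int olen)
{
    int i;
    DIR *d;
    struct dirent *de;

    if(verbose) {
        fprintf(stderr,"_archive_dir('%s','%s',%d,%d)\n",
                in, out, ilen, olen);
    }

    d = opendir(in);
    if(d == 0) die("cannot open directory '%s'", in);

    int size = 32;
    int entries = 0;
    char** names = malloc(size * sizeof(char*));
    if (names == NULL) {
        fprintf(stderr, "failed to allocate dir names array (size %d)\n", size);
        exit(1);
    }

    while((de = readdir(d)) != 0){
            /* xxx: hack. use a real exclude list */
        if(!strcmp(de->d_name, ".")) continue;
        if(!strcmp(de->d_name, "..")) continue;
        if(!strcmp(de->d_name, "root")) continue;

        if (entries >= size) {
            size *= 2;
            char** grown = realloc(names, size * sizeof(char*));
            if (grown == NULL) {
                fprintf(stderr, "failed to reallocate dir names array (size %d)\n",
                        size);
                exit(1);
            }
            names = grown;
        }
        names[entries] = strdup(de->d_name);
        if (names[entries] == NULL) {
            fprintf(stderr, "failed to strdup name \"%s\"\n",
                    de->d_name);
            exit(1);
        }
        ++entries;
    }

    // All names are copied, so the handle can go before recursing. This
    // keeps at most one directory open however deep the tree is.
    closedir(d);

    qsort(names, entries, sizeof(char*), compare);

    for (i = 0; i < entries; ++i) {
        size_t t = strlen(names[i]);

        // '/' + name + NUL must fit in both scratch buffers. Without this
        // check a deep or long-named tree overruns archive()'s stack
        // buffers.
        if ((size_t)ilen + t + 2 > PATH_BUF_SIZE ||
            (size_t)olen + t + 2 > PATH_BUF_SIZE) {
            die("path too long: '%s/%s'", in, names[i]);
        }

        in[ilen] = '/';
        memcpy(in + ilen + 1, names[i], t + 1);

        if(olen > 0) {
            out[olen] = '/';
            memcpy(out + olen + 1, names[i], t + 1);
            _archive(in, out, ilen + (int)t + 1, olen + (int)t + 1);
        } else {
            memcpy(out, names[i], t + 1);
            _archive(in, out, ilen + (int)t + 1, (int)t);
        }

        in[ilen] = 0;
        out[olen] = 0;

        free(names[i]);
    }
    free(names);
}

/*
 * Archive the single filesystem object at `in` under archive name `out`:
 * regular files with their content, directories recursively, symlinks
 * with their target as data. Any other file type is an error.
 */
static void _archive(char *in, char *out, int ilen, int olen)
{
    struct stat s;

    if(verbose) {
        fprintf(stderr,"_archive('%s','%s',%d,%d)\n",
                in, out, ilen, olen);
    }

    if(lstat(in, &s)) die("could not stat '%s'\n", in);

    if(S_ISREG(s.st_mode)){
        char *tmp;
        int fd;
        size_t size;
        size_t got = 0;

        fd = open(in, ARCHIVE_OPEN_FLAGS);
        if(fd < 0) die("cannot open '%s' for read", in);

        // Re-stat through the descriptor so that type and size describe
        // the object that was opened, not whatever the path named at
        // lstat() time.
        if(fstat(fd, &s) || !S_ISREG(s.st_mode)) {
            die("'%s' changed while being archived", in);
        }
        if(s.st_size < 0 || (uintmax_t)s.st_size > NEWC_MAX_FILESIZE) {
            die("'%s' is too large for a cpio entry", in);
        }
        size = (size_t)s.st_size;

        // malloc(0) may return NULL, which is not a failure.
        tmp = malloc(size ? size : 1);
        if(tmp == 0) die("cannot allocate %lu bytes", (unsigned long)size);

        // read() may return less than requested; loop until complete.
        while(got < size) {
            ssize_t r = read(fd, tmp + got, size - got);
            if(r < 0) {
                if(errno == EINTR) continue;
                die("cannot read %lu bytes", (unsigned long)size);
            }
            if(r == 0) die("unexpected end of file in '%s'", in);
            got += (size_t)r;
        }

        _eject(&s, out, olen, tmp, (unsigned)size);

        free(tmp);
        close(fd);
    } else if(S_ISDIR(s.st_mode)) {
        _eject(&s, out, olen, 0, 0);
        _archive_dir(in, out, ilen, olen);
    } else if(S_ISLNK(s.st_mode)) {
        char buf[1024];
        ssize_t size;
        size = readlink(in, buf, sizeof(buf));
        if(size < 0) die("cannot read symlink '%s'", in);
        // readlink() truncates silently; a completely filled buffer
        // cannot be told apart from a truncated target.
        if((size_t)size >= sizeof(buf)) {
            die("symlink target of '%s' is too long", in);
        }
        _eject(&s, out, olen, buf, (unsigned)size);
    } else {
        die("Unknown '%s' (mode %d)?\n", in, (int)s.st_mode);
    }
}

/*
 * Archive the contents of directory `start`, storing every entry under
 * `prefix` in the archive ("" stores them at the archive root).
 * Both strings must be shorter than PATH_BUF_SIZE.
 */
void archive(const char *start, const char *prefix)
{
    char in[PATH_BUF_SIZE];
    char out[PATH_BUF_SIZE];
    size_t ilen = strlen(start);
    size_t olen = strlen(prefix);

    // Both strings come from the command line; an unchecked strcpy()
    // here overflowed the stack buffers.
    if(ilen >= sizeof(in)) die("directory name too long");
    if(olen >= sizeof(out)) die("prefix too long");

    memcpy(in, start, ilen + 1);
    memcpy(out, prefix, olen + 1);

    _archive_dir(in, out, (int)ilen, (int)olen);
}

/*
 * Load the canned config `filename` into canned_config.
 *
 * Each line is "<path> <uid> <gid> <octal mode>". A line that starts with
 * whitespace has no path and becomes the default (empty path) entry.
 * Fields after the mode are ignored. A line with fewer fields ends the
 * run through die().
 */
static void read_canned_config(char* filename)
{
    size_t allocated = 8;
    size_t used = 0;
    int lineno = 0;

    canned_config = malloc(allocated * sizeof(*canned_config));
    if (canned_config == NULL) die("failed to allocate memory");

    char line[CANNED_LINE_LENGTH];
    FILE* f = fopen(filename, "r");
    if (f == NULL) die("failed to open canned file");

    while (fgets(line, sizeof(line), f) != NULL) {
        if (!line[0]) break;
        ++lineno;

        // Keep room for this entry and the terminating one.
        if (used + 1 >= allocated) {
            allocated *= 2;
            struct fs_config_entry* grown =
                realloc(canned_config, allocated * sizeof(*canned_config));
            if (grown == NULL) die("failed to reallocate memory");
            canned_config = grown;
        }

        struct fs_config_entry* cc = canned_config + used;

        // Decide before strtok() starts rewriting the buffer.
        int is_default = isspace((unsigned char)line[0]);

        char* first = strtok(line, " \n");
        char* name_tok = is_default ? "" : first;
        char* uid_tok = is_default ? first : strtok(NULL, " \n");
        char* gid_tok = strtok(NULL, " \n");
        char* mode_tok = strtok(NULL, " \n");

        // strtok() returns NULL for a missing field; passing that on to
        // strdup()/atoi()/strtol() is undefined behaviour.
        if (name_tok == NULL || uid_tok == NULL ||
            gid_tok == NULL || mode_tok == NULL) {
            die("malformed line %d in canned file", lineno);
        }

        cc->name = strdup(name_tok);
        if (cc->name == NULL) die("failed to allocate memory");
        cc->uid = atoi(uid_tok);
        cc->gid = atoi(gid_tok);
        cc->mode = strtol(mode_tok, NULL, 8);
        ++used;
    }
    canned_config[used].name = NULL;

    fclose(f);
}


/*
 * Usage: mkbootfs [-d <target out path>] [-f <canned config>] [-v]
 *                 <dir>[=<prefix>] ...
 *
 * Options are only recognised in the order shown. The archive is written
 * to stdout.
 */
int main(int argc, char *argv[])
{
    argc--;
    argv++;

    if (argc > 1 && strcmp(argv[0], "-d") == 0) {
        target_out_path = argv[1];
        argc -= 2;
        argv += 2;
    }

    if (argc > 1 && strcmp(argv[0], "-f") == 0) {
        read_canned_config(argv[1]);
        argc -= 2;
        argv += 2;
    }

    if (argc > 1 && strcmp(argv[0], "-v") == 0) {
        verbose = 1;
        argc -= 1;
        argv += 1;
    }

    if(argc == 0) die("no directories to process?!");

    while(argc-- > 0){
        char *x = strchr(*argv, '=');
        if(x != 0) {
            *x++ = 0;
        } else {
            x = "";
        }

        archive(*argv, x);

        argv++;
    }

    _eject_trailer();

    // putchar()/printf() errors are sticky on the stream; report them
    // instead of exiting 0 with a truncated archive.
    if(fflush(stdout) != 0 || ferror(stdout)) die("error writing archive");

    return 0;
}

-------------------------------------------------------------------------------- /private/android_filesystem_config.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2007 The Android Open Source Project 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 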
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | /* This file is used to define the properties of the filesystem 18 | ** images generated by build tools (mkbootfs and mkyaffs2image) and 19 | ** by the device side of adb. 20 | */ 21 | 22 | /* 23 | * This file is consumed by build/tools/fs_config and is used 24 | * for generating various files. Anything #define AID_ 25 | * becomes the mapping for getpwnam/getpwuid, etc. The 26 | * field is lowercased. 27 | * For example: 28 | * #define AID_FOO_BAR 6666 becomes a friendly name of "foo_bar" 29 | * 30 | * The above holds true with the exception of: 31 | * mediacodec 32 | * mediaex 33 | * mediadrm 34 | * Whose friendly names do not match the #define statements. 35 | * 36 | * Additionally, AID_OEM_RESERVED_START and AID_OEM_RESERVED_END 37 | * can be used to define reserved OEM ranges used for sanity checks 38 | * during the build process. The rules are, they must end with START/END 39 | * The proper convention is incrementing a number like so: 40 | * AID_OEM_RESERVED_START 41 | * AID_OEM_RESERVED_1_START 42 | * AID_OEM_RESERVED_2_START 43 | * ... 44 | * The same applies to the END. 45 | * They are not required to be in order, but must not overlap each other and 46 | * must define a START and END'ing range. START must be smaller than END. 
47 | */ 48 | 49 | #ifndef _ANDROID_FILESYSTEM_CONFIG_H_ 50 | #define _ANDROID_FILESYSTEM_CONFIG_H_ 51 | 52 | #include 53 | #include 54 | #include 55 | #include 56 | 57 | #if defined(__BIONIC__) 58 | #include 59 | #else 60 | #include "android_filesystem_capability.h" 61 | #endif 62 | 63 | #define CAP_MASK_LONG(cap_name) (1ULL << (cap_name)) 64 | 65 | /* This is the master Users and Groups config for the platform. 66 | * DO NOT EVER RENUMBER 67 | */ 68 | 69 | #define AID_ROOT 0 /* traditional unix root user */ 70 | 71 | #define AID_SYSTEM 1000 /* system server */ 72 | 73 | #define AID_RADIO 1001 /* telephony subsystem, RIL */ 74 | #define AID_BLUETOOTH 1002 /* bluetooth subsystem */ 75 | #define AID_GRAPHICS 1003 /* graphics devices */ 76 | #define AID_INPUT 1004 /* input devices */ 77 | #define AID_AUDIO 1005 /* audio devices */ 78 | #define AID_CAMERA 1006 /* camera devices */ 79 | #define AID_LOG 1007 /* log devices */ 80 | #define AID_COMPASS 1008 /* compass device */ 81 | #define AID_MOUNT 1009 /* mountd socket */ 82 | #define AID_WIFI 1010 /* wifi subsystem */ 83 | #define AID_ADB 1011 /* android debug bridge (adbd) */ 84 | #define AID_INSTALL 1012 /* group for installing packages */ 85 | #define AID_MEDIA 1013 /* mediaserver process */ 86 | #define AID_DHCP 1014 /* dhcp client */ 87 | #define AID_SDCARD_RW 1015 /* external storage write access */ 88 | #define AID_VPN 1016 /* vpn system */ 89 | #define AID_KEYSTORE 1017 /* keystore subsystem */ 90 | #define AID_USB 1018 /* USB devices */ 91 | #define AID_DRM 1019 /* DRM server */ 92 | #define AID_MDNSR 1020 /* MulticastDNSResponder (service discovery) */ 93 | #define AID_GPS 1021 /* GPS daemon */ 94 | #define AID_UNUSED1 1022 /* deprecated, DO NOT USE */ 95 | #define AID_MEDIA_RW 1023 /* internal media storage write access */ 96 | #define AID_MTP 1024 /* MTP USB driver access */ 97 | #define AID_UNUSED2 1025 /* deprecated, DO NOT USE */ 98 | #define AID_DRMRPC 1026 /* group for drm rpc */ 99 | #define AID_NFC 
1027 /* nfc subsystem */ 100 | #define AID_SDCARD_R 1028 /* external storage read access */ 101 | #define AID_CLAT 1029 /* clat part of nat464 */ 102 | #define AID_LOOP_RADIO 1030 /* loop radio devices */ 103 | #define AID_MEDIA_DRM 1031 /* MediaDrm plugins */ 104 | #define AID_PACKAGE_INFO 1032 /* access to installed package details */ 105 | #define AID_SDCARD_PICS 1033 /* external storage photos access */ 106 | #define AID_SDCARD_AV 1034 /* external storage audio/video access */ 107 | #define AID_SDCARD_ALL 1035 /* access all users external storage */ 108 | #define AID_LOGD 1036 /* log daemon */ 109 | #define AID_SHARED_RELRO 1037 /* creator of shared GNU RELRO files */ 110 | #define AID_DBUS 1038 /* dbus-daemon IPC broker process */ 111 | #define AID_TLSDATE 1039 /* tlsdate unprivileged user */ 112 | #define AID_MEDIA_EX 1040 /* mediaextractor process */ 113 | #define AID_AUDIOSERVER 1041 /* audioserver process */ 114 | #define AID_METRICS_COLL 1042 /* metrics_collector process */ 115 | #define AID_METRICSD 1043 /* metricsd process */ 116 | #define AID_WEBSERV 1044 /* webservd process */ 117 | #define AID_DEBUGGERD 1045 /* debuggerd unprivileged user */ 118 | #define AID_MEDIA_CODEC 1046 /* mediacodec process */ 119 | #define AID_CAMERASERVER 1047 /* cameraserver process */ 120 | #define AID_FIREWALL 1048 /* firewalld process */ 121 | #define AID_TRUNKS 1049 /* trunksd process (TPM daemon) */ 122 | #define AID_NVRAM 1050 /* Access-controlled NVRAM */ 123 | #define AID_DNS 1051 /* DNS resolution daemon (system: netd) */ 124 | #define AID_DNS_TETHER 1052 /* DNS resolution daemon (tether: dnsmasq) */ 125 | #define AID_WEBVIEW_ZYGOTE 1053 /* WebView zygote process */ 126 | #define AID_VEHICLE_NETWORK 1054 /* Vehicle network service */ 127 | #define AID_MEDIA_AUDIO 1055 /* GID for audio files on internal media storage */ 128 | #define AID_MEDIA_VIDEO 1056 /* GID for video files on internal media storage */ 129 | #define AID_MEDIA_IMAGE 1057 /* GID for image files on 
internal media storage */ 130 | #define AID_TOMBSTONED 1058 /* tombstoned user */ 131 | #define AID_MEDIA_OBB 1059 /* GID for OBB files on internal media storage */ 132 | #define AID_ESE 1060 /* embedded secure element (eSE) subsystem */ 133 | #define AID_OTA_UPDATE 1061 /* resource tracking UID for OTA updates */ 134 | #define AID_AUTOMOTIVE_EVS 1062 /* Automotive rear and surround view system */ 135 | /* Changes to this file must be made in AOSP, *not* in internal branches. */ 136 | 137 | #define AID_THEMEMAN 1300 /* theme manager */ 138 | #define AID_AUDIT 1301 /* audit daemon */ 139 | 140 | #define AID_SHELL 2000 /* adb and debug shell user */ 141 | #define AID_CACHE 2001 /* cache access */ 142 | #define AID_DIAG 2002 /* access to diagnostic resources */ 143 | 144 | /* The range 2900-2999 is reserved for OEM, and must never be 145 | * used here */ 146 | #define AID_OEM_RESERVED_START 2900 147 | 148 | #if !defined(QCOM_LEGACY_UIDS) 149 | #define AID_QCOM_DIAG 2950 /* access to QTI diagnostic resources */ 150 | #define AID_RFS 2951 /* Remote Filesystem for peripheral processors */ 151 | #define AID_RFS_SHARED 2952 /* Shared files for Remote Filesystem for peripheral processors */ 152 | #endif 153 | 154 | #define AID_OEM_RESERVED_END 2999 155 | 156 | /* The 3000 series are intended for use as supplemental group id's only. 157 | * They indicate special Android capabilities that the kernel is aware of. */ 158 | #define AID_NET_BT_ADMIN 3001 /* bluetooth: create any socket */ 159 | #define AID_NET_BT 3002 /* bluetooth: create sco, rfcomm or l2cap sockets */ 160 | #define AID_INET 3003 /* can create AF_INET and AF_INET6 sockets */ 161 | #define AID_NET_RAW 3004 /* can create raw INET sockets */ 162 | #define AID_NET_ADMIN 3005 /* can configure interfaces and routing tables. 
*/ 163 | #define AID_NET_BW_STATS 3006 /* read bandwidth statistics */ 164 | #define AID_NET_BW_ACCT 3007 /* change bandwidth statistics accounting */ 165 | #define AID_NET_BT_STACK 3008 /* bluetooth: access config files */ 166 | #define AID_READPROC 3009 /* Allow /proc read access */ 167 | #define AID_WAKELOCK 3010 /* Allow system wakelock read/write access */ 168 | #if defined(QCOM_LEGACY_UIDS) 169 | #define AID_QCOM_ONCRPC 3011 /* can read/write /dev/oncrpc files */ 170 | #define AID_QCOM_DIAG 3012 /* can read/write /dev/diag */ 171 | #elif defined(QCOM_UIDS) 172 | #define AID_SENSORS 3011 /* access to /dev/socket/sensor_ctl_socket & QCCI/QCSI */ 173 | #define AID_IMS 3012 /* can read/write /dev/socket/imsrtp */ 174 | 175 | #define AID_RFS_OLD 3013 /* DEPRECATED OLD ID FOR RFS, DO NOT USE */ 176 | #define AID_RFS_SHARED_OLD 3014 /* DEPRECATED OLD ID FOR RFS-SHARED */ 177 | #else 178 | #define AID_UHID 3011 /* Allow read/write to /dev/uhid node */ 179 | #endif 180 | 181 | /* The range 5000-5999 is also reserved for OEM, and must never be used here. */ 182 | #define AID_OEM_RESERVED_2_START 5000 183 | #define AID_OEM_RESERVED_2_END 5999 184 | 185 | #if defined(MOTOROLA_UIDS) 186 | #define AID_MOT_OSH 5000 /* OSH */ 187 | #define AID_MOT_ACCY 9000 /* access to accessory */ 188 | #define AID_MOT_PWRIC 9001 /* power IC */ 189 | #define AID_MOT_USB 9002 /* mot usb */ 190 | #define AID_MOT_DRM 9003 /* can access DRM resource. 
*/ 191 | #define AID_MOT_TCMD 9004 /* mot_tcmd */ 192 | #define AID_MOT_SEC_RTC 9005 /* mot cpcap rtc */ 193 | #define AID_MOT_TOMBSTONE 9006 194 | #define AID_MOT_TPAPI 9007 /* mot_tpapi */ 195 | #define AID_MOT_SECCLKD 9008 /* mot_secclkd */ 196 | #define AID_MOT_WHISPER 9009 /* Whisper Protocol access */ 197 | #define AID_MOT_CAIF 9010 /* can create CAIF sockets */ 198 | #define AID_MOT_DLNA 9011 /* DLNA native */ 199 | #endif // MOTOROLA_UIDS 200 | 201 | #define AID_EVERYBODY 9997 /* shared between all apps in the same profile */ 202 | #define AID_MISC 9998 /* access to misc storage */ 203 | #define AID_NOBODY 9999 204 | 205 | #define AID_APP 10000 /* TODO: switch users over to AID_APP_START */ 206 | #define AID_APP_START 10000 /* first app user */ 207 | #define AID_APP_END 19999 /* last app user */ 208 | 209 | #define AID_CACHE_GID_START 20000 /* start of gids for apps to mark cached data */ 210 | #define AID_CACHE_GID_END 29999 /* end of gids for apps to mark cached data */ 211 | 212 | #define AID_EXT_GID_START 30000 /* start of gids for apps to mark external data */ 213 | #define AID_EXT_GID_END 39999 /* end of gids for apps to mark external data */ 214 | 215 | #define AID_EXT_CACHE_GID_START 40000 /* start of gids for apps to mark external cached data */ 216 | #define AID_EXT_CACHE_GID_END 49999 /* end of gids for apps to mark external cached data */ 217 | 218 | #define AID_SHARED_GID_START 50000 /* start of gids for apps in each user to share */ 219 | #define AID_SHARED_GID_END 59999 /* end of gids for apps in each user to share */ 220 | 221 | #define AID_ISOLATED_START 99000 /* start of uids for fully isolated sandboxed processes */ 222 | #define AID_ISOLATED_END 99999 /* end of uids for fully isolated sandboxed processes */ 223 | 224 | #define AID_USER 100000 /* TODO: switch users over to AID_USER_OFFSET */ 225 | #define AID_USER_OFFSET 100000 /* offset for uid ranges for each user */ 226 | 227 | /* 228 | * android_ids has moved to pwd/grp functionality. 
229 | * If you need to add one, the structure is now 230 | * auto-generated based on the AID_ constraints 231 | * documented at the top of this header file. 232 | * Also see build/tools/fs_config for more details. 233 | */ 234 | 235 | #if !defined(EXCLUDE_FS_CONFIG_STRUCTURES) 236 | 237 | struct fs_path_config { 238 | unsigned mode; 239 | unsigned uid; 240 | unsigned gid; 241 | uint64_t capabilities; 242 | const char *prefix; 243 | }; 244 | 245 | /* Rules for directories. 246 | ** These rules are applied based on "first match", so they 247 | ** should start with the most specific path and work their 248 | ** way up to the root. 249 | */ 250 | 251 | static const struct fs_path_config android_dirs[] = { 252 | /* clang-format off */ 253 | 254 | /* Magisk ramdisk special directories */ 255 | { 00000, AID_ROOT, AID_ROOT, 0, ".backup" }, 256 | { 00750, AID_ROOT, AID_ROOT, 0, "overlay/sbin" }, 257 | { 00000, AID_ROOT, AID_ROOT, 0, "overlay" }, 258 | 259 | /* SuperSU ramdisk special directories */ 260 | { 00000, AID_ROOT, AID_ROOT, 0, ".subackup" }, 261 | { 00000, AID_ROOT, AID_ROOT, 0, ".sufrp" }, 262 | { 00000, AID_ROOT, AID_ROOT, 0, "boot/.sufrp" }, 263 | { 00771, AID_SYSTEM, AID_SYSTEM, 0, "boot/bt_firmware" }, 264 | { 00500, AID_ROOT, AID_ROOT, 0, "boot/config" }, 265 | { 00771, AID_SYSTEM, AID_SYSTEM, 0, "boot/data" }, 266 | { 00755, AID_ROOT, AID_SYSTEM, 0, "boot/mnt" }, 267 | { 00750, AID_ROOT, AID_SHELL, 0, "boot/sbin" }, 268 | { 00751, AID_ROOT, AID_SDCARD_R, 0, "boot/storage" }, 269 | { 00755, AID_ROOT, AID_SHELL, 0, "boot/vendor" }, 270 | { 00755, AID_ROOT, AID_ROOT, 0, "boot" }, 271 | 272 | { 00770, AID_SYSTEM, AID_CACHE, 0, "cache" }, 273 | { 00500, AID_ROOT, AID_ROOT, 0, "config" }, 274 | { 00771, AID_SYSTEM, AID_SYSTEM, 0, "data/app" }, 275 | { 00771, AID_SYSTEM, AID_SYSTEM, 0, "data/app-private" }, 276 | { 00771, AID_SYSTEM, AID_SYSTEM, 0, "data/app-ephemeral" }, 277 | { 00771, AID_ROOT, AID_ROOT, 0, "data/dalvik-cache" }, 278 | { 00771, AID_SYSTEM, 
AID_SYSTEM, 0, "data/data" }, 279 | { 00771, AID_SHELL, AID_SHELL, 0, "data/local/tmp" }, 280 | { 00771, AID_SHELL, AID_SHELL, 0, "data/local" }, 281 | { 00770, AID_DHCP, AID_DHCP, 0, "data/misc/dhcp" }, 282 | { 00771, AID_SHARED_RELRO, AID_SHARED_RELRO, 0, "data/misc/shared_relro" }, 283 | { 01771, AID_SYSTEM, AID_MISC, 0, "data/misc" }, 284 | { 01771, AID_SYSTEM, AID_MISC, 0, "data/misc" }, 285 | { 00775, AID_MEDIA_RW, AID_MEDIA_RW, 0, "data/media/Music" }, 286 | { 00775, AID_MEDIA_RW, AID_MEDIA_RW, 0, "data/media" }, 287 | { 00750, AID_ROOT, AID_SHELL, 0, "data/nativetest" }, 288 | { 00750, AID_ROOT, AID_SHELL, 0, "data/nativetest64" }, 289 | { 00775, AID_ROOT, AID_ROOT, 0, "data/preloads" }, 290 | { 00771, AID_SYSTEM, AID_SYSTEM, 0, "data" }, 291 | { 00755, AID_ROOT, AID_SYSTEM, 0, "mnt" }, 292 | { 00755, AID_ROOT, AID_ROOT, 0, "root" }, 293 | { 00750, AID_ROOT, AID_SHELL, 0, "sbin" }, 294 | { 00777, AID_ROOT, AID_ROOT, 0, "sdcard" }, 295 | { 00751, AID_ROOT, AID_SDCARD_R, 0, "storage" }, 296 | { 00755, AID_ROOT, AID_ROOT, 0, "system/addon.d" }, 297 | { 00755, AID_ROOT, AID_SHELL, 0, "system/bin" }, 298 | { 00755, AID_ROOT, AID_ROOT, 0, "system/etc/ppp" }, 299 | { 00755, AID_ROOT, AID_SHELL, 0, "system/etc" }, 300 | { 00755, AID_ROOT, AID_SHELL, 0, "system/vendor" }, 301 | { 00755, AID_ROOT, AID_SHELL, 0, "system/xbin" }, 302 | { 00755, AID_ROOT, AID_SHELL, 0, "vendor" }, 303 | { 00755, AID_ROOT, AID_ROOT, 0, 0 }, 304 | /* clang-format on */ 305 | }; 306 | 307 | /* Rules for files. 308 | ** These rules are applied based on "first match", so they 309 | ** should start with the most specific path and work their 310 | ** way up to the root. Prefixes ending in * denotes wildcard 311 | ** and will allow partial matches. 
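*/

/*
 * Matching as implemented by fs_config(): a rule without a trailing '*'
 * must equal the whole path. A rule ending in '*' is compared only up to
 * the '*', so it also matches paths in deeper subdirectories (for example
 * "sbin/*" matches "sbin/a/b"). Exact rules that need different values from
 * a wildcard covering them must therefore come first, as they do below.
 */
static const struct fs_path_config android_files[] = {
    /* clang-format off */

    /* Motorola ramdisk special files */
    { 00755, AID_ROOT, AID_ROOT, 0, "init.class_main.sh" },
    { 00400, AID_ROOT, AID_ROOT, 0, "module_hashes" },
    { 00750, AID_ROOT, AID_ROOT, 0, "xbin/qe" },

    /* Magisk ramdisk special files */
    { 00000, AID_ROOT, AID_ROOT, 0, ".backup/.magisk" },
    { 00000, AID_ROOT, AID_ROOT, 0, ".backup/.rmlist" },
    { 00750, AID_ROOT, AID_ROOT, 0, ".backup/init*" },
    { 00755, AID_ROOT, AID_ROOT, 0, "sbin/magisk" },
    { 00750, AID_ROOT, AID_ROOT, 0, "init.magisk.rc" },
    { 00755, AID_ROOT, AID_ROOT, 0, "overlay/sbin/magisk" },
    { 00750, AID_ROOT, AID_SHELL, 0, "overlay/sbin/*" },
    { 00640, AID_ROOT, AID_SHELL, 0, "overlay/fstab.*" },
    { 00750, AID_ROOT, AID_ROOT, 0, "overlay/init.magisk.rc" },
    { 00750, AID_ROOT, AID_SHELL, 0, "overlay/init*" },

    /* SuperSU ramdisk special files */
    { 00640, AID_ROOT, AID_ROOT, 0, ".subackup/0000_fstab.*" },
    { 00640, AID_ROOT, AID_ROOT, 0, ".subackup/0001_fstab.*" },
    { 00750, AID_ROOT, AID_ROOT, 0, ".subackup/0001_init*" },
    { 00750, AID_ROOT, AID_ROOT, 0, ".subackup/0002_init*" },
    { 00750, AID_ROOT, AID_ROOT, 0, ".subackup/0003_init*" },
    { 00755, AID_ROOT, AID_ROOT, 0, ".sufrp/frp_install" },
    { 00700, AID_ROOT, AID_ROOT, 0, "sbin/launch_daemonsu.sh" },
    { 00750, AID_ROOT, AID_ROOT, 0, "init.environ.rc" },
    { 00750, AID_ROOT, AID_ROOT, 0, "init.rc" },
    { 00750, AID_ROOT, AID_ROOT, 0, "init.supersu.rc" },
    { 00755, AID_ROOT, AID_ROOT, 0, "boot/.sufrp/frp_install" },
    { 00700, AID_ROOT, AID_ROOT, 0, "boot/sbin/launch_daemonsu.sh" },
    { 00750, AID_ROOT, AID_SHELL, 0, "boot/sbin/*" },
    { 00640, AID_ROOT, AID_SHELL, 0, "boot/fstab.*" },
    { 00750, AID_ROOT, AID_ROOT, 0, "boot/init.rc" },
    { 00750, AID_ROOT, AID_ROOT, 0, "boot/init.supersu.rc" },
    { 00750, AID_ROOT, AID_ROOT, 0, "boot/init" },
    { 00750, AID_ROOT, AID_SHELL, 0, "boot/init*" },

    { 00750, AID_ROOT, AID_SHELL, 0, "charger*" },
    { 00644, AID_SYSTEM, AID_SYSTEM, 0, "data/app/*" },
    { 00644, AID_SYSTEM, AID_SYSTEM, 0, "data/app-ephemeral/*" },
    { 00644, AID_SYSTEM, AID_SYSTEM, 0, "data/app-private/*" },
    { 00644, AID_APP, AID_APP, 0, "data/data/*" },
    { 00644, AID_MEDIA_RW, AID_MEDIA_RW, 0, "data/media/*" },
    { 00640, AID_ROOT, AID_SHELL, 0, "data/nativetest/tests.txt" },
    { 00640, AID_ROOT, AID_SHELL, 0, "data/nativetest64/tests.txt" },
    { 00750, AID_ROOT, AID_SHELL, 0, "data/nativetest/*" },
    { 00750, AID_ROOT, AID_SHELL, 0, "data/nativetest64/*" },
    { 00600, AID_ROOT, AID_ROOT, 0, "default.prop" },
    { 00600, AID_ROOT, AID_ROOT, 0, "odm/build.prop" },
    { 00600, AID_ROOT, AID_ROOT, 0, "odm/default.prop" },
    { 00750, AID_ROOT, AID_SHELL, 0, "sbin/fs_mgr" },
    { 00755, AID_ROOT, AID_ROOT, 0, "system/addon.d/*" },
    { 00755, AID_ROOT, AID_SHELL, 0, "system/bin/crash_dump32" },
    { 00755, AID_ROOT, AID_SHELL, 0, "system/bin/crash_dump64" },
    { 00755, AID_ROOT, AID_SHELL, 0, "system/bin/debuggerd" },
    { 00750, AID_ROOT, AID_ROOT, 0, "system/bin/install-recovery.sh" },
    { 00700, AID_ROOT, AID_ROOT, 0, "system/bin/secilc" },
    { 00750, AID_ROOT, AID_ROOT, 0, "system/bin/uncrypt" },
    { 00600, AID_ROOT, AID_ROOT, 0, "system/build.prop" },
    { 00550, AID_DHCP, AID_SHELL, 0, "system/etc/dhcpcd/dhcpcd-run-hooks" },
    { 00755, AID_ROOT, AID_SHELL, 0, "system/etc/init.d/*" },
    { 00440, AID_ROOT, AID_SHELL, 0, "system/etc/init.goldfish.rc" },
    { 00550, AID_ROOT, AID_SHELL, 0, "system/etc/init.goldfish.sh" },
    { 00550, AID_ROOT, AID_SHELL, 0, "system/etc/init.ril" },
    { 00555, AID_ROOT, AID_ROOT, 0, "system/etc/ppp/*" },
    { 00555, AID_ROOT, AID_ROOT, 0, "system/etc/rc.*" },
    { 00440, AID_ROOT, AID_ROOT, 0, "system/etc/recovery.img" },
    { 00600, AID_ROOT, AID_ROOT, 0, "system/odm/build.prop" },
    { 00600, AID_ROOT, AID_ROOT, 0, "system/odm/default.prop" },
    { 00444, AID_ROOT, AID_ROOT, 0, "system/odm/etc/fs_config_dirs" },
    { 00444, AID_ROOT, AID_ROOT, 0, "system/odm/etc/fs_config_files" },
    { 00444, AID_ROOT, AID_ROOT, 0, "system/oem/etc/fs_config_dirs" },
    { 00444, AID_ROOT, AID_ROOT, 0, "system/oem/etc/fs_config_files" },
    { 00600, AID_ROOT, AID_ROOT, 0, "system/vendor/build.prop" },
    { 00600, AID_ROOT, AID_ROOT, 0, "system/vendor/default.prop" },
    { 00444, AID_ROOT, AID_ROOT, 0, "system/vendor/etc/fs_config_dirs" },
    { 00444, AID_ROOT, AID_ROOT, 0, "system/vendor/etc/fs_config_files" },
    { 00600, AID_ROOT, AID_ROOT, 0, "vendor/build.prop" },
    { 00600, AID_ROOT, AID_ROOT, 0, "vendor/default.prop" },

    /* the following files are INTENTIONALLY set-uid, but they
     * are NOT included on user builds. */
    /* 06755 sets both the setuid and the setgid bit, owner and group root. */
    { 06755, AID_ROOT, AID_ROOT, 0, "system/xbin/procmem" },

    /* CM's daemonized su doesn't need the setuid bit */
    { 00755, AID_ROOT, AID_SHELL, 0, "system/xbin/su" },

    /* the following files have enhanced capabilities and ARE included
     * in user builds. */
    { 00700, AID_SYSTEM, AID_SHELL, CAP_MASK_LONG(CAP_BLOCK_SUSPEND),
                                    "system/bin/inputflinger" },
    { 00550, AID_LOGD, AID_LOGD, CAP_MASK_LONG(CAP_SYSLOG) |
                                 CAP_MASK_LONG(CAP_AUDIT_CONTROL) |
                                 CAP_MASK_LONG(CAP_SETGID),
                                 "system/bin/logd" },
    { 00750, AID_ROOT, AID_SHELL, CAP_MASK_LONG(CAP_SETUID) |
                                  CAP_MASK_LONG(CAP_SETGID),
                                  "system/bin/run-as" },

    /* Support FIFO scheduling mode in SurfaceFlinger. */
    { 00755, AID_SYSTEM, AID_GRAPHICS, CAP_MASK_LONG(CAP_SYS_NICE),
                                       "system/bin/surfaceflinger" },

    /* Support hostapd administering a network interface. */
    { 00755, AID_WIFI, AID_WIFI, CAP_MASK_LONG(CAP_NET_ADMIN) |
                                 CAP_MASK_LONG(CAP_NET_RAW),
                                 "system/bin/hostapd" },

    /* Support Bluetooth legacy hal accessing /sys/class/rfkill
     * Support RT scheduling in Bluetooth */
    { 00700, AID_BLUETOOTH, AID_BLUETOOTH, CAP_MASK_LONG(CAP_NET_ADMIN) |
                                           CAP_MASK_LONG(CAP_SYS_NICE),
                                           "vendor/bin/hw/android.hardware.bluetooth@1.0-service" },

    /* Support wifi_hal_legacy administering a network interface. */
    { 00755, AID_WIFI, AID_WIFI, CAP_MASK_LONG(CAP_NET_ADMIN) |
                                 CAP_MASK_LONG(CAP_NET_RAW),
                                 "vendor/bin/hw/android.hardware.wifi@1.0-service" },

    /* A non-privileged zygote that spawns
     * isolated processes for web rendering. */
    { 0750, AID_ROOT, AID_ROOT, CAP_MASK_LONG(CAP_SETUID) |
                                CAP_MASK_LONG(CAP_SETGID) |
                                CAP_MASK_LONG(CAP_SETPCAP),
                                "system/bin/webview_zygote32" },
    { 0750, AID_ROOT, AID_ROOT, CAP_MASK_LONG(CAP_SETUID) |
                                CAP_MASK_LONG(CAP_SETGID) |
                                CAP_MASK_LONG(CAP_SETPCAP),
                                "system/bin/webview_zygote64" },

    /* generic defaults */
    { 00755, AID_ROOT, AID_ROOT, 0, "bin/*" },
    { 00640, AID_ROOT, AID_SHELL, 0, "fstab.*" },
    { 00750, AID_ROOT, AID_SHELL, 0, "init*" },
    { 00750, AID_ROOT, AID_SHELL, 0, "sbin/*" },
    { 00755, AID_ROOT, AID_SHELL, 0, "system/bin/*" },
    { 00755, AID_ROOT, AID_ROOT, 0, "system/lib/valgrind/*" },
    { 00755, AID_ROOT, AID_ROOT, 0, "system/lib64/valgrind/*" },
    { 00755, AID_ROOT, AID_SHELL, 0, "system/vendor/bin/*" },
    { 00755, AID_ROOT, AID_SHELL, 0, "system/vendor/xbin/*" },
    { 00755, AID_ROOT, AID_SHELL, 0, "system/xbin/*" },
    { 00755, AID_ROOT, AID_SHELL, 0, "vendor/bin/*" },
    { 00755, AID_ROOT, AID_SHELL, 0, "vendor/xbin/*" },
    /* Catch-all: the null prefix ends the scan in fs_config(), which then
     * applies these values to any file that matched no rule above. */
    { 00644, AID_ROOT, AID_ROOT, 0, 0 },
    /* clang-format on */
};

/**
 * Look up owner, group, permission bits and capabilities for an image path.
 *
 * The rule table (android_dirs or android_files) is scanned in order and the
 * first matching row wins; the final row with a null prefix supplies the
 * defaults when nothing else matches.
 *
 * Directory rules match on a raw string prefix of strlen(prefix) bytes, not
 * on whole path components. File rules must match the full path unless the
 * rule ends in '*', in which case only the text before the '*' is compared.
 *
 * @param path             Path inside the image; one leading '/' is skipped.
 *                         Must not be NULL (it is dereferenced unchecked).
 * @param dir              Non-zero to use android_dirs, zero for android_files.
 * @param target_out_path  Not used by this implementation.
 * @param uid              Out: owner id of the matched rule.
 * @param gid              Out: group id of the matched rule.
 * @param mode             In/out: the low 12 bits (07777) are replaced by the
 *                         rule's mode; all higher bits are kept.
 * @param capabilities     Out: capability mask of the matched rule.
 */
static inline void fs_config(const char* path, int dir, const char* target_out_path,
                             unsigned* uid, unsigned* gid, unsigned* mode, uint64_t* capabilities) {
    const struct fs_path_config* pc;
    size_t plen;

    (void)target_out_path;

    if (path[0] == '/') {
        path++;
    }

    pc = dir ? android_dirs : android_files;
    plen = strlen(path);
    for (; pc->prefix; pc++) {
        /* size_t keeps the length comparisons unsigned on both sides and
         * avoids narrowing strlen()'s result into an int. */
        size_t len = strlen(pc->prefix);
        if (dir) {
            if (plen < len) continue;
            if (!strncmp(pc->prefix, path, len)) break;
            continue;
        }
        /* If name ends in * then allow partial matches.
         * The len > 0 guard keeps an empty prefix from indexing prefix[-1]. */
        if (len > 0 && pc->prefix[len - 1] == '*') {
            if (!strncmp(pc->prefix, path, len - 1)) break;
        } else if (plen == len) {
            if (!strncmp(pc->prefix, path, len)) break;
        }
    }
    /* pc now points at the matched rule, or at the catch-all row. */
    *uid = pc->uid;
    *gid = pc->gid;
    *mode = (*mode & (~07777)) | pc->mode;
    *capabilities = pc->capabilities;

#if 0
    fprintf(stderr,"< '%s' '%s' %d %d %o >\n",
            path, pc->prefix ? pc->prefix : "", *uid, *gid, *mode);
#endif
}

ssize_t fs_config_generate(char *buffer, size_t length, const struct fs_path_config *pc);

#endif /* !defined(EXCLUDE_FS_CONFIG_STRUCTURES) */
#endif

--------------------------------------------------------------------------------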