2 * Copyright (C) 2016 The Android Open Source Project
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
16 const char* optstr = "<1u:g:G:c:s";
18 R"(usage: runconuid [-s] [-u UID] [-g GID] [-G GROUPS] [-c CONTEXT] COMMAND ARGS
20 Run a command in the specified security context, as the specified user,
21 with the specified group membership.
24 -g Group ID by name or numeric value
25 -G List of groups by name or numeric value
27 -u User ID by name or numeric value
34 #include <selinux/selinux.h>
39 #include <sys/ptrace.h>
40 #include <sys/types.h>
44 static uid_t uid = -1;
45 static gid_t gid = -1;
46 static gid_t* groups = nullptr;
47 static size_t ngroups = 0;
48 static char* context = nullptr;
49 static bool setenforce = false;
50 static char** child_argv = nullptr;
52 [[noreturn]] void perror_exit(const char* message) {
58 if (context && setexeccon(context) < 0) {
59 perror_exit("Setting context to failed");
62 if (ngroups && setgroups(ngroups, groups) < 0) {
63 perror_exit("Setting supplementary groups failed.");
66 if (gid != (gid_t) -1 && setresgid(gid, gid, gid) < 0) {
67 perror_exit("Setting group failed.");
70 if (uid != (uid_t) -1 && setresuid(uid, uid, uid) < 0) {
71 perror_exit("Setting user failed.");
74 ptrace(PTRACE_TRACEME, 0, 0, 0);
76 execvp(child_argv[0], child_argv);
77 perror_exit("Failed to execve");
80 uid_t lookup_uid(char* c) {
84 if (sscanf(c, "%d", &u) == 1) {
88 if ((pw = getpwnam(c)) != 0) {
92 perror_exit("Could not resolve user ID by name");
95 gid_t lookup_gid(char* c) {
99 if (sscanf(c, "%d", &g) == 1) {
103 if ((gr = getgrnam(c)) != 0) {
107 perror_exit("Could not resolve group ID by name");
110 void lookup_groups(char* c) {
113 // Count the number of groups
114 for (group = c; *group; group++) {
121 // The last group is not followed by a comma.
124 // Allocate enough space for all of them
125 groups = (gid_t*)calloc(ngroups, sizeof(gid_t));
128 // Fill in the group IDs
129 for (size_t n = 0; n < ngroups; n++) {
130 groups[n] = lookup_gid(group);
131 group += strlen(group) + 1;
135 void parse_arguments(int argc, char** argv) {
138 while ((c = getopt(argc, argv, optstr)) != -1) {
141 uid = lookup_uid(optarg);
144 gid = lookup_gid(optarg);
147 lookup_groups(optarg);
161 child_argv = &argv[optind];
163 if (optind == argc) {
168 int main(int argc, char** argv) {
171 parse_arguments(argc, argv);
175 perror_exit("Could not fork.");
178 if (setenforce && is_selinux_enabled()) {
179 if (security_setenforce(0) < 0) {
180 perror("Couldn't set enforcing status to 0");
188 if (ptrace(PTRACE_ATTACH, child, 0, 0) < 0) {
190 kill(SIGKILL, child);
192 perror_exit("Could not ptrace child.");
195 // Wait for the SIGSTOP
197 if (-1 == wait(&status)) {
198 perror_exit("Could not wait for child SIGSTOP");
201 // Trace all syscalls.
202 ptrace(PTRACE_SETOPTIONS, child, 0, PTRACE_O_TRACESYSGOOD);
205 ptrace(PTRACE_SYSCALL, child, 0, 0);
206 waitpid(child, &status, 0);
208 // Child raises SIGINT after the execve, on the first instruction.
209 if (WIFSTOPPED(status) && WSTOPSIG(status) == SIGTRAP) {
213 // Child did some other syscall.
214 if (WIFSTOPPED(status) && WSTOPSIG(status) & 0x80) {
219 if (WIFEXITED(status)) {
220 exit(WEXITSTATUS(status));
224 if (setenforce && is_selinux_enabled()) {
225 if (security_setenforce(1) < 0) {
226 perror("Couldn't set enforcing status to 1");
230 ptrace(PTRACE_DETACH, child, 0, 0);