Merge changes I2157efc5,Iaf1d6f9c
am: 78522d3676
Change-Id: Icc95f162fffdd3b17daa644c656584c35d3c976d
diff --git a/run-as/Android.bp b/run-as/Android.bp
new file mode 100644
index 0000000..840a43c
--- /dev/null
+++ b/run-as/Android.bp
@@ -0,0 +1,28 @@
+//
+// Copyright (C) 2018 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+cc_binary {
+ name: "run-as",
+ srcs: [
+ "run-as.cpp",
+ ],
+ shared_libs: [
+ "libbase",
+ "libselinux",
+ "libpackagelistparser",
+ "libminijail",
+ ],
+}
diff --git a/run-as/Android.mk b/run-as/Android.mk
deleted file mode 100644
index 7111fbe..0000000
--- a/run-as/Android.mk
+++ /dev/null
@@ -1,8 +0,0 @@
-LOCAL_PATH:= $(call my-dir)
-
-include $(CLEAR_VARS)
-LOCAL_CFLAGS := -Wall -Werror
-LOCAL_MODULE := run-as
-LOCAL_SHARED_LIBRARIES := libselinux libpackagelistparser libminijail
-LOCAL_SRC_FILES := run-as.cpp
-include $(BUILD_EXECUTABLE)
diff --git a/run-as/run-as.cpp b/run-as/run-as.cpp
index b27cfad..d005ecf 100644
--- a/run-as/run-as.cpp
+++ b/run-as/run-as.cpp
@@ -28,6 +28,7 @@
#include <libminijail.h>
#include <scoped_minijail.h>
+#include <android-base/properties.h>
#include <packagelistparser/packagelistparser.h>
#include <private/android_filesystem_config.h>
#include <selinux/android.h>
@@ -40,6 +41,7 @@
// The 'run-as' binary is installed with CAP_SETUID and CAP_SETGID file
// capabilities, but will check the following:
//
+// - that the ro.boot.disable_runas property is not set
// - that it is invoked from the 'shell' or 'root' user (abort otherwise)
// - that '<package-name>' is the name of an installed and debuggable package
// - that the package's data directory is well-formed
@@ -139,6 +141,12 @@
error(1, 0, "only 'shell' or 'root' users can run this program");
}
+ // Some devices can disable running run-as, such as Chrome OS when running in
+ // non-developer mode.
+ if (android::base::GetBoolProperty("ro.boot.disable_runas", false)) {
+ error(1, 0, "run-as is disabled from the kernel commandline");
+ }
+
char* pkgname = argv[1];
int cmd_argv_offset = 2;