Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_core / 4772f1da47bfdad8e0b3e3cdbf1bdc6bda0443b1^! / . / init / util.cpp
commit4772f1da47bfdad8e0b3e3cdbf1bdc6bda0443b1[log] [tgz]
authorTom Cherry <tomcherry@google.com>Tue Jul 30 09:34:41 2019 -0700
committerTom Cherry <tomcherry@google.com>Thu Aug 01 10:54:47 2019 -0700
tree3f40d0bee7fa7394dc09ed9d73f2cd1d9f3d6932
parentc5cf85db23ac8c8a0206e911d73ef1c42ad66ed6 [diff] [blame]
init: check the arguments of builtins during the build

Host init verifier already checks that the names and number of
arguments for builtins are correct, but it can check more.  This
change ensures that property expansions are well formed, and that
arguments that can be parsed on the host are correct.  For example it
checks that UIDs and GIDs exist, that numerical values can be parsed,
and that rlimit strings are correct.

Test: build

Change-Id: Ied8882498a88a9f8324db6b8d1020aeeccc8177b

diff --git a/init/util.cpp b/init/util.cpp
index 169f086..0532375 100644
--- a/init/util.cpp
+++ b/init/util.cpp

@@ -42,6 +42,7 @@
 
 #if defined(__ANDROID__)
 #include <android/api-level.h>
+#include <sys/system_properties.h>
 
 #include "reboot_utils.h"
 #include "selabel.h"
@@ -51,6 +52,7 @@
 #endif
 
 using android::base::boot_clock;
+using android::base::StartsWith;
 using namespace std::literals::string_literals;
 
 namespace android {
@@ -419,6 +421,58 @@
     return true;
 }
 
+Result<void> IsLegalPropertyValue(const std::string& name, const std::string& value) {
+    if (value.size() >= PROP_VALUE_MAX && !StartsWith(name, "ro.")) {
+        return Error() << "Property value too long";
+    }
+
+    if (mbstowcs(nullptr, value.data(), 0) == static_cast<std::size_t>(-1)) {
+        return Error() << "Value is not a UTF8 encoded string";
+    }
+
+    return {};
+}
+
+Result<std::pair<int, std::vector<std::string>>> ParseRestorecon(
+        const std::vector<std::string>& args) {
+    struct flag_type {
+        const char* name;
+        int value;
+    };
+    static const flag_type flags[] = {
+            {"--recursive", SELINUX_ANDROID_RESTORECON_RECURSE},
+            {"--skip-ce", SELINUX_ANDROID_RESTORECON_SKIPCE},
+            {"--cross-filesystems", SELINUX_ANDROID_RESTORECON_CROSS_FILESYSTEMS},
+            {0, 0}};
+
+    int flag = 0;
+    std::vector<std::string> paths;
+
+    bool in_flags = true;
+    for (size_t i = 1; i < args.size(); ++i) {
+        if (android::base::StartsWith(args[i], "--")) {
+            if (!in_flags) {
+                return Error() << "flags must precede paths";
+            }
+            bool found = false;
+            for (size_t j = 0; flags[j].name; ++j) {
+                if (args[i] == flags[j].name) {
+                    flag |= flags[j].value;
+                    found = true;
+                    break;
+                }
+            }
+            if (!found) {
+                return Error() << "bad flag " << args[i];
+            }
+        } else {
+            in_flags = false;
+            paths.emplace_back(args[i]);
+        }
+    }
+    return std::pair(flag, paths);
+}
+
 static void InitAborter(const char* abort_message) {
     // When init forks, it continues to use this aborter for LOG(FATAL), but we want children to
     // simply abort instead of trying to reboot the system.