From 08e98eeb1580ccf40a5ae1bfeb8373af9abaab9d Mon Sep 17 00:00:00 2001 From: topjohnwu Date: Wed, 13 Jun 2018 18:14:23 +0800 Subject: [PATCH] Fail fast when possible --- su_daemon.c | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/su_daemon.c b/su_daemon.c index ea0704c32..cd887d0cf 100644 --- a/su_daemon.c +++ b/su_daemon.c @@ -174,13 +174,13 @@ static struct su_info *get_su_info(unsigned uid) { break; case ROOT_ACCESS_ADB_ONLY: if (info->uid != UID_SHELL) { - LOGE("Root access is disabled for ADB!\n"); + LOGE("Root access limited to ADB only!\n"); info->access = NO_SU_ACCESS; } break; case ROOT_ACCESS_APPS_ONLY: if (info->uid == UID_SHELL) { - LOGE("Root access limited to ADB only!\n"); + LOGE("Root access is disabled for ADB!\n"); info->access = NO_SU_ACCESS; } break; @@ -221,6 +221,13 @@ void su_daemon_receiver(int client, struct ucred *credential) { .pipefd = { -1, -1 } }; + // Fail fast + if (ctx.info->access.policy == DENY && !ctx.info->access.log && !ctx.info->access.notify) { + UNLOCK_UID(); + write_int(client, DENY); + return; + } + // If still not determined, open a pipe and wait for results if (ctx.info->access.policy == QUERY) xpipe2(ctx.pipefd, O_CLOEXEC); @@ -230,10 +237,7 @@ void su_daemon_receiver(int client, struct ucred *credential) { * The parent process will wait for the result and * send the return code back to our client */ - int child = fork(); - if (child < 0) - PLOGE("fork"); - + int child = xfork(); if (child) { // Wait for results if (ctx.pipefd[0] >= 0) { @@ -284,7 +288,7 @@ void su_daemon_receiver(int client, struct ucred *credential) { UNLOCK_UID(); // ack - write_int(client, 1); + write_int(client, 0); // Become session leader xsetsid(); @@ -445,7 +449,11 @@ int su_client_main(int argc, char *argv[]) { } // Wait for acknowledgement from daemon - read_int(socketfd); + if (read_int(socketfd)) { + // Fast fail + fprintf(stderr, "%s\n", strerror(EACCES)); + return DENY; + } if (atty & ATTY_IN) { setup_sighandlers(sighandler);