前言
- 搞Android应用安全,总会遇到一个概念叫“系统应用”。相比于这个概念,实际上更容易理解的是priv_app、platform_app以及system_app,之前的文章也有介绍这个问题。不过今天这篇文章就是关于系统应用的。
一、系统应用和特权应用到底是什么
- 其实系统应用这个名称,是从英文System App翻译过来的,注意系统应用(System App)这个概念和SELinux标签system_app并没有什么关系。在源码中系统应用指的是带有
FLAG_SYSTEM标记的应用:// frameworks/base/core/java/android/content/pm/ApplicationInfo.java public boolean isSystemApp() { return (flags & ApplicationInfo.FLAG_SYSTEM) != 0; } - 具体哪些应用会带有
FLAG_SYSTEM标记,继续看源码:// frameworks/base/services/core/java/com/android/server/pm/PackageManagerService.java mSettings.addSharedUserLPw("android.uid.system", Process.SYSTEM_UID, ApplicationInfo.FLAG_SYSTEM, ApplicationInfo.PRIVATE_FLAG_PRIVILEGED); mSettings.addSharedUserLPw("android.uid.phone", RADIO_UID, ApplicationInfo.FLAG_SYSTEM, ApplicationInfo.PRIVATE_FLAG_PRIVILEGED); mSettings.addSharedUserLPw("android.uid.log", LOG_UID, ApplicationInfo.FLAG_SYSTEM, ApplicationInfo.PRIVATE_FLAG_PRIVILEGED); mSettings.addSharedUserLPw("android.uid.nfc", NFC_UID, ApplicationInfo.FLAG_SYSTEM, ApplicationInfo.PRIVATE_FLAG_PRIVILEGED); mSettings.addSharedUserLPw("android.uid.bluetooth", BLUETOOTH_UID, ApplicationInfo.FLAG_SYSTEM, ApplicationInfo.PRIVATE_FLAG_PRIVILEGED); mSettings.addSharedUserLPw("android.uid.shell", SHELL_UID, ApplicationInfo.FLAG_SYSTEM, ApplicationInfo.PRIVATE_FLAG_PRIVILEGED); mSettings.addSharedUserLPw("android.uid.se", SE_UID, ApplicationInfo.FLAG_SYSTEM, ApplicationInfo.PRIVATE_FLAG_PRIVILEGED); mSettings.addSharedUserLPw("android.uid.networkstack", NETWORKSTACK_UID, ApplicationInfo.FLAG_SYSTEM, ApplicationInfo.PRIVATE_FLAG_PRIVILEGED); - 可以看出第一部分是具备特权UID的应用,这些应用会成为系统应用。
// frameworks/base/services/core/java/com/android/server/pm/PackageManagerService.java // // Collect vendor/product/system_ext overlay packages. (Do this before scanning // any apps.) // For security and version matching reason, only consider overlay packages if they // reside in the right directory. for (int i = mDirsToScanAsSystem.size() - 1; i >= 0; i--) { final ScanPartition partition = mDirsToScanAsSystem.get(i); if (partition.getOverlayFolder() == null) { continue; } scanDirTracedLI(partition.getOverlayFolder(), systemParseFlags, systemScanFlags | partition.scanFlag, 0, packageParser, executorService); } scanDirTracedLI(frameworkDir, systemParseFlags, systemScanFlags | SCAN_NO_DEX | SCAN_AS_PRIVILEGED, 0, packageParser, executorService); if (!mPackages.containsKey("android")) { throw new IllegalStateException( "Failed to load frameworks package; check log for warnings"); } for (int i = 0, size = mDirsToScanAsSystem.size(); i < size; i++) { final ScanPartition partition = mDirsToScanAsSystem.get(i); if (partition.getPrivAppFolder() != null) { scanDirTracedLI(partition.getPrivAppFolder(), systemParseFlags, systemScanFlags | SCAN_AS_PRIVILEGED | partition.scanFlag, 0, packageParser, executorService); } scanDirTracedLI(partition.getAppFolder(), systemParseFlags, systemScanFlags | partition.scanFlag, 0, packageParser, executorService); } - 对于安装到mDirsToScanAsSystem里面的应用会设置systemScanFlags,这个标记实际上是
SCAN_AS_SYSTEM,该标记仅在PMS内部使用,后续会对应上ApplicationInfo.FLAG_SYSTEMfinal int systemScanFlags = scanFlags | SCAN_AS_SYSTEM; - mDirsToScanAsSystem的来源:
// frameworks/base/services/core/java/com/android/server/pm/PackageManagerService.java /** * The list of all system partitions that may contain packages in ascending order of * specificity (the more generic, the earlier in the list a partition appears). */ @VisibleForTesting(visibility = Visibility.PRIVATE) public static final List<ScanPartition> SYSTEM_PARTITIONS = Collections.unmodifiableList( PackagePartitions.getOrderedPartitions(ScanPartition::new)); //... final List<ScanPartition> scanPartitions = new ArrayList<>(); final List<ApexManager.ActiveApexInfo> activeApexInfos = mApexManager.getActiveApexInfos(); for (int i = 0; i < activeApexInfos.size(); i++) { final ScanPartition scanPartition = resolveApexToScanPartition(activeApexInfos.get(i)); if (scanPartition != null) { scanPartitions.add(scanPartition); } }
mDirsToScanAsSystem = new ArrayList<>();
mDirsToScanAsSystem.addAll(SYSTEM_PARTITIONS);
mDirsToScanAsSystem.addAll(scanPartitions);
- 这个SYSTEM_PARTITIONS最后会追溯到PackagePartitions里面:
```java
// frameworks/base/core/java/android/content/pm/PackagePartitions.java
/**
* The list of all system partitions that may contain packages in ascending order of
* specificity (the more generic, the earlier in the list a partition appears).
*/
private static final ArrayList<SystemPartition> SYSTEM_PARTITIONS =
new ArrayList<>(Arrays.asList(
new SystemPartition(Environment.getRootDirectory(), PARTITION_SYSTEM,
true /* containsPrivApp */, false /* containsOverlay */),
new SystemPartition(Environment.getVendorDirectory(), PARTITION_VENDOR,
true /* containsPrivApp */, true /* containsOverlay */),
new SystemPartition(Environment.getOdmDirectory(), PARTITION_ODM,
true /* containsPrivApp */, true /* containsOverlay */),
new SystemPartition(Environment.getOemDirectory(), PARTITION_OEM,
false /* containsPrivApp */, true /* containsOverlay */),
new SystemPartition(Environment.getProductDirectory(), PARTITION_PRODUCT,
true /* containsPrivApp */, true /* containsOverlay */),
new SystemPartition(Environment.getSystemExtDirectory(), PARTITION_SYSTEM_EXT,
true /* containsPrivApp */, true /* containsOverlay */)));</code></pre>
<ul>
<li>所以系统应用的范围是
<pre><code>/system/framework
/system/app
/system/priv-app
/vendor/app
/vendor/priv-app
/vendor/overlay
/odm/app
/odm/priv-app
/odm/overlay
/oem/app
/oem/overlay
/product/app
/product/priv-app
/product/overlay
/system_ext/app
/system_ext/priv-app
/system_ext/overlay</code></pre></li>
<li>而特权应用的范围是
<pre><code>/system/framework
/system/priv-app
/vendor/priv-app
/odm/priv-app
/product/priv-app
/system_ext/priv-app</code></pre></li>
</ul>
<h2>三、保护广播(protected-broadcast)</h2>
<ul>
<li>讲完了系统应用,来看保护广播的概念,保护广播标签是可以在AndroidManifest.xml中的标签。它的功能是保护特定Action的广播,限制其只能被特定条件的发送者发送,这个广播广泛被Android框架使用。
<pre><code class="language-xml"><protected-broadcast android:name="com.example.action.EXAMPLE" /></code></pre></li>
<li>该标签并不在Android SDK里面,普通三方应用没有使用该标签的意义,下面会进行解释。</li>
<li>谁能发送保护广播?只有7个UID和<code>isPersistent=true</code>的应用可以发送保护广播,详见下面的源代码:
<pre><code class="language-java">
// frameworks/base/services/core/java/com/android/server/am/ActivityManagerService.java</code></pre></li>
</ul>
<p>// Verify that protected broadcasts are only being sent by system code,
// and that system code is only sending protected broadcasts.
final boolean isProtectedBroadcast;
try {
isProtectedBroadcast = AppGlobals.getPackageManager().isProtectedBroadcast(action);
} catch (RemoteException e) {
Slog.w(TAG, "Remote exception", e);
return ActivityManager.BROADCAST_SUCCESS;
}
final boolean isCallerSystem;
switch (UserHandle.getAppId(callingUid)) {
case ROOT_UID:
case SYSTEM_UID:
case PHONE_UID:
case BLUETOOTH_UID:
case NFC_UID:
case SE_UID:
case NETWORK_STACK_UID:
isCallerSystem = true;
break;
default:
isCallerSystem = (callerApp != null) && callerApp.isPersistent();
break;
}
// First line security check before anything else: stop non-system apps from
// sending protected broadcasts.
if (!isCallerSystem) {
if (isProtectedBroadcast) {
String msg = "Permission Denial: not allowed to send broadcast "</p>
<ul>
<li>action + " from pid="</li>
<li>callingPid + ", uid=" + callingUid;
Slog.w(TAG, msg);
throw new SecurityException(msg);
} else if () //...
//...
<pre><code>
- 谁能定义保护广播?这个问题就和CVE-2020-0391漏洞有关了,先看正常的情况:
```java
// frameworks/base/services/core/java/com/android/server/pm/PackageManagerService.java/**
- Applies policy to the parsed package based upon the given policy flags.
- Ensures the package is in a good state.
- <p>
- Implementation detail: This method must NOT have any side effect. It would
- ideally be static, but, it requires locks to read system state.
*/
private static void applyPolicy(ParsedPackage parsedPackage, final @ParseFlags int parseFlags,
final @ScanFlags int scanFlags, AndroidPackage platformPkg,
boolean isUpdatedSystemApp) {
if ((scanFlags & SCAN_AS_SYSTEM) != 0) {
parsedPackage.setSystem(true);
// TODO(b/135203078): Can this be done in PackageParser? Or just inferred when the flag
// is set during parse.
if (parsedPackage.isDirectBootAware()) {
parsedPackage.setAllComponentsDirectBootAware(true);
}
if (compressedFileExists(parsedPackage.getCodePath())) {
parsedPackage.setStub(true);
}
} else {
parsedPackage
// Non system apps cannot mark any broadcast as protected
.clearProtectedBroadcasts()
// non system apps can't be flagged as core
.setCoreApp(false)
// clear flags not applicable to regular apps
.setPersistent(false)
.setDefaultToDeviceProtectedStorage(false)
.setDirectBootAware(false)
// non system apps can't have permission priority
.capPermissionPriorities();
}
//…
}- 可以看出,在(scanFlags & SCAN_AS_SYSTEM) != 0判断的else分支,调用了clearProtectedBroadcasts方法,意思就是,非系统应用不能定义保护广播,那反过来就可以说,只有系统应用才能定义保护广播。
四、CVE-2020-0391的出现
- 讲完了系统应用和保护广播,就可以说说这个漏洞了,它出现在Android 9和Android 10中,Android 8等更早期版本都不存在这个问题,Android 11中修复了此问题。可以看出来这个漏洞是“改出来的”漏洞。
- 漏洞源码如下所示:
/** * Applies policy to the parsed package based upon the given policy flags. * Ensures the package is in a good state. * <p> * Implementation detail: This method must NOT have any side effect. It would * ideally be static, but, it requires locks to read system state. */ private static void applyPolicy(PackageParser.Package pkg, final @ParseFlags int parseFlags, final @ScanFlags int scanFlags, PackageParser.Package platformPkg) { if ((scanFlags & SCAN_AS_SYSTEM) != 0) { //... } else { //... } if ((scanFlags & SCAN_AS_PRIVILEGED) == 0) { // clear protected broadcasts pkg.protectedBroadcasts = null; //... } - 虽然代码已经重构了很多,但是大家还是可以看出来,为什么清除保护广播定义的代码跑到了(scanFlags & SCAN_AS_PRIVILEGED) == 0的条件下了?也就是说,不是特权应用都不能定义保护广播了。
- 其实漏洞就在这里了,OEM们预期的情况是,系统应用都可以定义保护广播,但是Android 9把这个东西改掉了,变成了只有特权应用才可以定义保护广播,上面解释过了特权应用的范围比系统应用小很多,这样会造成非特权的系统应用定义这个标签无效,相应的广播也不会被保护。总结来看以下目录的应用会受到影响:
/vendor/overlay /product/overlay /product_services/overlay /odm/overlay /oem/overlay /system/app /vendor/app /odm/app /oem/app /product/app /product_services/app - 修复当然就是把代码再移回去,只要是SCAN_AS_SYSTEM的都可以定义保护广播。
五、CVE-2020-11164——在CVE-2020-0391实现system命令执行
- 上面讲到,在Android 9和10中,非特权的系统应用,被系统禁止了定义保护广播的能力,那么会造成什么影响呢?可以来看CVE-2020-11164这个漏洞,这个漏洞存在于大部分的高通机型上。
- 漏洞出现在一个名为
Perfdump的系统应用上,路径是/system/app/Perfdump/Perfdump.apk,显然这不是一个特权应用,所以它定义的保护广播会失效,那么它定义了哪些没被保护的保护广播呢?其中之一是:<protected-broadcast android:name="android.perfdump.action.EXT_EXEC_SHELL"/> - 一看这名字就不好了,不会是一个执行代码的功能吧,猜对了,其实真的是这样,而且这个应用还是system uid,也就是说,普通应用可以发一个广播,然后以system的身份执行命令。
Intent intent = new Intent("android.perfdump.action.EXT_EXEC_SHELL"); intent.setClassName("com.qualcomm.qti.perfdump", "com.qualcomm.qti.perfdump.StaticReceiver"); intent.putExtra("callerPackageName", "com.test"); intent.putExtra("shellCommand", <command_to_execute>); sendBroadcast(intent); - 这里再总结一下,这个
Perfdump.apk首先他是一个系统应用,但是他并没有被放在任何一个分区的priv-app目录下,所以在PMS进行包扫描的时候,是不会带上SCAN_AS_PRIVILEGED标签的,在有漏洞的系统上,这个应用所定义的受保护广播会被系统去除,这样一来任何应用都可以发送该广播实现命令执行。
六、总结
- 从这个案例来看Android中对于系统应用、特权应用和system uid的应用的划分还是非常混乱的,我们有以下事实:
- 系统应用是8个特定UID以及放在了系统只读路径下的应用
- 特权应用是放在各个分区下priv-app目录中的应用,和UID、签名无关
- 平台签名应用指的是应用的签名和android包一样的应用,和是否是系统应用、特权应用无关
- system uid的应用指的是共享了android.uid.system的平台签名应用,并且一定是系统应用(因为是那8个UID之一),和是否是特权应用无关
- 这样不良好的设计会给OEM开发者,以及Google自己的开发带来很多困惑,由此也会出现一些逻辑漏洞,这方面的问题值得我们继续关注。