Add a way to disable run-as at runtime

This change adds the ro.boot.disable_runas system property, that when
set, disables the run-as command. This is done to reduce the surface
area of programs that have file based capabilities in Chrome OS, and
what they can do when running in non-developer mode.

Bug: 31630024
Test: run-as still works in aosp_sailfish
Test: run-as still works in Android in Chrome OS (in developer mode)
Change-Id: Iaf1d6f9ceb65081b7a9e17b9b91d8855e4080133
diff --git a/run-as/Android.mk b/run-as/Android.mk
index 7111fbe..0d0016c 100644
--- a/run-as/Android.mk
+++ b/run-as/Android.mk
@@ -3,6 +3,6 @@
 include $(CLEAR_VARS)
 LOCAL_CFLAGS := -Wall -Werror
 LOCAL_MODULE := run-as
-LOCAL_SHARED_LIBRARIES := libselinux libpackagelistparser libminijail
+LOCAL_SHARED_LIBRARIES := libbase libselinux libpackagelistparser libminijail
 LOCAL_SRC_FILES := run-as.cpp
 include $(BUILD_EXECUTABLE)
diff --git a/run-as/run-as.cpp b/run-as/run-as.cpp
index b27cfad..d005ecf 100644
--- a/run-as/run-as.cpp
+++ b/run-as/run-as.cpp
@@ -28,6 +28,7 @@
 #include <libminijail.h>
 #include <scoped_minijail.h>
 
+#include <android-base/properties.h>
 #include <packagelistparser/packagelistparser.h>
 #include <private/android_filesystem_config.h>
 #include <selinux/android.h>
@@ -40,6 +41,7 @@
 //  The 'run-as' binary is installed with CAP_SETUID and CAP_SETGID file
 //  capabilities, but will check the following:
 //
+//  - that the ro.boot.disable_runas property is not set
 //  - that it is invoked from the 'shell' or 'root' user (abort otherwise)
 //  - that '<package-name>' is the name of an installed and debuggable package
 //  - that the package's data directory is well-formed
@@ -139,6 +141,12 @@
     error(1, 0, "only 'shell' or 'root' users can run this program");
   }
 
+  // Some devices can disable running run-as, such as Chrome OS when running in
+  // non-developer mode.
+  if (android::base::GetBoolProperty("ro.boot.disable_runas", false)) {
+      error(1, 0, "run-as is disabled from the kernel commandline");
+  }
+
   char* pkgname = argv[1];
   int cmd_argv_offset = 2;