Blame - init/security.cpp - android_system_core

blob: 45a5412bf5ef9f38dcc3c2618dc4a38e904ac391 [file] [log] [blame]

Tom Cherry	0c8d6d2	2017-08-10 12:22:44 -0700	[diff] [blame^]	1	/*
				2	* Copyright (C) 2017 The Android Open Source Project
				3	*
				4	* Licensed under the Apache License, Version 2.0 (the "License");
				5	* you may not use this file except in compliance with the License.
				6	* You may obtain a copy of the License at
				7	*
				8	* http://www.apache.org/licenses/LICENSE-2.0
				9	*
				10	* Unless required by applicable law or agreed to in writing, software
				11	* distributed under the License is distributed on an "AS IS" BASIS,
				12	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
				13	* See the License for the specific language governing permissions and
				14	* limitations under the License.
				15	*/
				16
				17	#include "security.h"
				18
				19	#include <errno.h>
				20	#include <fcntl.h>
				21	#include <unistd.h>
				22
				23	#include <fstream>
				24
				25	#include <android-base/logging.h>
				26	#include <android-base/unique_fd.h>
				27
				28	#include "util.h"
				29
				30	using android::base::unique_fd;
				31
				32	namespace android {
				33	namespace init {
				34
				35	// Writes 512 bytes of output from Hardware RNG (/dev/hw_random, backed
				36	// by Linux kernel's hw_random framework) into Linux RNG's via /dev/urandom.
				37	// Does nothing if Hardware RNG is not present.
				38	//
				39	// Since we don't yet trust the quality of Hardware RNG, these bytes are not
				40	// mixed into the primary pool of Linux RNG and the entropy estimate is left
				41	// unmodified.
				42	//
				43	// If the HW RNG device /dev/hw_random is present, we require that at least
				44	// 512 bytes read from it are written into Linux RNG. QA is expected to catch
				45	// devices/configurations where these I/O operations are blocking for a long
				46	// time. We do not reboot or halt on failures, as this is a best-effort
				47	// attempt.
				48	int MixHwrngIntoLinuxRngAction(const std::vector<std::string>& args) {
				49	unique_fd hwrandom_fd(
				50	TEMP_FAILURE_RETRY(open("/dev/hw_random", O_RDONLY \| O_NOFOLLOW \| O_CLOEXEC)));
				51	if (hwrandom_fd == -1) {
				52	if (errno == ENOENT) {
				53	LOG(INFO) << "/dev/hw_random not found";
				54	// It's not an error to not have a Hardware RNG.
				55	return 0;
				56	}
				57	PLOG(ERROR) << "Failed to open /dev/hw_random";
				58	return -1;
				59	}
				60
				61	unique_fd urandom_fd(
				62	TEMP_FAILURE_RETRY(open("/dev/urandom", O_WRONLY \| O_NOFOLLOW \| O_CLOEXEC)));
				63	if (urandom_fd == -1) {
				64	PLOG(ERROR) << "Failed to open /dev/urandom";
				65	return -1;
				66	}
				67
				68	char buf[512];
				69	size_t total_bytes_written = 0;
				70	while (total_bytes_written < sizeof(buf)) {
				71	ssize_t chunk_size =
				72	TEMP_FAILURE_RETRY(read(hwrandom_fd, buf, sizeof(buf) - total_bytes_written));
				73	if (chunk_size == -1) {
				74	PLOG(ERROR) << "Failed to read from /dev/hw_random";
				75	return -1;
				76	} else if (chunk_size == 0) {
				77	LOG(ERROR) << "Failed to read from /dev/hw_random: EOF";
				78	return -1;
				79	}
				80
				81	chunk_size = TEMP_FAILURE_RETRY(write(urandom_fd, buf, chunk_size));
				82	if (chunk_size == -1) {
				83	PLOG(ERROR) << "Failed to write to /dev/urandom";
				84	return -1;
				85	}
				86	total_bytes_written += chunk_size;
				87	}
				88
				89	LOG(INFO) << "Mixed " << total_bytes_written << " bytes from /dev/hw_random into /dev/urandom";
				90	return 0;
				91	}
				92
				93	static bool SetHighestAvailableOptionValue(std::string path, int min, int max) {
				94	std::ifstream inf(path, std::fstream::in);
				95	if (!inf) {
				96	LOG(ERROR) << "Cannot open for reading: " << path;
				97	return false;
				98	}
				99
				100	int current = max;
				101	while (current >= min) {
				102	// try to write out new value
				103	std::string str_val = std::to_string(current);
				104	std::ofstream of(path, std::fstream::out);
				105	if (!of) {
				106	LOG(ERROR) << "Cannot open for writing: " << path;
				107	return false;
				108	}
				109	of << str_val << std::endl;
				110	of.close();
				111
				112	// check to make sure it was recorded
				113	inf.seekg(0);
				114	std::string str_rec;
				115	inf >> str_rec;
				116	if (str_val.compare(str_rec) == 0) {
				117	break;
				118	}
				119	current--;
				120	}
				121	inf.close();
				122
				123	if (current < min) {
				124	LOG(ERROR) << "Unable to set minimum option value " << min << " in " << path;
				125	return false;
				126	}
				127	return true;
				128	}
				129
				130	#define MMAP_RND_PATH "/proc/sys/vm/mmap_rnd_bits"
				131	#define MMAP_RND_COMPAT_PATH "/proc/sys/vm/mmap_rnd_compat_bits"
				132
				133	// __attribute__((unused)) due to lack of mips support: see mips block in SetMmapRndBitsAction
				134	static bool __attribute__((unused)) SetMmapRndBitsMin(int start, int min, bool compat) {
				135	std::string path;
				136	if (compat) {
				137	path = MMAP_RND_COMPAT_PATH;
				138	} else {
				139	path = MMAP_RND_PATH;
				140	}
				141
				142	return SetHighestAvailableOptionValue(path, min, start);
				143	}
				144
				145	// Set /proc/sys/vm/mmap_rnd_bits and potentially
				146	// /proc/sys/vm/mmap_rnd_compat_bits to the maximum supported values.
				147	// Returns -1 if unable to set these to an acceptable value.
				148	//
				149	// To support this sysctl, the following upstream commits are needed:
				150	//
				151	// d07e22597d1d mm: mmap: add new /proc tunable for mmap_base ASLR
				152	// e0c25d958f78 arm: mm: support ARCH_MMAP_RND_BITS
				153	// 8f0d3aa9de57 arm64: mm: support ARCH_MMAP_RND_BITS
				154	// 9e08f57d684a x86: mm: support ARCH_MMAP_RND_BITS
				155	// ec9ee4acd97c drivers: char: random: add get_random_long()
				156	// 5ef11c35ce86 mm: ASLR: use get_random_long()
				157	int SetMmapRndBitsAction(const std::vector<std::string>& args) {
				158	// values are arch-dependent
				159	#if defined(USER_MODE_LINUX)
				160	// uml does not support mmap_rnd_bits
				161	return 0;
				162	#elif defined(__aarch64__)
				163	// arm64 supports 18 - 33 bits depending on pagesize and VA_SIZE
				164	if (SetMmapRndBitsMin(33, 24, false) && SetMmapRndBitsMin(16, 16, true)) {
				165	return 0;
				166	}
				167	#elif defined(__x86_64__)
				168	// x86_64 supports 28 - 32 bits
				169	if (SetMmapRndBitsMin(32, 32, false) && SetMmapRndBitsMin(16, 16, true)) {
				170	return 0;
				171	}
				172	#elif defined(__arm__) \|\| defined(__i386__)
				173	// check to see if we're running on 64-bit kernel
				174	bool h64 = !access(MMAP_RND_COMPAT_PATH, F_OK);
				175	// supported 32-bit architecture must have 16 bits set
				176	if (SetMmapRndBitsMin(16, 16, h64)) {
				177	return 0;
				178	}
				179	#elif defined(__mips__) \|\| defined(__mips64__)
				180	// TODO: add mips support b/27788820
				181	return 0;
				182	#else
				183	LOG(ERROR) << "Unknown architecture";
				184	#endif
				185
				186	LOG(ERROR) << "Unable to set adequate mmap entropy value!";
				187	panic();
				188	return -1;
				189	}
				190
				191	#define KPTR_RESTRICT_PATH "/proc/sys/kernel/kptr_restrict"
				192	#define KPTR_RESTRICT_MINVALUE 2
				193	#define KPTR_RESTRICT_MAXVALUE 4
				194
				195	// Set kptr_restrict to the highest available level.
				196	//
				197	// Aborts if unable to set this to an acceptable value.
				198	int SetKptrRestrictAction(const std::vector<std::string>& args) {
				199	std::string path = KPTR_RESTRICT_PATH;
				200
				201	if (!SetHighestAvailableOptionValue(path, KPTR_RESTRICT_MINVALUE, KPTR_RESTRICT_MAXVALUE)) {
				202	LOG(ERROR) << "Unable to set adequate kptr_restrict value!";
				203	panic();
				204	}
				205	return 0;
				206	}
				207
				208	} // namespace init
				209	} // namespace android