Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_core / 97400bd86535f2b4ce337c0b160c799c1afeca57 / . / gatekeeperd / gatekeeperd.cpp
blob: 8700c3446348e133b05fedd189742aac7cc75f70 [file] [log] [blame]
Andres Morales2d08dce2015-04-03 16:40:15 -0700[diff] [blame]1/*
2 * Copyright (C) 2015 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#define LOG_TAG "gatekeeperd"
18
19#include "IGateKeeperService.h"
20
Andres Morales6a49c2f2015-04-16 13:16:24 -0700[diff] [blame]21#include <errno.h>
Andres Morales6a49c2f2015-04-16 13:16:24 -0700[diff] [blame]22#include <fcntl.h>
Mark Salyzyn66ce3e02016-09-28 10:07:20 -0700[diff] [blame]23#include <inttypes.h>
24#include <stdint.h>
Andres Morales6a49c2f2015-04-16 13:16:24 -0700[diff] [blame]25#include <unistd.h>
Justin Yun68b0ec62017-08-16 18:54:20 +0900[diff] [blame]26#include <memory>
Andres Morales6a49c2f2015-04-16 13:16:24 -0700[diff] [blame]27
Janis Danisevskisea893982018-11-02 15:27:51 -0700[diff] [blame]28#include <android/security/keystore/IKeystoreService.h>
David Anderson97400bd2019-02-15 15:59:39 -0800[diff] [blame^]29#include <android-base/logging.h>
30#include <android-base/properties.h>
Andres Morales2d08dce2015-04-03 16:40:15 -0700[diff] [blame]31#include <binder/IPCThreadState.h>
32#include <binder/IServiceManager.h>
33#include <binder/PermissionCache.h>
Andres Morales6a49c2f2015-04-16 13:16:24 -0700[diff] [blame]34#include <gatekeeper/password_handle.h> // for password_handle_t
Andres Morales2d08dce2015-04-03 16:40:15 -0700[diff] [blame]35#include <hardware/gatekeeper.h>
Andres Morales6a49c2f2015-04-16 13:16:24 -0700[diff] [blame]36#include <hardware/hw_auth_token.h>
Mark Salyzyn66ce3e02016-09-28 10:07:20 -0700[diff] [blame]37#include <keystore/keystore.h> // For error code
Dmitry Dementyev0dd259c2017-11-14 12:53:39 -0800[diff] [blame]38#include <keystore/keystore_return_types.h>
David Anderson97400bd2019-02-15 15:59:39 -0800[diff] [blame^]39#include <libgsi/libgsi.h>
Mark Salyzyn30f991f2017-01-10 13:19:54 -0800[diff] [blame]40#include <log/log.h>
Mark Salyzyn66ce3e02016-09-28 10:07:20 -0700[diff] [blame]41#include <utils/Log.h>
42#include <utils/String16.h>
Andres Morales2d08dce2015-04-03 16:40:15 -0700[diff] [blame]43
Andres Morales33dfdc72015-05-12 15:37:20 -0700[diff] [blame]44#include "SoftGateKeeperDevice.h"
45
Alexey Polyudov275aece2016-10-18 13:59:26 -0700[diff] [blame]46#include <hidl/HidlSupport.h>
47#include <android/hardware/gatekeeper/1.0/IGatekeeper.h>
48
49using android::sp;
50using android::hardware::gatekeeper::V1_0::IGatekeeper;
51using android::hardware::gatekeeper::V1_0::GatekeeperStatusCode;
52using android::hardware::gatekeeper::V1_0::GatekeeperResponse;
53using android::hardware::Return;
54
Andres Morales2d08dce2015-04-03 16:40:15 -0700[diff] [blame]55namespace android {
56
57static const String16 KEYGUARD_PERMISSION("android.permission.ACCESS_KEYGUARD_SECURE_STORAGE");
58static const String16 DUMP_PERMISSION("android.permission.DUMP");
59
60class GateKeeperProxy : public BnGateKeeperService {
61public:
62 GateKeeperProxy() {
Adrian Rooscb4ed1b2017-04-12 13:03:04 -0700[diff] [blame]63 clear_state_if_needed_done = false;
Chris Phoenixa84ce0c2017-01-24 13:09:39 -0800[diff] [blame]64 hw_device = IGatekeeper::getService();
David Anderson97400bd2019-02-15 15:59:39 -0800[diff] [blame^]65 is_running_gsi = android::base::GetBoolProperty(android::gsi::kGsiBootedProp, false);
Andres Moralesfef908e2015-07-07 10:28:15 -0700[diff] [blame]66
Alexey Polyudov275aece2016-10-18 13:59:26 -0700[diff] [blame]67 if (hw_device == nullptr) {
Andres Morales33dfdc72015-05-12 15:37:20 -0700[diff] [blame]68 ALOGW("falling back to software GateKeeper");
69 soft_device.reset(new SoftGateKeeperDevice());
Andres Morales33dfdc72015-05-12 15:37:20 -0700[diff] [blame]70 }
Andres Morales2d08dce2015-04-03 16:40:15 -0700[diff] [blame]71 }
72
73 virtual ~GateKeeperProxy() {
Andres Morales2d08dce2015-04-03 16:40:15 -0700[diff] [blame]74 }
75
Andres Morales6a49c2f2015-04-16 13:16:24 -0700[diff] [blame]76 void store_sid(uint32_t uid, uint64_t sid) {
77 char filename[21];
George Burgess IVe7aa2b22016-03-02 14:02:55 -0800[diff] [blame]78 snprintf(filename, sizeof(filename), "%u", uid);
Andres Morales6a49c2f2015-04-16 13:16:24 -0700[diff] [blame]79 int fd = open(filename, O_WRONLY | O_TRUNC | O_CREAT, S_IRUSR | S_IWUSR);
80 if (fd < 0) {
Andres Moralesdcb3fbd2015-04-17 09:00:28 -0700[diff] [blame]81 ALOGE("could not open file: %s: %s", filename, strerror(errno));
Andres Morales6a49c2f2015-04-16 13:16:24 -0700[diff] [blame]82 return;
83 }
84 write(fd, &sid, sizeof(sid));
85 close(fd);
86 }
87
Adrian Rooscb4ed1b2017-04-12 13:03:04 -0700[diff] [blame]88 void clear_state_if_needed() {
89 if (clear_state_if_needed_done) {
90 return;
91 }
92
David Anderson97400bd2019-02-15 15:59:39 -0800[diff] [blame^]93 if (mark_cold_boot() && !is_running_gsi) {
Adrian Rooscb4ed1b2017-04-12 13:03:04 -0700[diff] [blame]94 ALOGI("cold boot: clearing state");
95 if (hw_device != nullptr) {
96 hw_device->deleteAllUsers([](const GatekeeperResponse &){});
97 }
98 }
99
100 clear_state_if_needed_done = true;
101 }
102
Andres Morales3c2086d2015-06-24 10:21:16 -0700[diff] [blame]103 bool mark_cold_boot() {
104 const char *filename = ".coldboot";
105 if (access(filename, F_OK) == -1) {
106 int fd = open(filename, O_WRONLY | O_TRUNC | O_CREAT, S_IRUSR | S_IWUSR);
107 if (fd < 0) {
108 ALOGE("could not open file: %s : %s", filename, strerror(errno));
109 return false;
110 }
111 close(fd);
112 return true;
113 }
114 return false;
115 }
116
Andres Morales6a49c2f2015-04-16 13:16:24 -0700[diff] [blame]117 void maybe_store_sid(uint32_t uid, uint64_t sid) {
118 char filename[21];
George Burgess IVe7aa2b22016-03-02 14:02:55 -0800[diff] [blame]119 snprintf(filename, sizeof(filename), "%u", uid);
Andres Morales6a49c2f2015-04-16 13:16:24 -0700[diff] [blame]120 if (access(filename, F_OK) == -1) {
121 store_sid(uid, sid);
122 }
123 }
124
125 uint64_t read_sid(uint32_t uid) {
126 char filename[21];
127 uint64_t sid;
George Burgess IVe7aa2b22016-03-02 14:02:55 -0800[diff] [blame]128 snprintf(filename, sizeof(filename), "%u", uid);
Andres Morales6a49c2f2015-04-16 13:16:24 -0700[diff] [blame]129 int fd = open(filename, O_RDONLY);
130 if (fd < 0) return 0;
131 read(fd, &sid, sizeof(sid));
Andres Morales0b0435e2015-07-10 09:47:09 -0700[diff] [blame]132 close(fd);
Andres Morales6a49c2f2015-04-16 13:16:24 -0700[diff] [blame]133 return sid;
134 }
135
Andres Moralesdcb3fbd2015-04-17 09:00:28 -0700[diff] [blame]136 void clear_sid(uint32_t uid) {
137 char filename[21];
George Burgess IVe7aa2b22016-03-02 14:02:55 -0800[diff] [blame]138 snprintf(filename, sizeof(filename), "%u", uid);
Andres Moralesdcb3fbd2015-04-17 09:00:28 -0700[diff] [blame]139 if (remove(filename) < 0) {
140 ALOGE("%s: could not remove file [%s], attempting 0 write", __func__, strerror(errno));
141 store_sid(uid, 0);
142 }
143 }
144
David Anderson97400bd2019-02-15 15:59:39 -0800[diff] [blame^]145 // This should only be called on uids being passed to the GateKeeper HAL. It ensures that
146 // secure storage shared across a GSI image and a host image will not overlap.
147 uint32_t adjust_uid(uint32_t uid) {
148 static constexpr uint32_t kGsiOffset = 1000000;
149 CHECK(uid < kGsiOffset);
150 CHECK(hw_device != nullptr);
151 if (is_running_gsi) {
152 return uid + kGsiOffset;
153 }
154 return uid;
155 }
156
Andres Moralesae242922015-05-18 09:26:19 -0700[diff] [blame]157 virtual int enroll(uint32_t uid,
Andres Morales2d08dce2015-04-03 16:40:15 -0700[diff] [blame]158 const uint8_t *current_password_handle, uint32_t current_password_handle_length,
159 const uint8_t *current_password, uint32_t current_password_length,
160 const uint8_t *desired_password, uint32_t desired_password_length,
161 uint8_t **enrolled_password_handle, uint32_t *enrolled_password_handle_length) {
162 IPCThreadState* ipc = IPCThreadState::self();
163 const int calling_pid = ipc->getCallingPid();
164 const int calling_uid = ipc->getCallingUid();
165 if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) {
166 return PERMISSION_DENIED;
167 }
168
Adrian Rooscb4ed1b2017-04-12 13:03:04 -0700[diff] [blame]169 // Make sure to clear any state from before factory reset as soon as a credential is
170 // enrolled (which may happen during device setup).
171 clear_state_if_needed();
172
Andres Morales2d08dce2015-04-03 16:40:15 -0700[diff] [blame]173 // need a desired password to enroll
174 if (desired_password_length == 0) return -EINVAL;
Andres Morales33dfdc72015-05-12 15:37:20 -0700[diff] [blame]175
176 int ret;
Alexey Polyudov275aece2016-10-18 13:59:26 -0700[diff] [blame]177 if (hw_device != nullptr) {
Andres Morales835d96e2015-06-03 15:06:24 -0700[diff] [blame]178 const gatekeeper::password_handle_t *handle =
179 reinterpret_cast<const gatekeeper::password_handle_t *>(current_password_handle);
180
Andres Morales7f6dcf62015-06-24 18:40:24 -0700[diff] [blame]181 if (handle != NULL && handle->version != 0 && !handle->hardware_backed) {
Andres Morales835d96e2015-06-03 15:06:24 -0700[diff] [blame]182 // handle is being re-enrolled from a software version. HAL probably won't accept
183 // the handle as valid, so we nullify it and enroll from scratch
184 current_password_handle = NULL;
185 current_password_handle_length = 0;
186 current_password = NULL;
187 current_password_length = 0;
188 }
189
Alexey Polyudov275aece2016-10-18 13:59:26 -0700[diff] [blame]190 android::hardware::hidl_vec<uint8_t> curPwdHandle;
191 curPwdHandle.setToExternal(const_cast<uint8_t*>(current_password_handle),
192 current_password_handle_length);
193 android::hardware::hidl_vec<uint8_t> curPwd;
194 curPwd.setToExternal(const_cast<uint8_t*>(current_password),
195 current_password_length);
196 android::hardware::hidl_vec<uint8_t> newPwd;
197 newPwd.setToExternal(const_cast<uint8_t*>(desired_password),
198 desired_password_length);
199
David Anderson97400bd2019-02-15 15:59:39 -0800[diff] [blame^]200 uint32_t hw_uid = adjust_uid(uid);
201 Return<void> hwRes = hw_device->enroll(hw_uid, curPwdHandle, curPwd, newPwd,
Alexey Polyudov275aece2016-10-18 13:59:26 -0700[diff] [blame]202 [&ret, enrolled_password_handle, enrolled_password_handle_length]
203 (const GatekeeperResponse &rsp) {
204 ret = static_cast<int>(rsp.code); // propagate errors
205 if (rsp.code >= GatekeeperStatusCode::STATUS_OK) {
206 if (enrolled_password_handle != nullptr &&
207 enrolled_password_handle_length != nullptr) {
208 *enrolled_password_handle = new uint8_t[rsp.data.size()];
209 *enrolled_password_handle_length = rsp.data.size();
210 memcpy(*enrolled_password_handle, rsp.data.data(),
211 *enrolled_password_handle_length);
212 }
213 ret = 0; // all success states are reported as 0
214 } else if (rsp.code == GatekeeperStatusCode::ERROR_RETRY_TIMEOUT && rsp.timeout > 0) {
215 ret = rsp.timeout;
216 }
217 });
Steven Moreland81330932017-01-03 17:01:27 -0800[diff] [blame]218 if (!hwRes.isOk()) {
Alexey Polyudov275aece2016-10-18 13:59:26 -0700[diff] [blame]219 ALOGE("enroll transaction failed\n");
220 ret = -1;
221 }
Andres Morales33dfdc72015-05-12 15:37:20 -0700[diff] [blame]222 } else {
223 ret = soft_device->enroll(uid,
224 current_password_handle, current_password_handle_length,
225 current_password, current_password_length,
226 desired_password, desired_password_length,
227 enrolled_password_handle, enrolled_password_handle_length);
228 }
229
Alexey Polyudov8c635362016-09-07 18:51:28 -0700[diff] [blame]230 if (ret == GATEKEEPER_RESPONSE_OK && (*enrolled_password_handle == nullptr ||
231 *enrolled_password_handle_length != sizeof(password_handle_t))) {
232 ret = GATEKEEPER_RESPONSE_ERROR;
233 ALOGE("HAL: password_handle=%p size_of_handle=%" PRIu32 "\n",
234 *enrolled_password_handle, *enrolled_password_handle_length);
235 }
236
237 if (ret == GATEKEEPER_RESPONSE_OK) {
Andres Morales6a49c2f2015-04-16 13:16:24 -0700[diff] [blame]238 gatekeeper::password_handle_t *handle =
239 reinterpret_cast<gatekeeper::password_handle_t *>(*enrolled_password_handle);
240 store_sid(uid, handle->user_id);
Andres Morales531e3e82015-06-01 17:23:04 -0700[diff] [blame]241 bool rr;
242
243 // immediately verify this password so we don't ask the user to enter it again
244 // if they just created it.
245 verify(uid, *enrolled_password_handle, sizeof(password_handle_t), desired_password,
246 desired_password_length, &rr);
Andres Morales6a49c2f2015-04-16 13:16:24 -0700[diff] [blame]247 }
Andres Moralesae242922015-05-18 09:26:19 -0700[diff] [blame]248
249 return ret;
Andres Morales2d08dce2015-04-03 16:40:15 -0700[diff] [blame]250 }
251
Andres Moralesae242922015-05-18 09:26:19 -0700[diff] [blame]252 virtual int verify(uint32_t uid,
Andres Morales2d08dce2015-04-03 16:40:15 -0700[diff] [blame]253 const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
Andres Moralesae242922015-05-18 09:26:19 -0700[diff] [blame]254 const uint8_t *provided_password, uint32_t provided_password_length, bool *request_reenroll) {
Kihyung Leed9ad02e2018-06-15 12:46:42 +0900[diff] [blame]255 uint8_t *auth_token = nullptr;
Andres Moralesc828ae82015-04-10 21:03:07 -0700[diff] [blame]256 uint32_t auth_token_length;
Kihyung Leed9ad02e2018-06-15 12:46:42 +0900[diff] [blame]257 int ret = verifyChallenge(uid, 0, enrolled_password_handle, enrolled_password_handle_length,
Andres Moralesc828ae82015-04-10 21:03:07 -0700[diff] [blame]258 provided_password, provided_password_length,
Andres Moralesae242922015-05-18 09:26:19 -0700[diff] [blame]259 &auth_token, &auth_token_length, request_reenroll);
Kihyung Leed9ad02e2018-06-15 12:46:42 +0900[diff] [blame]260 delete [] auth_token;
261 return ret;
Andres Moralesc828ae82015-04-10 21:03:07 -0700[diff] [blame]262 }
263
Andres Moralesae242922015-05-18 09:26:19 -0700[diff] [blame]264 virtual int verifyChallenge(uint32_t uid, uint64_t challenge,
Andres Moralesc828ae82015-04-10 21:03:07 -0700[diff] [blame]265 const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
266 const uint8_t *provided_password, uint32_t provided_password_length,
Andres Moralesae242922015-05-18 09:26:19 -0700[diff] [blame]267 uint8_t **auth_token, uint32_t *auth_token_length, bool *request_reenroll) {
Andres Morales2d08dce2015-04-03 16:40:15 -0700[diff] [blame]268 IPCThreadState* ipc = IPCThreadState::self();
269 const int calling_pid = ipc->getCallingPid();
270 const int calling_uid = ipc->getCallingUid();
271 if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) {
272 return PERMISSION_DENIED;
273 }
274
275 // can't verify if we're missing either param
276 if ((enrolled_password_handle_length | provided_password_length) == 0)
277 return -EINVAL;
278
Andres Morales33dfdc72015-05-12 15:37:20 -0700[diff] [blame]279 int ret;
Alexey Polyudov275aece2016-10-18 13:59:26 -0700[diff] [blame]280 if (hw_device != nullptr) {
Andres Morales835d96e2015-06-03 15:06:24 -0700[diff] [blame]281 const gatekeeper::password_handle_t *handle =
282 reinterpret_cast<const gatekeeper::password_handle_t *>(enrolled_password_handle);
Andres Morales7f6dcf62015-06-24 18:40:24 -0700[diff] [blame]283 // handle version 0 does not have hardware backed flag, and thus cannot be upgraded to
284 // a HAL if there was none before
285 if (handle->version == 0 || handle->hardware_backed) {
David Anderson97400bd2019-02-15 15:59:39 -0800[diff] [blame^]286 uint32_t hw_uid = adjust_uid(uid);
Alexey Polyudov275aece2016-10-18 13:59:26 -0700[diff] [blame]287 android::hardware::hidl_vec<uint8_t> curPwdHandle;
288 curPwdHandle.setToExternal(const_cast<uint8_t*>(enrolled_password_handle),
289 enrolled_password_handle_length);
290 android::hardware::hidl_vec<uint8_t> enteredPwd;
291 enteredPwd.setToExternal(const_cast<uint8_t*>(provided_password),
292 provided_password_length);
David Anderson97400bd2019-02-15 15:59:39 -0800[diff] [blame^]293 Return<void> hwRes = hw_device->verify(hw_uid, challenge, curPwdHandle, enteredPwd,
Alexey Polyudov275aece2016-10-18 13:59:26 -0700[diff] [blame]294 [&ret, request_reenroll, auth_token, auth_token_length]
295 (const GatekeeperResponse &rsp) {
296 ret = static_cast<int>(rsp.code); // propagate errors
297 if (auth_token != nullptr && auth_token_length != nullptr &&
298 rsp.code >= GatekeeperStatusCode::STATUS_OK) {
299 *auth_token = new uint8_t[rsp.data.size()];
300 *auth_token_length = rsp.data.size();
301 memcpy(*auth_token, rsp.data.data(), *auth_token_length);
302 if (request_reenroll != nullptr) {
303 *request_reenroll = (rsp.code == GatekeeperStatusCode::STATUS_REENROLL);
304 }
305 ret = 0; // all success states are reported as 0
306 } else if (rsp.code == GatekeeperStatusCode::ERROR_RETRY_TIMEOUT &&
307 rsp.timeout > 0) {
308 ret = rsp.timeout;
309 }
310 });
Steven Moreland81330932017-01-03 17:01:27 -0800[diff] [blame]311 if (!hwRes.isOk()) {
Alexey Polyudov275aece2016-10-18 13:59:26 -0700[diff] [blame]312 ALOGE("verify transaction failed\n");
313 ret = -1;
314 }
Andres Morales835d96e2015-06-03 15:06:24 -0700[diff] [blame]315 } else {
316 // upgrade scenario, a HAL has been added to this device where there was none before
317 SoftGateKeeperDevice soft_dev;
318 ret = soft_dev.verify(uid, challenge,
319 enrolled_password_handle, enrolled_password_handle_length,
320 provided_password, provided_password_length, auth_token, auth_token_length,
321 request_reenroll);
322
323 if (ret == 0) {
324 // success! re-enroll with HAL
325 *request_reenroll = true;
326 }
327 }
Andres Morales33dfdc72015-05-12 15:37:20 -0700[diff] [blame]328 } else {
329 ret = soft_device->verify(uid, challenge,
330 enrolled_password_handle, enrolled_password_handle_length,
Andres Moralesae242922015-05-18 09:26:19 -0700[diff] [blame]331 provided_password, provided_password_length, auth_token, auth_token_length,
332 request_reenroll);
Andres Morales33dfdc72015-05-12 15:37:20 -0700[diff] [blame]333 }
Andres Morales2d08dce2015-04-03 16:40:15 -0700[diff] [blame]334
Andres Moralesae242922015-05-18 09:26:19 -0700[diff] [blame]335 if (ret == 0 && *auth_token != NULL && *auth_token_length > 0) {
Andres Morales2d08dce2015-04-03 16:40:15 -0700[diff] [blame]336 // TODO: cache service?
337 sp<IServiceManager> sm = defaultServiceManager();
338 sp<IBinder> binder = sm->getService(String16("android.security.keystore"));
Janis Danisevskisea893982018-11-02 15:27:51 -0700[diff] [blame]339 sp<security::keystore::IKeystoreService> service =
340 interface_cast<security::keystore::IKeystoreService>(binder);
Andres Morales2d08dce2015-04-03 16:40:15 -0700[diff] [blame]341 if (service != NULL) {
Dmitry Dementyev0dd259c2017-11-14 12:53:39 -0800[diff] [blame]342 std::vector<uint8_t> auth_token_vector(*auth_token,
343 (*auth_token) + *auth_token_length);
344 int result = 0;
Brian Young388ff6b2018-02-22 23:35:48 +0000[diff] [blame]345 auto binder_result = service->addAuthToken(auth_token_vector, &result);
Dmitry Dementyev0dd259c2017-11-14 12:53:39 -0800[diff] [blame]346 if (!binder_result.isOk() || !keystore::KeyStoreServiceReturnCode(result).isOk()) {
347 ALOGE("Failure sending auth token to KeyStore: %" PRId32, result);
Andres Morales2d08dce2015-04-03 16:40:15 -0700[diff] [blame]348 }
349 } else {
350 ALOGE("Unable to communicate with KeyStore");
351 }
352 }
353
Andres Moralesae242922015-05-18 09:26:19 -0700[diff] [blame]354 if (ret == 0) {
Andres Morales6a49c2f2015-04-16 13:16:24 -0700[diff] [blame]355 maybe_store_sid(uid, reinterpret_cast<const gatekeeper::password_handle_t *>(
356 enrolled_password_handle)->user_id);
Andres Morales6a49c2f2015-04-16 13:16:24 -0700[diff] [blame]357 }
358
Andres Moralesae242922015-05-18 09:26:19 -0700[diff] [blame]359 return ret;
Andres Morales6a49c2f2015-04-16 13:16:24 -0700[diff] [blame]360 }
361
Pavel Grafov9890f892017-06-28 19:03:58 +0100[diff] [blame]362 virtual uint64_t getSecureUserId(uint32_t uid) { return read_sid(uid); }
Andres Morales2d08dce2015-04-03 16:40:15 -0700[diff] [blame]363
Andres Morales7c9c3bc2015-04-16 15:57:17 -0700[diff] [blame]364 virtual void clearSecureUserId(uint32_t uid) {
365 IPCThreadState* ipc = IPCThreadState::self();
366 const int calling_pid = ipc->getCallingPid();
367 const int calling_uid = ipc->getCallingUid();
368 if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) {
369 ALOGE("%s: permission denied for [%d:%d]", __func__, calling_pid, calling_uid);
370 return;
371 }
Andres Moralesdcb3fbd2015-04-17 09:00:28 -0700[diff] [blame]372 clear_sid(uid);
Andres Morales3c2086d2015-06-24 10:21:16 -0700[diff] [blame]373
Alexey Polyudov275aece2016-10-18 13:59:26 -0700[diff] [blame]374 if (hw_device != nullptr) {
David Anderson97400bd2019-02-15 15:59:39 -0800[diff] [blame^]375 uint32_t hw_uid = adjust_uid(uid);
376 hw_device->deleteUser(hw_uid, [] (const GatekeeperResponse &){});
Andres Morales3c2086d2015-06-24 10:21:16 -0700[diff] [blame]377 }
Andres Morales7c9c3bc2015-04-16 15:57:17 -0700[diff] [blame]378 }
379
Adrian Rooscb4ed1b2017-04-12 13:03:04 -0700[diff] [blame]380 virtual void reportDeviceSetupComplete() {
381 IPCThreadState* ipc = IPCThreadState::self();
382 const int calling_pid = ipc->getCallingPid();
383 const int calling_uid = ipc->getCallingUid();
384 if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) {
385 ALOGE("%s: permission denied for [%d:%d]", __func__, calling_pid, calling_uid);
386 return;
387 }
388
389 clear_state_if_needed();
390 }
391
Andres Morales2d08dce2015-04-03 16:40:15 -0700[diff] [blame]392 virtual status_t dump(int fd, const Vector<String16> &) {
393 IPCThreadState* ipc = IPCThreadState::self();
394 const int pid = ipc->getCallingPid();
395 const int uid = ipc->getCallingUid();
396 if (!PermissionCache::checkPermission(DUMP_PERMISSION, pid, uid)) {
397 return PERMISSION_DENIED;
398 }
399
Alexey Polyudov275aece2016-10-18 13:59:26 -0700[diff] [blame]400 if (hw_device == NULL) {
Andres Morales2d08dce2015-04-03 16:40:15 -0700[diff] [blame]401 const char *result = "Device not available";
402 write(fd, result, strlen(result) + 1);
403 } else {
404 const char *result = "OK";
405 write(fd, result, strlen(result) + 1);
406 }
407
Elliott Hughes643268f2018-10-08 11:10:11 -0700[diff] [blame]408 return OK;
Andres Morales2d08dce2015-04-03 16:40:15 -0700[diff] [blame]409 }
410
411private:
Alexey Polyudov275aece2016-10-18 13:59:26 -0700[diff] [blame]412 sp<IGatekeeper> hw_device;
Justin Yun68b0ec62017-08-16 18:54:20 +0900[diff] [blame]413 std::unique_ptr<SoftGateKeeperDevice> soft_device;
Adrian Rooscb4ed1b2017-04-12 13:03:04 -0700[diff] [blame]414
415 bool clear_state_if_needed_done;
David Anderson97400bd2019-02-15 15:59:39 -0800[diff] [blame^]416 bool is_running_gsi;
Andres Morales2d08dce2015-04-03 16:40:15 -0700[diff] [blame]417};
418}// namespace android
419
Andres Morales6a49c2f2015-04-16 13:16:24 -0700[diff] [blame]420int main(int argc, char* argv[]) {
Andres Morales2d08dce2015-04-03 16:40:15 -0700[diff] [blame]421 ALOGI("Starting gatekeeperd...");
Andres Morales6a49c2f2015-04-16 13:16:24 -0700[diff] [blame]422 if (argc < 2) {
423 ALOGE("A directory must be specified!");
424 return 1;
425 }
426 if (chdir(argv[1]) == -1) {
427 ALOGE("chdir: %s: %s", argv[1], strerror(errno));
428 return 1;
429 }
430
Andres Morales2d08dce2015-04-03 16:40:15 -0700[diff] [blame]431 android::sp<android::IServiceManager> sm = android::defaultServiceManager();
432 android::sp<android::GateKeeperProxy> proxy = new android::GateKeeperProxy();
433 android::status_t ret = sm->addService(
434 android::String16("android.service.gatekeeper.IGateKeeperService"), proxy);
435 if (ret != android::OK) {
436 ALOGE("Couldn't register binder service!");
437 return -1;
438 }
439
440 /*
441 * We're the only thread in existence, so we're just going to process
442 * Binder transaction as a single-threaded program.
443 */
444 android::IPCThreadState::self()->joinThreadPool();
445 return 0;
446}