Revert "Add calls for SELinux MAC checks in keystore."
getcon fails if SELinux is disabled. Revert for now until
a more appropriate fix is made.
This reverts commit 0e542d0b849a42b6641bf64fd87c7076c98b73d1.
Bug: 15945719
Change-Id: Ifa24608b374ea3dc8b5569a5cd214db823a00f26
diff --git a/keystore/Android.mk b/keystore/Android.mk
index 22bba01..47b7e84 100644
--- a/keystore/Android.mk
+++ b/keystore/Android.mk
@@ -28,8 +28,7 @@
libkeystore_binder \
liblog \
libsoftkeymaster \
- libutils \
- libselinux
+ libutils
LOCAL_MODULE := keystore
LOCAL_MODULE_TAGS := optional
LOCAL_ADDITIONAL_DEPENDENCIES := $(LOCAL_PATH)/Android.mk
diff --git a/keystore/keystore.cpp b/keystore/keystore.cpp
index 5af534f..c083f1b 100644
--- a/keystore/keystore.cpp
+++ b/keystore/keystore.cpp
@@ -33,7 +33,6 @@
#include <sys/stat.h>
#include <sys/time.h>
#include <arpa/inet.h>
-#include <string.h>
#include <openssl/aes.h>
#include <openssl/bio.h>
@@ -59,8 +58,6 @@
#include <keystore/keystore.h>
-#include <selinux/android.h>
-
#include "defaults.h"
/* KeyStore is a secured storage for key-value pairs. In this implementation,
@@ -155,26 +152,6 @@
P_CLEAR_UID = 1 << 15,
} perm_t;
-/* perm_labels associcated with keystore_key SELinux class verbs. */
-const char *perm_labels[] = {
- "test",
- "get",
- "insert",
- "delete",
- "exist",
- "saw",
- "reset",
- "password",
- "lock",
- "unlock",
- "zero",
- "sign",
- "verify",
- "grant",
- "duplicate",
- "clear_uid"
-};
-
static struct user_euid {
uid_t uid;
uid_t euid;
@@ -197,18 +174,6 @@
static const perm_t DEFAULT_PERMS = static_cast<perm_t>(P_TEST | P_GET | P_INSERT | P_DELETE | P_EXIST | P_SAW | P_SIGN
| P_VERIFY);
-static char *tctx;
-
-static const char *get_perm_label(perm_t perm) {
- unsigned int index = ffs(perm);
- if (index > 0 && index <= (sizeof(perm_labels) / sizeof(perm_labels[0]))) {
- return perm_labels[index - 1];
- } else {
- ALOGE("Keystore: Failed to retrieve permission label.\n");
- abort();
- }
-}
-
/**
* Returns the app ID (in the Android multi-user sense) for the current
* UNIX UID.
@@ -225,39 +190,21 @@
return uid / AID_USER;
}
-static bool has_permission(uid_t uid, perm_t perm, pid_t spid) {
+
+static bool has_permission(uid_t uid, perm_t perm) {
// All system users are equivalent for multi-user support.
if (get_app_id(uid) == AID_SYSTEM) {
uid = AID_SYSTEM;
}
- char *sctx = NULL;
- const char *selinux_class = "keystore_key";
- const char *str_perm = get_perm_label(perm);
-
- if (!str_perm) {
- return false;
- }
-
- if (getpidcon(spid, &sctx) != 0) {
- ALOGE("SELinux: Failed to get source pid context.\n");
- return false;
- }
-
for (size_t i = 0; i < sizeof(user_perms)/sizeof(user_perms[0]); i++) {
struct user_perm user = user_perms[i];
if (user.uid == uid) {
- bool result = (user.perms & perm) && (selinux_check_access(sctx,
- tctx, selinux_class, str_perm, NULL) == 0);
- freecon(sctx);
- return result;
+ return user.perms & perm;
}
}
- bool result = (DEFAULT_PERMS & perm) && (selinux_check_access(sctx,
- tctx, selinux_class, str_perm, NULL) == 0);
- freecon(sctx);
- return result;
+ return DEFAULT_PERMS & perm;
}
/**
@@ -1491,8 +1438,7 @@
int32_t test() {
uid_t callingUid = IPCThreadState::self()->getCallingUid();
- pid_t spid = IPCThreadState::self()->getCallingPid();
- if (!has_permission(callingUid, P_TEST, spid)) {
+ if (!has_permission(callingUid, P_TEST)) {
ALOGW("permission denied for %d: test", callingUid);
return ::PERMISSION_DENIED;
}
@@ -1502,14 +1448,14 @@
int32_t get(const String16& name, uint8_t** item, size_t* itemLength) {
uid_t callingUid = IPCThreadState::self()->getCallingUid();
- pid_t spid = IPCThreadState::self()->getCallingPid();
- if (!has_permission(callingUid, P_GET, spid)) {
+ if (!has_permission(callingUid, P_GET)) {
ALOGW("permission denied for %d: get", callingUid);
return ::PERMISSION_DENIED;
}
String8 name8(name);
Blob keyBlob;
+
ResponseCode responseCode = mKeyStore->getKeyForName(&keyBlob, name8, callingUid,
TYPE_GENERIC);
if (responseCode != ::NO_ERROR) {
@@ -1529,8 +1475,7 @@
int32_t insert(const String16& name, const uint8_t* item, size_t itemLength, int targetUid,
int32_t flags) {
uid_t callingUid = IPCThreadState::self()->getCallingUid();
- pid_t spid = IPCThreadState::self()->getCallingPid();
- if (!has_permission(callingUid, P_INSERT, spid)) {
+ if (!has_permission(callingUid, P_INSERT)) {
ALOGW("permission denied for %d: insert", callingUid);
return ::PERMISSION_DENIED;
}
@@ -1558,8 +1503,7 @@
int32_t del(const String16& name, int targetUid) {
uid_t callingUid = IPCThreadState::self()->getCallingUid();
- pid_t spid = IPCThreadState::self()->getCallingPid();
- if (!has_permission(callingUid, P_DELETE, spid)) {
+ if (!has_permission(callingUid, P_DELETE)) {
ALOGW("permission denied for %d: del", callingUid);
return ::PERMISSION_DENIED;
}
@@ -1584,8 +1528,7 @@
int32_t exist(const String16& name, int targetUid) {
uid_t callingUid = IPCThreadState::self()->getCallingUid();
- pid_t spid = IPCThreadState::self()->getCallingPid();
- if (!has_permission(callingUid, P_EXIST, spid)) {
+ if (!has_permission(callingUid, P_EXIST)) {
ALOGW("permission denied for %d: exist", callingUid);
return ::PERMISSION_DENIED;
}
@@ -1607,8 +1550,7 @@
int32_t saw(const String16& prefix, int targetUid, Vector<String16>* matches) {
uid_t callingUid = IPCThreadState::self()->getCallingUid();
- pid_t spid = IPCThreadState::self()->getCallingPid();
- if (!has_permission(callingUid, P_SAW, spid)) {
+ if (!has_permission(callingUid, P_SAW)) {
ALOGW("permission denied for %d: saw", callingUid);
return ::PERMISSION_DENIED;
}
@@ -1664,8 +1606,7 @@
int32_t reset() {
uid_t callingUid = IPCThreadState::self()->getCallingUid();
- pid_t spid = IPCThreadState::self()->getCallingPid();
- if (!has_permission(callingUid, P_RESET, spid)) {
+ if (!has_permission(callingUid, P_RESET)) {
ALOGW("permission denied for %d: reset", callingUid);
return ::PERMISSION_DENIED;
}
@@ -1700,8 +1641,7 @@
*/
int32_t password(const String16& password) {
uid_t callingUid = IPCThreadState::self()->getCallingUid();
- pid_t spid = IPCThreadState::self()->getCallingPid();
- if (!has_permission(callingUid, P_PASSWORD, spid)) {
+ if (!has_permission(callingUid, P_PASSWORD)) {
ALOGW("permission denied for %d: password", callingUid);
return ::PERMISSION_DENIED;
}
@@ -1727,8 +1667,7 @@
int32_t lock() {
uid_t callingUid = IPCThreadState::self()->getCallingUid();
- pid_t spid = IPCThreadState::self()->getCallingPid();
- if (!has_permission(callingUid, P_LOCK, spid)) {
+ if (!has_permission(callingUid, P_LOCK)) {
ALOGW("permission denied for %d: lock", callingUid);
return ::PERMISSION_DENIED;
}
@@ -1745,8 +1684,7 @@
int32_t unlock(const String16& pw) {
uid_t callingUid = IPCThreadState::self()->getCallingUid();
- pid_t spid = IPCThreadState::self()->getCallingPid();
- if (!has_permission(callingUid, P_UNLOCK, spid)) {
+ if (!has_permission(callingUid, P_UNLOCK)) {
ALOGW("permission denied for %d: unlock", callingUid);
return ::PERMISSION_DENIED;
}
@@ -1763,8 +1701,7 @@
int32_t zero() {
uid_t callingUid = IPCThreadState::self()->getCallingUid();
- pid_t spid = IPCThreadState::self()->getCallingPid();
- if (!has_permission(callingUid, P_ZERO, spid)) {
+ if (!has_permission(callingUid, P_ZERO)) {
ALOGW("permission denied for %d: zero", callingUid);
return -1;
}
@@ -1775,8 +1712,7 @@
int32_t generate(const String16& name, int32_t targetUid, int32_t keyType, int32_t keySize,
int32_t flags, Vector<sp<KeystoreArg> >* args) {
uid_t callingUid = IPCThreadState::self()->getCallingUid();
- pid_t spid = IPCThreadState::self()->getCallingPid();
- if (!has_permission(callingUid, P_INSERT, spid)) {
+ if (!has_permission(callingUid, P_INSERT)) {
ALOGW("permission denied for %d: generate", callingUid);
return ::PERMISSION_DENIED;
}
@@ -1927,8 +1863,7 @@
int32_t import(const String16& name, const uint8_t* data, size_t length, int targetUid,
int32_t flags) {
uid_t callingUid = IPCThreadState::self()->getCallingUid();
- pid_t spid = IPCThreadState::self()->getCallingPid();
- if (!has_permission(callingUid, P_INSERT, spid)) {
+ if (!has_permission(callingUid, P_INSERT)) {
ALOGW("permission denied for %d: import", callingUid);
return ::PERMISSION_DENIED;
}
@@ -1954,8 +1889,7 @@
int32_t sign(const String16& name, const uint8_t* data, size_t length, uint8_t** out,
size_t* outLength) {
uid_t callingUid = IPCThreadState::self()->getCallingUid();
- pid_t spid = IPCThreadState::self()->getCallingPid();
- if (!has_permission(callingUid, P_SIGN, spid)) {
+ if (!has_permission(callingUid, P_SIGN)) {
ALOGW("permission denied for %d: saw", callingUid);
return ::PERMISSION_DENIED;
}
@@ -2005,8 +1939,7 @@
int32_t verify(const String16& name, const uint8_t* data, size_t dataLength,
const uint8_t* signature, size_t signatureLength) {
uid_t callingUid = IPCThreadState::self()->getCallingUid();
- pid_t spid = IPCThreadState::self()->getCallingPid();
- if (!has_permission(callingUid, P_VERIFY, spid)) {
+ if (!has_permission(callingUid, P_VERIFY)) {
ALOGW("permission denied for %d: verify", callingUid);
return ::PERMISSION_DENIED;
}
@@ -2067,8 +2000,7 @@
*/
int32_t get_pubkey(const String16& name, uint8_t** pubkey, size_t* pubkeyLength) {
uid_t callingUid = IPCThreadState::self()->getCallingUid();
- pid_t spid = IPCThreadState::self()->getCallingPid();
- if (!has_permission(callingUid, P_GET, spid)) {
+ if (!has_permission(callingUid, P_GET)) {
ALOGW("permission denied for %d: get_pubkey", callingUid);
return ::PERMISSION_DENIED;
}
@@ -2111,8 +2043,7 @@
int32_t del_key(const String16& name, int targetUid) {
uid_t callingUid = IPCThreadState::self()->getCallingUid();
- pid_t spid = IPCThreadState::self()->getCallingPid();
- if (!has_permission(callingUid, P_DELETE, spid)) {
+ if (!has_permission(callingUid, P_DELETE)) {
ALOGW("permission denied for %d: del_key", callingUid);
return ::PERMISSION_DENIED;
}
@@ -2156,8 +2087,7 @@
int32_t grant(const String16& name, int32_t granteeUid) {
uid_t callingUid = IPCThreadState::self()->getCallingUid();
- pid_t spid = IPCThreadState::self()->getCallingPid();
- if (!has_permission(callingUid, P_GRANT, spid)) {
+ if (!has_permission(callingUid, P_GRANT)) {
ALOGW("permission denied for %d: grant", callingUid);
return ::PERMISSION_DENIED;
}
@@ -2181,8 +2111,7 @@
int32_t ungrant(const String16& name, int32_t granteeUid) {
uid_t callingUid = IPCThreadState::self()->getCallingUid();
- pid_t spid = IPCThreadState::self()->getCallingPid();
- if (!has_permission(callingUid, P_GRANT, spid)) {
+ if (!has_permission(callingUid, P_GRANT)) {
ALOGW("permission denied for %d: ungrant", callingUid);
return ::PERMISSION_DENIED;
}
@@ -2205,8 +2134,7 @@
int64_t getmtime(const String16& name) {
uid_t callingUid = IPCThreadState::self()->getCallingUid();
- pid_t spid = IPCThreadState::self()->getCallingPid();
- if (!has_permission(callingUid, P_GET, spid)) {
+ if (!has_permission(callingUid, P_GET)) {
ALOGW("permission denied for %d: getmtime", callingUid);
return -1L;
}
@@ -2239,8 +2167,7 @@
int32_t duplicate(const String16& srcKey, int32_t srcUid, const String16& destKey,
int32_t destUid) {
uid_t callingUid = IPCThreadState::self()->getCallingUid();
- pid_t spid = IPCThreadState::self()->getCallingPid();
- if (!has_permission(callingUid, P_DUPLICATE, spid)) {
+ if (!has_permission(callingUid, P_DUPLICATE)) {
ALOGW("permission denied for %d: duplicate", callingUid);
return -1L;
}
@@ -2303,8 +2230,7 @@
int32_t clear_uid(int64_t targetUid64) {
uid_t targetUid = static_cast<uid_t>(targetUid64);
uid_t callingUid = IPCThreadState::self()->getCallingUid();
- pid_t spid = IPCThreadState::self()->getCallingPid();
- if (!has_permission(callingUid, P_CLEAR_UID, spid)) {
+ if (!has_permission(callingUid, P_CLEAR_UID)) {
ALOGW("permission denied for %d: clear_uid", callingUid);
return ::PERMISSION_DENIED;
}
@@ -2448,14 +2374,6 @@
return 1;
}
- union selinux_callback cb;
- cb.func_log = selinux_log_callback;
- selinux_set_callback(SELINUX_CB_LOG, cb);
- if (getcon(&tctx) != 0) {
- ALOGE("SELinux: Could not acquire target context. Aborting keystore.\n");
- return -1;
- }
-
KeyStore keyStore(&entropy, dev);
keyStore.initialize();
android::sp<android::IServiceManager> sm = android::defaultServiceManager();
@@ -2473,6 +2391,5 @@
android::IPCThreadState::self()->joinThreadPool();
keymaster_device_release(dev);
-
return 1;
}