Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_security / 7b5ebb37525d2bc0d97e2f2cb95e4456d234f55e^2..7b5ebb37525d2bc0d97e2f2cb95e4456d234f55e / .
commit7b5ebb37525d2bc0d97e2f2cb95e4456d234f55e[log] [tgz]
authorBranden Archer <brarcher@google.com>Thu Jan 31 08:30:17 2019 -0800
committerandroid-build-merger <android-build-merger@google.com>Thu Jan 31 08:30:17 2019 -0800
tree6f9f73c93aa3d81fcd52c067fb65797951dc8e90
parent436d39182cc351634a2e73a9635bb1e0887a794e [diff]
parentd10c58edbdcd2d19133ea4da5df8b9d3bf739116 [diff]
Merge "Grant VTS tests all permissions in keystore on userdebug/eng" am: 3ed33f4013 am: 7806acc7e8
am: d10c58edbd

Change-Id: Iad66984e3a462e3fdad7c5387d31671c31470fae

diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index a7fcd38..fcf863d 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp

@@ -69,8 +69,6 @@
 
 constexpr double kIdRotationPeriod = 30 * 24 * 60 * 60; /* Thirty days, in seconds */
 const char* kTimestampFilePath = "timestamp";
-const int ID_ATTESTATION_REQUEST_GENERIC_INFO = 1 << 0;
-const int ID_ATTESTATION_REQUEST_UNIQUE_DEVICE_ID = 1 << 1;
 
 struct BIGNUM_Delete {
     void operator()(BIGNUM* p) const { BN_free(p); }
@@ -966,9 +964,8 @@
     return Status::ok();
 }
 
-int isDeviceIdAttestationRequested(const KeymasterArguments& params) {
+bool isDeviceIdAttestationRequested(const KeymasterArguments& params) {
     const hardware::hidl_vec<KeyParameter>& paramsVec = params.getParameters();
-    int result = 0;
     for (size_t i = 0; i < paramsVec.size(); ++i) {
         switch (paramsVec[i].tag) {
         case Tag::ATTESTATION_ID_BRAND:
@@ -976,18 +973,15 @@
         case Tag::ATTESTATION_ID_MANUFACTURER:
         case Tag::ATTESTATION_ID_MODEL:
         case Tag::ATTESTATION_ID_PRODUCT:
-            result |= ID_ATTESTATION_REQUEST_GENERIC_INFO;
-            break;
         case Tag::ATTESTATION_ID_IMEI:
         case Tag::ATTESTATION_ID_MEID:
         case Tag::ATTESTATION_ID_SERIAL:
-            result |= ID_ATTESTATION_REQUEST_UNIQUE_DEVICE_ID;
-            break;
+            return true;
         default:
             continue;
         }
     }
-    return result;
+    return false;
 }
 
 Status KeyStoreService::attestKey(
@@ -1000,15 +994,7 @@
 
     uid_t callingUid = IPCThreadState::self()->getCallingUid();
 
-    int needsIdAttestation = isDeviceIdAttestationRequested(params);
-    bool needsUniqueIdAttestation = needsIdAttestation & ID_ATTESTATION_REQUEST_UNIQUE_DEVICE_ID;
-    bool isPrimaryUserSystemUid = (callingUid == AID_SYSTEM);
-    bool isSomeUserSystemUid = (get_app_id(callingUid) == AID_SYSTEM);
-    // Allow system context from any user to request attestation with basic device information,
-    // while only allow system context from user 0 (device owner) to request attestation with
-    // unique device ID.
-    if ((needsIdAttestation && !isSomeUserSystemUid) ||
-        (needsUniqueIdAttestation && !isPrimaryUserSystemUid)) {
+    if (isDeviceIdAttestationRequested(params) && (get_app_id(callingUid) != AID_SYSTEM)) {
         return AIDL_RETURN(KeyStoreServiceReturnCode(ErrorCode::INVALID_ARGUMENT));
     }
 
@@ -1236,7 +1222,8 @@
 bool KeyStoreService::checkBinderPermission(perm_t permission, int32_t targetUid) {
     uid_t callingUid = IPCThreadState::self()->getCallingUid();
     pid_t spid = IPCThreadState::self()->getCallingPid();
-    if (!has_permission(callingUid, permission, spid)) {
+    const char* ssid = IPCThreadState::self()->getCallingSid();
+    if (!has_permission(callingUid, permission, spid, ssid)) {
         ALOGW("permission %s denied for %d", get_perm_label(permission), callingUid);
         return false;
     }
@@ -1254,7 +1241,8 @@
 bool KeyStoreService::checkBinderPermissionSelfOrSystem(perm_t permission, int32_t targetUid) {
     uid_t callingUid = IPCThreadState::self()->getCallingUid();
     pid_t spid = IPCThreadState::self()->getCallingPid();
-    if (!has_permission(callingUid, permission, spid)) {
+    const char* ssid = IPCThreadState::self()->getCallingSid();
+    if (!has_permission(callingUid, permission, spid, ssid)) {
         ALOGW("permission %s denied for %d", get_perm_label(permission), callingUid);
         return false;
     }

diff --git a/keystore/keystore_main.cpp b/keystore/keystore_main.cpp
index 70f38cc..f3eadd7 100644
--- a/keystore/keystore_main.cpp
+++ b/keystore/keystore_main.cpp

@@ -156,6 +156,7 @@
     keyStore->initialize();
     android::sp<android::IServiceManager> sm = android::defaultServiceManager();
     android::sp<keystore::KeyStoreService> service = new keystore::KeyStoreService(keyStore);
+    service->setRequestingSid(true);
     android::status_t ret = sm->addService(android::String16("android.security.keystore"), service);
     CHECK(ret == android::OK) << "Couldn't register binder service!";
 

diff --git a/keystore/permissions.cpp b/keystore/permissions.cpp
index d2313e3..c68be50 100644
--- a/keystore/permissions.cpp
+++ b/keystore/permissions.cpp

@@ -91,6 +91,7 @@
 struct audit_data {
     pid_t pid;
     uid_t uid;
+    const char* sid;
 };
 
 const char* get_perm_label(perm_t perm) {
@@ -110,7 +111,8 @@
         return 0;
     }
 
-    snprintf(buf, len, "pid=%d uid=%d", ad->pid, ad->uid);
+    const char* sid = ad->sid ? ad->sid : "N/A";
+    snprintf(buf, len, "pid=%d uid=%d sid=%s", ad->pid, ad->uid, sid);
     return 0;
 }
 
@@ -130,7 +132,7 @@
     return 0;
 }
 
-static bool keystore_selinux_check_access(uid_t uid, perm_t perm, pid_t spid) {
+static bool keystore_selinux_check_access(uid_t uid, perm_t perm, pid_t spid, const char* ssid) {
     audit_data ad;
     char* sctx = nullptr;
     const char* selinux_class = "keystore_key";
@@ -140,15 +142,18 @@
         return false;
     }
 
-    if (getpidcon(spid, &sctx) != 0) {
+    if (ssid == nullptr && getpidcon(spid, &sctx) != 0) {
         ALOGE("SELinux: Failed to get source pid context.\n");
         return false;
     }
 
+    const char* use_sid = ssid ? ssid : sctx;
+
     ad.pid = spid;
     ad.uid = uid;
+    ad.sid = use_sid;
 
-    bool allowed = selinux_check_access(sctx, tctx, selinux_class, str_perm,
+    bool allowed = selinux_check_access(use_sid, tctx, selinux_class, str_perm,
                                         reinterpret_cast<void*>(&ad)) == 0;
     freecon(sctx);
     return allowed;
@@ -170,20 +175,24 @@
     return uid;
 }
 
-bool has_permission(uid_t uid, perm_t perm, pid_t spid) {
+bool has_permission(uid_t uid, perm_t perm, pid_t spid, const char* sid) {
     // All system users are equivalent for multi-user support.
     if (get_app_id(uid) == AID_SYSTEM) {
         uid = AID_SYSTEM;
     }
 
+    if (sid == nullptr) {
+        android_errorWriteLog(0x534e4554, "121035042");
+    }
+
     for (size_t i = 0; i < sizeof(user_perms) / sizeof(user_perms[0]); i++) {
         struct user_perm user = user_perms[i];
         if (user.uid == uid) {
-            return (user.perms & perm) && keystore_selinux_check_access(uid, perm, spid);
+            return (user.perms & perm) && keystore_selinux_check_access(uid, perm, spid, sid);
         }
     }
 
-    return (DEFAULT_PERMS & perm) && keystore_selinux_check_access(uid, perm, spid);
+    return (DEFAULT_PERMS & perm) && keystore_selinux_check_access(uid, perm, spid, sid);
 }
 
 /**

diff --git a/keystore/permissions.h b/keystore/permissions.h
index 1f7b7a6..1dd0089 100644
--- a/keystore/permissions.h
+++ b/keystore/permissions.h

@@ -51,7 +51,12 @@
  */
 uid_t get_keystore_euid(uid_t uid);
 
-bool has_permission(uid_t uid, perm_t perm, pid_t spid);
+/**
+ * Returns true if the uid/pid/sid has a permission. Checks based on sid if available.
+ *
+ * sid may be null on older kernels
+ */
+bool has_permission(uid_t uid, perm_t perm, pid_t spid, const char* sid);
 
 /**
  * Returns true if the callingUid is allowed to interact in the targetUid's