blob: 3e815857a24a91fe18a8f02fc459ada257f04486 [file] [log] [blame]
Shawn Willdenc1d1fee2016-01-26 22:44:56 -07001/*
2 * Copyright (C) 2016 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#define LOG_TAG "keystore"
18
19#include "permissions.h"
20
Shawn Willdenc1d1fee2016-01-26 22:44:56 -070021#include <cutils/sockets.h>
Logan Chiencdc813f2018-04-23 13:52:28 +080022#include <log/log.h>
Shawn Willdenc1d1fee2016-01-26 22:44:56 -070023#include <private/android_filesystem_config.h>
24
25#include <selinux/android.h>
26
27#include "keystore_utils.h"
28
29/* perm_labels associcated with keystore_key SELinux class verbs. */
30const char* perm_labels[] = {
Shawn Willdene2a7b522017-04-11 09:27:40 -060031 "get_state",
32 "get",
33 "insert",
34 "delete",
35 "exist",
36 "list",
37 "reset",
38 "password",
39 "lock",
40 "unlock",
41 "is_empty",
42 "sign",
43 "verify",
44 "grant",
45 "duplicate",
46 "clear_uid",
47 "add_auth",
48 "user_changed",
49 "gen_unique_id",
Shawn Willdenc1d1fee2016-01-26 22:44:56 -070050};
51
52struct user_euid {
53 uid_t uid;
54 uid_t euid;
55};
56
Branden Archer84e72312019-01-04 10:33:16 -080057user_euid user_euids[] = {{AID_VPN, AID_SYSTEM},
Roshan Pius286c4b02019-10-08 19:34:21 -070058 // Wifi services will run in system_server on devices not using wifi
59 // mainline module.
Branden Archer84e72312019-01-04 10:33:16 -080060 {AID_WIFI, AID_SYSTEM},
Roshan Pius286c4b02019-10-08 19:34:21 -070061 // Wifi services will run in network_stack on devices using wifi mainline
62 // module.
63 {AID_WIFI, AID_NETWORK_STACK},
Branden Archer84e72312019-01-04 10:33:16 -080064 {AID_ROOT, AID_SYSTEM},
Victor Hsieh58c10ac2019-09-05 14:25:54 -070065 {AID_FSVERITY_CERT, AID_ROOT},
66 {AID_FSVERITY_CERT, AID_SYSTEM},
Branden Archer84e72312019-01-04 10:33:16 -080067
68#ifdef GRANT_ROOT_ALL_PERMISSIONS
69 // Allow VTS tests to act on behalf of the wifi user
70 {AID_WIFI, AID_ROOT}
71#endif
Shawn Willdenc1d1fee2016-01-26 22:44:56 -070072};
73
74struct user_perm {
75 uid_t uid;
76 perm_t perms;
77};
78
79static user_perm user_perms[] = {
80 {AID_SYSTEM, static_cast<perm_t>((uint32_t)(~0))},
81 {AID_VPN, static_cast<perm_t>(P_GET | P_SIGN | P_VERIFY)},
82 {AID_WIFI, static_cast<perm_t>(P_GET | P_SIGN | P_VERIFY)},
Branden Archera930c142019-02-21 14:42:30 -080083 {AID_BLUETOOTH, static_cast<perm_t>(P_GET | P_INSERT | P_DELETE | P_EXIST | P_SIGN | P_VERIFY)},
Branden Archer84e72312019-01-04 10:33:16 -080084
85#ifdef GRANT_ROOT_ALL_PERMISSIONS
86 // Allow VTS tests running as root to perform all operations
87 {AID_ROOT, static_cast<perm_t>((uint32_t)(~0))},
88#else
Shawn Willdenc1d1fee2016-01-26 22:44:56 -070089 {AID_ROOT, static_cast<perm_t>(P_GET)},
Branden Archer84e72312019-01-04 10:33:16 -080090#endif
Shawn Willdenc1d1fee2016-01-26 22:44:56 -070091};
92
Shawn Willdene2a7b522017-04-11 09:27:40 -060093static const perm_t DEFAULT_PERMS = static_cast<perm_t>(
94 P_GET_STATE | P_GET | P_INSERT | P_DELETE | P_EXIST | P_LIST | P_SIGN | P_VERIFY |
95 P_GEN_UNIQUE_ID /* Only privileged apps can do this, but enforcement is done by SELinux */);
Shawn Willdenc1d1fee2016-01-26 22:44:56 -070096
97struct audit_data {
98 pid_t pid;
99 uid_t uid;
Steven Moreland23115b02019-01-10 16:20:20 -0800100 const char* sid;
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700101};
102
103const char* get_perm_label(perm_t perm) {
104 unsigned int index = ffs(perm);
105 if (index > 0 && index <= (sizeof(perm_labels) / sizeof(perm_labels[0]))) {
106 return perm_labels[index - 1];
107 } else {
108 ALOGE("Keystore: Failed to retrieve permission label.\n");
109 abort();
110 }
111}
112
113static int audit_callback(void* data, security_class_t /* cls */, char* buf, size_t len) {
114 struct audit_data* ad = reinterpret_cast<struct audit_data*>(data);
115 if (!ad) {
116 ALOGE("No keystore audit data");
117 return 0;
118 }
119
Steven Moreland23115b02019-01-10 16:20:20 -0800120 const char* sid = ad->sid ? ad->sid : "N/A";
121 snprintf(buf, len, "pid=%d uid=%d sid=%s", ad->pid, ad->uid, sid);
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700122 return 0;
123}
124
125static char* tctx;
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700126
127int configure_selinux() {
Nick Kralevichd13eef02016-12-09 17:11:22 -0800128 union selinux_callback cb;
129 cb.func_audit = audit_callback;
130 selinux_set_callback(SELINUX_CB_AUDIT, cb);
131 cb.func_log = selinux_log_callback;
132 selinux_set_callback(SELINUX_CB_LOG, cb);
133 if (getcon(&tctx) != 0) {
134 ALOGE("SELinux: Could not acquire target context. Aborting keystore.\n");
135 return -1;
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700136 }
137
138 return 0;
139}
140
Steven Moreland23115b02019-01-10 16:20:20 -0800141static bool keystore_selinux_check_access(uid_t uid, perm_t perm, pid_t spid, const char* ssid) {
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700142 audit_data ad;
Yi Kongd2916752018-07-26 17:44:27 -0700143 char* sctx = nullptr;
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700144 const char* selinux_class = "keystore_key";
145 const char* str_perm = get_perm_label(perm);
146
147 if (!str_perm) {
148 return false;
149 }
150
Steven Moreland23115b02019-01-10 16:20:20 -0800151 if (ssid == nullptr && getpidcon(spid, &sctx) != 0) {
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700152 ALOGE("SELinux: Failed to get source pid context.\n");
153 return false;
154 }
155
Steven Moreland23115b02019-01-10 16:20:20 -0800156 const char* use_sid = ssid ? ssid : sctx;
157
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700158 ad.pid = spid;
159 ad.uid = uid;
Steven Moreland23115b02019-01-10 16:20:20 -0800160 ad.sid = use_sid;
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700161
Steven Moreland23115b02019-01-10 16:20:20 -0800162 bool allowed = selinux_check_access(use_sid, tctx, selinux_class, str_perm,
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700163 reinterpret_cast<void*>(&ad)) == 0;
164 freecon(sctx);
165 return allowed;
166}
167
168/**
169 * Returns the UID that the callingUid should act as. This is here for
170 * legacy support of the WiFi and VPN systems and should be removed
171 * when WiFi can operate in its own namespace.
172 */
173uid_t get_keystore_euid(uid_t uid) {
174 for (size_t i = 0; i < sizeof(user_euids) / sizeof(user_euids[0]); i++) {
175 struct user_euid user = user_euids[i];
176 if (user.uid == uid) {
177 return user.euid;
178 }
179 }
180
181 return uid;
182}
183
Steven Moreland23115b02019-01-10 16:20:20 -0800184bool has_permission(uid_t uid, perm_t perm, pid_t spid, const char* sid) {
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700185 // All system users are equivalent for multi-user support.
186 if (get_app_id(uid) == AID_SYSTEM) {
187 uid = AID_SYSTEM;
188 }
189
Steven Moreland23115b02019-01-10 16:20:20 -0800190 if (sid == nullptr) {
191 android_errorWriteLog(0x534e4554, "121035042");
192 }
193
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700194 for (size_t i = 0; i < sizeof(user_perms) / sizeof(user_perms[0]); i++) {
195 struct user_perm user = user_perms[i];
196 if (user.uid == uid) {
Steven Moreland23115b02019-01-10 16:20:20 -0800197 return (user.perms & perm) && keystore_selinux_check_access(uid, perm, spid, sid);
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700198 }
199 }
200
Steven Moreland23115b02019-01-10 16:20:20 -0800201 return (DEFAULT_PERMS & perm) && keystore_selinux_check_access(uid, perm, spid, sid);
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700202}
203
204/**
205 * Returns true if the callingUid is allowed to interact in the targetUid's
206 * namespace.
207 */
208bool is_granted_to(uid_t callingUid, uid_t targetUid) {
209 if (callingUid == targetUid) {
210 return true;
211 }
212 for (size_t i = 0; i < sizeof(user_euids) / sizeof(user_euids[0]); i++) {
213 struct user_euid user = user_euids[i];
214 if (user.euid == callingUid && user.uid == targetUid) {
215 return true;
216 }
217 }
218
219 return false;
220}