Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_security / 6d38eda694303340fde96da0466d122efe052233 / . / keystore / permissions.cpp
blob: 92daa1d833370b1fc198d2d1f01cf1be228906c7 [file] [log] [blame]
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700[diff] [blame]1/*
2 * Copyright (C) 2016 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#define LOG_TAG "keystore"
18
19#include "permissions.h"
20
21#include <cutils/log.h>
22#include <cutils/sockets.h>
23#include <private/android_filesystem_config.h>
24
25#include <selinux/android.h>
26
27#include "keystore_utils.h"
28
29/* perm_labels associcated with keystore_key SELinux class verbs. */
30const char* perm_labels[] = {
31 "get_state", "get", "insert", "delete", "exist", "list",
32 "reset", "password", "lock", "unlock", "is_empty", "sign",
33 "verify", "grant", "duplicate", "clear_uid", "add_auth", "user_changed",
34};
35
36struct user_euid {
37 uid_t uid;
38 uid_t euid;
39};
40
41user_euid user_euids[] = {
42 {AID_VPN, AID_SYSTEM}, {AID_WIFI, AID_SYSTEM}, {AID_ROOT, AID_SYSTEM},
Roshan Pius6d38eda2017-03-30 14:50:23 -0700[diff] [blame^]43 {AID_WIFI, AID_KEYSTORE}, {AID_KEYSTORE, AID_WIFI}
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700[diff] [blame]44};
45
46struct user_perm {
47 uid_t uid;
48 perm_t perms;
49};
50
51static user_perm user_perms[] = {
52 {AID_SYSTEM, static_cast<perm_t>((uint32_t)(~0))},
53 {AID_VPN, static_cast<perm_t>(P_GET | P_SIGN | P_VERIFY)},
54 {AID_WIFI, static_cast<perm_t>(P_GET | P_SIGN | P_VERIFY)},
55 {AID_ROOT, static_cast<perm_t>(P_GET)},
56};
57
58static const perm_t DEFAULT_PERMS = static_cast<perm_t>(P_GET_STATE | P_GET | P_INSERT | P_DELETE |
59 P_EXIST | P_LIST | P_SIGN | P_VERIFY);
60
61struct audit_data {
62 pid_t pid;
63 uid_t uid;
64};
65
66const char* get_perm_label(perm_t perm) {
67 unsigned int index = ffs(perm);
68 if (index > 0 && index <= (sizeof(perm_labels) / sizeof(perm_labels[0]))) {
69 return perm_labels[index - 1];
70 } else {
71 ALOGE("Keystore: Failed to retrieve permission label.\n");
72 abort();
73 }
74}
75
76static int audit_callback(void* data, security_class_t /* cls */, char* buf, size_t len) {
77 struct audit_data* ad = reinterpret_cast<struct audit_data*>(data);
78 if (!ad) {
79 ALOGE("No keystore audit data");
80 return 0;
81 }
82
83 snprintf(buf, len, "pid=%d uid=%d", ad->pid, ad->uid);
84 return 0;
85}
86
87static char* tctx;
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700[diff] [blame]88
89int configure_selinux() {
Nick Kralevichd13eef02016-12-09 17:11:22 -0800[diff] [blame]90 union selinux_callback cb;
91 cb.func_audit = audit_callback;
92 selinux_set_callback(SELINUX_CB_AUDIT, cb);
93 cb.func_log = selinux_log_callback;
94 selinux_set_callback(SELINUX_CB_LOG, cb);
95 if (getcon(&tctx) != 0) {
96 ALOGE("SELinux: Could not acquire target context. Aborting keystore.\n");
97 return -1;
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700[diff] [blame]98 }
99
100 return 0;
101}
102
103static bool keystore_selinux_check_access(uid_t uid, perm_t perm, pid_t spid) {
Shawn Willdenc1d1fee2016-01-26 22:44:56 -0700[diff] [blame]104 audit_data ad;
105 char* sctx = NULL;
106 const char* selinux_class = "keystore_key";
107 const char* str_perm = get_perm_label(perm);
108
109 if (!str_perm) {
110 return false;
111 }
112
113 if (getpidcon(spid, &sctx) != 0) {
114 ALOGE("SELinux: Failed to get source pid context.\n");
115 return false;
116 }
117
118 ad.pid = spid;
119 ad.uid = uid;
120
121 bool allowed = selinux_check_access(sctx, tctx, selinux_class, str_perm,
122 reinterpret_cast<void*>(&ad)) == 0;
123 freecon(sctx);
124 return allowed;
125}
126
127/**
128 * Returns the UID that the callingUid should act as. This is here for
129 * legacy support of the WiFi and VPN systems and should be removed
130 * when WiFi can operate in its own namespace.
131 */
132uid_t get_keystore_euid(uid_t uid) {
133 for (size_t i = 0; i < sizeof(user_euids) / sizeof(user_euids[0]); i++) {
134 struct user_euid user = user_euids[i];
135 if (user.uid == uid) {
136 return user.euid;
137 }
138 }
139
140 return uid;
141}
142
143bool has_permission(uid_t uid, perm_t perm, pid_t spid) {
144 // All system users are equivalent for multi-user support.
145 if (get_app_id(uid) == AID_SYSTEM) {
146 uid = AID_SYSTEM;
147 }
148
149 for (size_t i = 0; i < sizeof(user_perms) / sizeof(user_perms[0]); i++) {
150 struct user_perm user = user_perms[i];
151 if (user.uid == uid) {
152 return (user.perms & perm) && keystore_selinux_check_access(uid, perm, spid);
153 }
154 }
155
156 return (DEFAULT_PERMS & perm) && keystore_selinux_check_access(uid, perm, spid);
157}
158
159/**
160 * Returns true if the callingUid is allowed to interact in the targetUid's
161 * namespace.
162 */
163bool is_granted_to(uid_t callingUid, uid_t targetUid) {
164 if (callingUid == targetUid) {
165 return true;
166 }
167 for (size_t i = 0; i < sizeof(user_euids) / sizeof(user_euids[0]); i++) {
168 struct user_euid user = user_euids[i];
169 if (user.euid == callingUid && user.uid == targetUid) {
170 return true;
171 }
172 }
173
174 return false;
175}