Blame - keystore/permissions.cpp - android_system_security

blob: 1d3fb8f01eaa9249bd661de8e05c96d2e87dfca5 [file] [log] [blame]

Shawn Willden	c1d1fee	2016-01-26 22:44:56 -0700	[diff] [blame]	1	/*
				2	* Copyright (C) 2016 The Android Open Source Project
				3	*
				4	* Licensed under the Apache License, Version 2.0 (the "License");
				5	* you may not use this file except in compliance with the License.
				6	* You may obtain a copy of the License at
				7	*
				8	* http://www.apache.org/licenses/LICENSE-2.0
				9	*
				10	* Unless required by applicable law or agreed to in writing, software
				11	* distributed under the License is distributed on an "AS IS" BASIS,
				12	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
				13	* See the License for the specific language governing permissions and
				14	* limitations under the License.
				15	*/
				16
				17	#define LOG_TAG "keystore"
				18
				19	#include "permissions.h"
				20
				21	#include <cutils/log.h>
				22	#include <cutils/sockets.h>
				23	#include <private/android_filesystem_config.h>
				24
				25	#include <selinux/android.h>
				26
				27	#include "keystore_utils.h"
				28
				29	/* perm_labels associcated with keystore_key SELinux class verbs. */
				30	const char* perm_labels[] = {
				31	"get_state", "get", "insert", "delete", "exist", "list",
				32	"reset", "password", "lock", "unlock", "is_empty", "sign",
				33	"verify", "grant", "duplicate", "clear_uid", "add_auth", "user_changed",
				34	};
				35
				36	struct user_euid {
				37	uid_t uid;
				38	uid_t euid;
				39	};
				40
				41	user_euid user_euids[] = {
				42	{AID_VPN, AID_SYSTEM}, {AID_WIFI, AID_SYSTEM}, {AID_ROOT, AID_SYSTEM},
				43	};
				44
				45	struct user_perm {
				46	uid_t uid;
				47	perm_t perms;
				48	};
				49
				50	static user_perm user_perms[] = {
				51	{AID_SYSTEM, static_cast<perm_t>((uint32_t)(~0))},
				52	{AID_VPN, static_cast<perm_t>(P_GET \| P_SIGN \| P_VERIFY)},
				53	{AID_WIFI, static_cast<perm_t>(P_GET \| P_SIGN \| P_VERIFY)},
				54	{AID_ROOT, static_cast<perm_t>(P_GET)},
				55	};
				56
				57	static const perm_t DEFAULT_PERMS = static_cast<perm_t>(P_GET_STATE \| P_GET \| P_INSERT \| P_DELETE \|
				58	P_EXIST \| P_LIST \| P_SIGN \| P_VERIFY);
				59
				60	struct audit_data {
				61	pid_t pid;
				62	uid_t uid;
				63	};
				64
				65	const char* get_perm_label(perm_t perm) {
				66	unsigned int index = ffs(perm);
				67	if (index > 0 && index <= (sizeof(perm_labels) / sizeof(perm_labels[0]))) {
				68	return perm_labels[index - 1];
				69	} else {
				70	ALOGE("Keystore: Failed to retrieve permission label.\n");
				71	abort();
				72	}
				73	}
				74
				75	static int audit_callback(void* data, security_class_t /* cls /, char buf, size_t len) {
				76	struct audit_data* ad = reinterpret_cast<struct audit_data*>(data);
				77	if (!ad) {
				78	ALOGE("No keystore audit data");
				79	return 0;
				80	}
				81
				82	snprintf(buf, len, "pid=%d uid=%d", ad->pid, ad->uid);
				83	return 0;
				84	}
				85
				86	static char* tctx;
Shawn Willden	c1d1fee	2016-01-26 22:44:56 -0700	[diff] [blame]	87
				88	int configure_selinux() {
Nick Kralevich	d13eef0	2016-12-09 17:11:22 -0800	[diff] [blame]	89	union selinux_callback cb;
				90	cb.func_audit = audit_callback;
				91	selinux_set_callback(SELINUX_CB_AUDIT, cb);
				92	cb.func_log = selinux_log_callback;
				93	selinux_set_callback(SELINUX_CB_LOG, cb);
				94	if (getcon(&tctx) != 0) {
				95	ALOGE("SELinux: Could not acquire target context. Aborting keystore.\n");
				96	return -1;
Shawn Willden	c1d1fee	2016-01-26 22:44:56 -0700	[diff] [blame]	97	}
				98
				99	return 0;
				100	}
				101
				102	static bool keystore_selinux_check_access(uid_t uid, perm_t perm, pid_t spid) {
Shawn Willden	c1d1fee	2016-01-26 22:44:56 -0700	[diff] [blame]	103	audit_data ad;
				104	char* sctx = NULL;
				105	const char* selinux_class = "keystore_key";
				106	const char* str_perm = get_perm_label(perm);
				107
				108	if (!str_perm) {
				109	return false;
				110	}
				111
				112	if (getpidcon(spid, &sctx) != 0) {
				113	ALOGE("SELinux: Failed to get source pid context.\n");
				114	return false;
				115	}
				116
				117	ad.pid = spid;
				118	ad.uid = uid;
				119
				120	bool allowed = selinux_check_access(sctx, tctx, selinux_class, str_perm,
				121	reinterpret_cast<void*>(&ad)) == 0;
				122	freecon(sctx);
				123	return allowed;
				124	}
				125
				126	/**
				127	* Returns the UID that the callingUid should act as. This is here for
				128	* legacy support of the WiFi and VPN systems and should be removed
				129	* when WiFi can operate in its own namespace.
				130	*/
				131	uid_t get_keystore_euid(uid_t uid) {
				132	for (size_t i = 0; i < sizeof(user_euids) / sizeof(user_euids[0]); i++) {
				133	struct user_euid user = user_euids[i];
				134	if (user.uid == uid) {
				135	return user.euid;
				136	}
				137	}
				138
				139	return uid;
				140	}
				141
				142	bool has_permission(uid_t uid, perm_t perm, pid_t spid) {
				143	// All system users are equivalent for multi-user support.
				144	if (get_app_id(uid) == AID_SYSTEM) {
				145	uid = AID_SYSTEM;
				146	}
				147
				148	for (size_t i = 0; i < sizeof(user_perms) / sizeof(user_perms[0]); i++) {
				149	struct user_perm user = user_perms[i];
				150	if (user.uid == uid) {
				151	return (user.perms & perm) && keystore_selinux_check_access(uid, perm, spid);
				152	}
				153	}
				154
				155	return (DEFAULT_PERMS & perm) && keystore_selinux_check_access(uid, perm, spid);
				156	}
				157
				158	/**
				159	* Returns true if the callingUid is allowed to interact in the targetUid's
				160	* namespace.
				161	*/
				162	bool is_granted_to(uid_t callingUid, uid_t targetUid) {
				163	if (callingUid == targetUid) {
				164	return true;
				165	}
				166	for (size_t i = 0; i < sizeof(user_euids) / sizeof(user_euids[0]); i++) {
				167	struct user_euid user = user_euids[i];
				168	if (user.euid == callingUid && user.uid == targetUid) {
				169	return true;
				170	}
				171	}
				172
				173	return false;
				174	}