1/* Copyright 2008 The Android Open Source Project
2 */
3
4#include <errno.h>
5#include <fcntl.h>
6#include <inttypes.h>
7#include <stdio.h>
8#include <stdlib.h>
9#include <string.h>
10
11#include <cutils/android_filesystem_config.h>
12#include <cutils/multiuser.h>
13
14#include <selinux/android.h>
15#include <selinux/avc.h>
16
17#include "binder.h"
18
19#ifdef VENDORSERVICEMANAGER
20#define LOG_TAG "VendorServiceManager"
21#else
22#define LOG_TAG "ServiceManager"
23#endif
24#include <log/log.h>
25
26struct audit_data {
27    pid_t pid;
28    uid_t uid;
29    const char *name;
30};
31
32const char *str8(const uint16_t *x, size_t x_len)
33{
34    static char buf[128];
35    size_t max = 127;
36    char *p = buf;
37
38    if (x_len < max) {
39        max = x_len;
40    }
41
42    if (x) {
43        while ((max > 0) && (*x != '\0')) {
44            *p++ = *x++;
45            max--;
46        }
47    }
48    *p++ = 0;
49    return buf;
50}
51
52int str16eq(const uint16_t *a, const char *b)
53{
54    while (*a && *b)
55        if (*a++ != *b++) return 0;
56    if (*a || *b)
57        return 0;
58    return 1;
59}
60
61static char *service_manager_context;
62static struct selabel_handle* sehandle;
63
64static bool check_mac_perms(pid_t spid, uid_t uid, const char *tctx, const char *perm, const char *name)
65{
66    char *sctx = NULL;
67    const char *class = "service_manager";
68    bool allowed;
69    struct audit_data ad;
70
71    if (getpidcon(spid, &sctx) < 0) {
72        ALOGE("SELinux: getpidcon(pid=%d) failed to retrieve pid context.\n", spid);
73        return false;
74    }
75
76    ad.pid = spid;
77    ad.uid = uid;
78    ad.name = name;
79
80    int result = selinux_check_access(sctx, tctx, class, perm, (void *) &ad);
81    allowed = (result == 0);
82
83    freecon(sctx);
84    return allowed;
85}
86
87static bool check_mac_perms_from_getcon(pid_t spid, uid_t uid, const char *perm)
88{
89    return check_mac_perms(spid, uid, service_manager_context, perm, NULL);
90}
91
92static bool check_mac_perms_from_lookup(pid_t spid, uid_t uid, const char *perm, const char *name)
93{
94    bool allowed;
95    char *tctx = NULL;
96
97    if (!sehandle) {
98        ALOGE("SELinux: Failed to find sehandle. Aborting service_manager.\n");
99        abort();
100    }
101
102    if (selabel_lookup(sehandle, &tctx, name, 0) != 0) {
103        ALOGE("SELinux: No match for %s in service_contexts.\n", name);
104        return false;
105    }
106
107    allowed = check_mac_perms(spid, uid, tctx, perm, name);
108    freecon(tctx);
109    return allowed;
110}
111
112static int svc_can_register(const uint16_t *name, size_t name_len, pid_t spid, uid_t uid)
113{
114    const char *perm = "add";
115
116    if (multiuser_get_app_id(uid) >= AID_APP) {
117        return 0; /* Don't allow apps to register services */
118    }
119
120    return check_mac_perms_from_lookup(spid, uid, perm, str8(name, name_len)) ? 1 : 0;
121}
122
123static int svc_can_list(pid_t spid, uid_t uid)
124{
125    const char *perm = "list";
126    return check_mac_perms_from_getcon(spid, uid, perm) ? 1 : 0;
127}
128
129static int svc_can_find(const uint16_t *name, size_t name_len, pid_t spid, uid_t uid)
130{
131    const char *perm = "find";
132    return check_mac_perms_from_lookup(spid, uid, perm, str8(name, name_len)) ? 1 : 0;
133}
134
135struct svcinfo
136{
137    struct svcinfo *next;
138    uint32_t handle;
139    struct binder_death death;
140    int allow_isolated;
141    uint32_t dumpsys_priority;
142    size_t len;
143    uint16_t name[0];
144};
145
146struct svcinfo *svclist = NULL;
147
148struct svcinfo *find_svc(const uint16_t *s16, size_t len)
149{
150    struct svcinfo *si;
151
152    for (si = svclist; si; si = si->next) {
153        if ((len == si->len) &&
154            !memcmp(s16, si->name, len * sizeof(uint16_t))) {
155            return si;
156        }
157    }
158    return NULL;
159}
160
161void svcinfo_death(struct binder_state *bs, void *ptr)
162{
163    struct svcinfo *si = (struct svcinfo* ) ptr;
164
165    ALOGI("service '%s' died\n", str8(si->name, si->len));
166    if (si->handle) {
167        binder_release(bs, si->handle);
168        si->handle = 0;
169    }
170}
171
172uint16_t svcmgr_id[] = {
173    'a','n','d','r','o','i','d','.','o','s','.',
174    'I','S','e','r','v','i','c','e','M','a','n','a','g','e','r'
175};
176
177
178uint32_t do_find_service(const uint16_t *s, size_t len, uid_t uid, pid_t spid)
179{
180    struct svcinfo *si = find_svc(s, len);
181
182    if (!si || !si->handle) {
183        return 0;
184    }
185
186    if (!si->allow_isolated) {
187        // If this service doesn't allow access from isolated processes,
188        // then check the uid to see if it is isolated.
189        uid_t appid = uid % AID_USER;
190        if (appid >= AID_ISOLATED_START && appid <= AID_ISOLATED_END) {
191            return 0;
192        }
193    }
194
195    if (!svc_can_find(s, len, spid, uid)) {
196        return 0;
197    }
198
199    return si->handle;
200}
201
202int do_add_service(struct binder_state *bs, const uint16_t *s, size_t len, uint32_t handle,
203                   uid_t uid, int allow_isolated, uint32_t dumpsys_priority, pid_t spid) {
204    struct svcinfo *si;
205
206    //ALOGI("add_service('%s',%x,%s) uid=%d\n", str8(s, len), handle,
207    //        allow_isolated ? "allow_isolated" : "!allow_isolated", uid);
208
209    if (!handle || (len == 0) || (len > 127))
210        return -1;
211
212    if (!svc_can_register(s, len, spid, uid)) {
213        ALOGE("add_service('%s',%x) uid=%d - PERMISSION DENIED\n",
214             str8(s, len), handle, uid);
215        return -1;
216    }
217
218    si = find_svc(s, len);
219    if (si) {
220        if (si->handle) {
221            ALOGE("add_service('%s',%x) uid=%d - ALREADY REGISTERED, OVERRIDE\n",
222                 str8(s, len), handle, uid);
223            svcinfo_death(bs, si);
224        }
225        si->handle = handle;
226    } else {
227        si = malloc(sizeof(*si) + (len + 1) * sizeof(uint16_t));
228        if (!si) {
229            ALOGE("add_service('%s',%x) uid=%d - OUT OF MEMORY\n",
230                 str8(s, len), handle, uid);
231            return -1;
232        }
233        si->handle = handle;
234        si->len = len;
235        memcpy(si->name, s, (len + 1) * sizeof(uint16_t));
236        si->name[len] = '\0';
237        si->death.func = (void*) svcinfo_death;
238        si->death.ptr = si;
239        si->allow_isolated = allow_isolated;
240        si->dumpsys_priority = dumpsys_priority;
241        si->next = svclist;
242        svclist = si;
243    }
244
245    binder_acquire(bs, handle);
246    binder_link_to_death(bs, handle, &si->death);
247    return 0;
248}
249
250int svcmgr_handler(struct binder_state *bs,
251                   struct binder_transaction_data *txn,
252                   struct binder_io *msg,
253                   struct binder_io *reply)
254{
255    struct svcinfo *si;
256    uint16_t *s;
257    size_t len;
258    uint32_t handle;
259    uint32_t strict_policy;
260    int allow_isolated;
261    uint32_t dumpsys_priority;
262
263    //ALOGI("target=%p code=%d pid=%d uid=%d\n",
264    //      (void*) txn->target.ptr, txn->code, txn->sender_pid, txn->sender_euid);
265
266    if (txn->target.ptr != BINDER_SERVICE_MANAGER)
267        return -1;
268
269    if (txn->code == PING_TRANSACTION)
270        return 0;
271
272    // Equivalent to Parcel::enforceInterface(), reading the RPC
273    // header with the strict mode policy mask and the interface name.
274    // Note that we ignore the strict_policy and don't propagate it
275    // further (since we do no outbound RPCs anyway).
276    strict_policy = bio_get_uint32(msg);
277    s = bio_get_string16(msg, &len);
278    if (s == NULL) {
279        return -1;
280    }
281
282    if ((len != (sizeof(svcmgr_id) / 2)) ||
283        memcmp(svcmgr_id, s, sizeof(svcmgr_id))) {
284        fprintf(stderr,"invalid id %s\n", str8(s, len));
285        return -1;
286    }
287
288    if (sehandle && selinux_status_updated() > 0) {
289#ifdef VENDORSERVICEMANAGER
290        struct selabel_handle *tmp_sehandle = selinux_android_vendor_service_context_handle();
291#else
292        struct selabel_handle *tmp_sehandle = selinux_android_service_context_handle();
293#endif
294        if (tmp_sehandle) {
295            selabel_close(sehandle);
296            sehandle = tmp_sehandle;
297        }
298    }
299
300    switch(txn->code) {
301    case SVC_MGR_GET_SERVICE:
302    case SVC_MGR_CHECK_SERVICE:
303        s = bio_get_string16(msg, &len);
304        if (s == NULL) {
305            return -1;
306        }
307        handle = do_find_service(s, len, txn->sender_euid, txn->sender_pid);
308        if (!handle)
309            break;
310        bio_put_ref(reply, handle);
311        return 0;
312
313    case SVC_MGR_ADD_SERVICE:
314        s = bio_get_string16(msg, &len);
315        if (s == NULL) {
316            return -1;
317        }
318        handle = bio_get_ref(msg);
319        allow_isolated = bio_get_uint32(msg) ? 1 : 0;
320        dumpsys_priority = bio_get_uint32(msg);
321        if (do_add_service(bs, s, len, handle, txn->sender_euid, allow_isolated, dumpsys_priority,
322                           txn->sender_pid))
323            return -1;
324        break;
325
326    case SVC_MGR_LIST_SERVICES: {
327        uint32_t n = bio_get_uint32(msg);
328        uint32_t req_dumpsys_priority = bio_get_uint32(msg);
329
330        if (!svc_can_list(txn->sender_pid, txn->sender_euid)) {
331            ALOGE("list_service() uid=%d - PERMISSION DENIED\n",
332                    txn->sender_euid);
333            return -1;
334        }
335        si = svclist;
336        // walk through the list of services n times skipping services that
337        // do not support the requested priority
338        while (si) {
339            if (si->dumpsys_priority & req_dumpsys_priority) {
340                if (n == 0) break;
341                n--;
342            }
343            si = si->next;
344        }
345        if (si) {
346            bio_put_string16(reply, si->name);
347            return 0;
348        }
349        return -1;
350    }
351    default:
352        ALOGE("unknown code %d\n", txn->code);
353        return -1;
354    }
355
356    bio_put_uint32(reply, 0);
357    return 0;
358}
359
360
361static int audit_callback(void *data, __unused security_class_t cls, char *buf, size_t len)
362{
363    struct audit_data *ad = (struct audit_data *)data;
364
365    if (!ad || !ad->name) {
366        ALOGE("No service manager audit data");
367        return 0;
368    }
369
370    snprintf(buf, len, "service=%s pid=%d uid=%d", ad->name, ad->pid, ad->uid);
371    return 0;
372}
373
374int main(int argc, char** argv)
375{
376    struct binder_state *bs;
377    union selinux_callback cb;
378    char *driver;
379
380    if (argc > 1) {
381        driver = argv[1];
382    } else {
383        driver = "/dev/binder";
384    }
385
386    bs = binder_open(driver, 128*1024);
387    if (!bs) {
388#ifdef VENDORSERVICEMANAGER
389        ALOGW("failed to open binder driver %s\n", driver);
390        while (true) {
391            sleep(UINT_MAX);
392        }
393#else
394        ALOGE("failed to open binder driver %s\n", driver);
395#endif
396        return -1;
397    }
398
399    if (binder_become_context_manager(bs)) {
400        ALOGE("cannot become context manager (%s)\n", strerror(errno));
401        return -1;
402    }
403
404    cb.func_audit = audit_callback;
405    selinux_set_callback(SELINUX_CB_AUDIT, cb);
406    cb.func_log = selinux_log_callback;
407    selinux_set_callback(SELINUX_CB_LOG, cb);
408
409#ifdef VENDORSERVICEMANAGER
410    sehandle = selinux_android_vendor_service_context_handle();
411#else
412    sehandle = selinux_android_service_context_handle();
413#endif
414    selinux_status_open(true);
415
416    if (sehandle == NULL) {
417        ALOGE("SELinux: Failed to acquire sehandle. Aborting.\n");
418        abort();
419    }
420
421    if (getcon(&service_manager_context) != 0) {
422        ALOGE("SELinux: Failed to acquire service_manager context. Aborting.\n");
423        abort();
424    }
425
426
427    binder_loop(bs, svcmgr_handler);
428
429    return 0;
430}
431