1/* Copyright 2008 The Android Open Source Project 2 */ 3 4#include <errno.h> 5#include <fcntl.h> 6#include <inttypes.h> 7#include <stdio.h> 8#include <stdlib.h> 9#include <string.h> 10 11#include <cutils/android_filesystem_config.h> 12#include <cutils/multiuser.h> 13 14#include <selinux/android.h> 15#include <selinux/avc.h> 16 17#include "binder.h" 18 19#ifdef VENDORSERVICEMANAGER 20#define LOG_TAG "VendorServiceManager" 21#else 22#define LOG_TAG "ServiceManager" 23#endif 24#include <log/log.h> 25 26struct audit_data { 27 pid_t pid; 28 uid_t uid; 29 const char *name; 30}; 31 32const char *str8(const uint16_t *x, size_t x_len) 33{ 34 static char buf[128]; 35 size_t max = 127; 36 char *p = buf; 37 38 if (x_len < max) { 39 max = x_len; 40 } 41 42 if (x) { 43 while ((max > 0) && (*x != '\0')) { 44 *p++ = *x++; 45 max--; 46 } 47 } 48 *p++ = 0; 49 return buf; 50} 51 52int str16eq(const uint16_t *a, const char *b) 53{ 54 while (*a && *b) 55 if (*a++ != *b++) return 0; 56 if (*a || *b) 57 return 0; 58 return 1; 59} 60 61static char *service_manager_context; 62static struct selabel_handle* sehandle; 63 64static bool check_mac_perms(pid_t spid, uid_t uid, const char *tctx, const char *perm, const char *name) 65{ 66 char *sctx = NULL; 67 const char *class = "service_manager"; 68 bool allowed; 69 struct audit_data ad; 70 71 if (getpidcon(spid, &sctx) < 0) { 72 ALOGE("SELinux: getpidcon(pid=%d) failed to retrieve pid context.\n", spid); 73 return false; 74 } 75 76 ad.pid = spid; 77 ad.uid = uid; 78 ad.name = name; 79 80 int result = selinux_check_access(sctx, tctx, class, perm, (void *) &ad); 81 allowed = (result == 0); 82 83 freecon(sctx); 84 return allowed; 85} 86 87static bool check_mac_perms_from_getcon(pid_t spid, uid_t uid, const char *perm) 88{ 89 return check_mac_perms(spid, uid, service_manager_context, perm, NULL); 90} 91 92static bool check_mac_perms_from_lookup(pid_t spid, uid_t uid, const char *perm, const char *name) 93{ 94 bool allowed; 95 char *tctx = NULL; 96 97 if (!sehandle) { 98 ALOGE("SELinux: Failed to find sehandle. Aborting service_manager.\n"); 99 abort(); 100 } 101 102 if (selabel_lookup(sehandle, &tctx, name, 0) != 0) { 103 ALOGE("SELinux: No match for %s in service_contexts.\n", name); 104 return false; 105 } 106 107 allowed = check_mac_perms(spid, uid, tctx, perm, name); 108 freecon(tctx); 109 return allowed; 110} 111 112static int svc_can_register(const uint16_t *name, size_t name_len, pid_t spid, uid_t uid) 113{ 114 const char *perm = "add"; 115 116 if (multiuser_get_app_id(uid) >= AID_APP) { 117 return 0; /* Don't allow apps to register services */ 118 } 119 120 return check_mac_perms_from_lookup(spid, uid, perm, str8(name, name_len)) ? 1 : 0; 121} 122 123static int svc_can_list(pid_t spid, uid_t uid) 124{ 125 const char *perm = "list"; 126 return check_mac_perms_from_getcon(spid, uid, perm) ? 1 : 0; 127} 128 129static int svc_can_find(const uint16_t *name, size_t name_len, pid_t spid, uid_t uid) 130{ 131 const char *perm = "find"; 132 return check_mac_perms_from_lookup(spid, uid, perm, str8(name, name_len)) ? 1 : 0; 133} 134 135struct svcinfo 136{ 137 struct svcinfo *next; 138 uint32_t handle; 139 struct binder_death death; 140 int allow_isolated; 141 uint32_t dumpsys_priority; 142 size_t len; 143 uint16_t name[0]; 144}; 145 146struct svcinfo *svclist = NULL; 147 148struct svcinfo *find_svc(const uint16_t *s16, size_t len) 149{ 150 struct svcinfo *si; 151 152 for (si = svclist; si; si = si->next) { 153 if ((len == si->len) && 154 !memcmp(s16, si->name, len * sizeof(uint16_t))) { 155 return si; 156 } 157 } 158 return NULL; 159} 160 161void svcinfo_death(struct binder_state *bs, void *ptr) 162{ 163 struct svcinfo *si = (struct svcinfo* ) ptr; 164 165 ALOGI("service '%s' died\n", str8(si->name, si->len)); 166 if (si->handle) { 167 binder_release(bs, si->handle); 168 si->handle = 0; 169 } 170} 171 172uint16_t svcmgr_id[] = { 173 'a','n','d','r','o','i','d','.','o','s','.', 174 'I','S','e','r','v','i','c','e','M','a','n','a','g','e','r' 175}; 176 177 178uint32_t do_find_service(const uint16_t *s, size_t len, uid_t uid, pid_t spid) 179{ 180 struct svcinfo *si = find_svc(s, len); 181 182 if (!si || !si->handle) { 183 return 0; 184 } 185 186 if (!si->allow_isolated) { 187 // If this service doesn't allow access from isolated processes, 188 // then check the uid to see if it is isolated. 189 uid_t appid = uid % AID_USER; 190 if (appid >= AID_ISOLATED_START && appid <= AID_ISOLATED_END) { 191 return 0; 192 } 193 } 194 195 if (!svc_can_find(s, len, spid, uid)) { 196 return 0; 197 } 198 199 return si->handle; 200} 201 202int do_add_service(struct binder_state *bs, const uint16_t *s, size_t len, uint32_t handle, 203 uid_t uid, int allow_isolated, uint32_t dumpsys_priority, pid_t spid) { 204 struct svcinfo *si; 205 206 //ALOGI("add_service('%s',%x,%s) uid=%d\n", str8(s, len), handle, 207 // allow_isolated ? "allow_isolated" : "!allow_isolated", uid); 208 209 if (!handle || (len == 0) || (len > 127)) 210 return -1; 211 212 if (!svc_can_register(s, len, spid, uid)) { 213 ALOGE("add_service('%s',%x) uid=%d - PERMISSION DENIED\n", 214 str8(s, len), handle, uid); 215 return -1; 216 } 217 218 si = find_svc(s, len); 219 if (si) { 220 if (si->handle) { 221 ALOGE("add_service('%s',%x) uid=%d - ALREADY REGISTERED, OVERRIDE\n", 222 str8(s, len), handle, uid); 223 svcinfo_death(bs, si); 224 } 225 si->handle = handle; 226 } else { 227 si = malloc(sizeof(*si) + (len + 1) * sizeof(uint16_t)); 228 if (!si) { 229 ALOGE("add_service('%s',%x) uid=%d - OUT OF MEMORY\n", 230 str8(s, len), handle, uid); 231 return -1; 232 } 233 si->handle = handle; 234 si->len = len; 235 memcpy(si->name, s, (len + 1) * sizeof(uint16_t)); 236 si->name[len] = '\0'; 237 si->death.func = (void*) svcinfo_death; 238 si->death.ptr = si; 239 si->allow_isolated = allow_isolated; 240 si->dumpsys_priority = dumpsys_priority; 241 si->next = svclist; 242 svclist = si; 243 } 244 245 binder_acquire(bs, handle); 246 binder_link_to_death(bs, handle, &si->death); 247 return 0; 248} 249 250int svcmgr_handler(struct binder_state *bs, 251 struct binder_transaction_data *txn, 252 struct binder_io *msg, 253 struct binder_io *reply) 254{ 255 struct svcinfo *si; 256 uint16_t *s; 257 size_t len; 258 uint32_t handle; 259 uint32_t strict_policy; 260 int allow_isolated; 261 uint32_t dumpsys_priority; 262 263 //ALOGI("target=%p code=%d pid=%d uid=%d\n", 264 // (void*) txn->target.ptr, txn->code, txn->sender_pid, txn->sender_euid); 265 266 if (txn->target.ptr != BINDER_SERVICE_MANAGER) 267 return -1; 268 269 if (txn->code == PING_TRANSACTION) 270 return 0; 271 272 // Equivalent to Parcel::enforceInterface(), reading the RPC 273 // header with the strict mode policy mask and the interface name. 274 // Note that we ignore the strict_policy and don't propagate it 275 // further (since we do no outbound RPCs anyway). 276 strict_policy = bio_get_uint32(msg); 277 s = bio_get_string16(msg, &len); 278 if (s == NULL) { 279 return -1; 280 } 281 282 if ((len != (sizeof(svcmgr_id) / 2)) || 283 memcmp(svcmgr_id, s, sizeof(svcmgr_id))) { 284 fprintf(stderr,"invalid id %s\n", str8(s, len)); 285 return -1; 286 } 287 288 if (sehandle && selinux_status_updated() > 0) { 289#ifdef VENDORSERVICEMANAGER 290 struct selabel_handle *tmp_sehandle = selinux_android_vendor_service_context_handle(); 291#else 292 struct selabel_handle *tmp_sehandle = selinux_android_service_context_handle(); 293#endif 294 if (tmp_sehandle) { 295 selabel_close(sehandle); 296 sehandle = tmp_sehandle; 297 } 298 } 299 300 switch(txn->code) { 301 case SVC_MGR_GET_SERVICE: 302 case SVC_MGR_CHECK_SERVICE: 303 s = bio_get_string16(msg, &len); 304 if (s == NULL) { 305 return -1; 306 } 307 handle = do_find_service(s, len, txn->sender_euid, txn->sender_pid); 308 if (!handle) 309 break; 310 bio_put_ref(reply, handle); 311 return 0; 312 313 case SVC_MGR_ADD_SERVICE: 314 s = bio_get_string16(msg, &len); 315 if (s == NULL) { 316 return -1; 317 } 318 handle = bio_get_ref(msg); 319 allow_isolated = bio_get_uint32(msg) ? 1 : 0; 320 dumpsys_priority = bio_get_uint32(msg); 321 if (do_add_service(bs, s, len, handle, txn->sender_euid, allow_isolated, dumpsys_priority, 322 txn->sender_pid)) 323 return -1; 324 break; 325 326 case SVC_MGR_LIST_SERVICES: { 327 uint32_t n = bio_get_uint32(msg); 328 uint32_t req_dumpsys_priority = bio_get_uint32(msg); 329 330 if (!svc_can_list(txn->sender_pid, txn->sender_euid)) { 331 ALOGE("list_service() uid=%d - PERMISSION DENIED\n", 332 txn->sender_euid); 333 return -1; 334 } 335 si = svclist; 336 // walk through the list of services n times skipping services that 337 // do not support the requested priority 338 while (si) { 339 if (si->dumpsys_priority & req_dumpsys_priority) { 340 if (n == 0) break; 341 n--; 342 } 343 si = si->next; 344 } 345 if (si) { 346 bio_put_string16(reply, si->name); 347 return 0; 348 } 349 return -1; 350 } 351 default: 352 ALOGE("unknown code %d\n", txn->code); 353 return -1; 354 } 355 356 bio_put_uint32(reply, 0); 357 return 0; 358} 359 360 361static int audit_callback(void *data, __unused security_class_t cls, char *buf, size_t len) 362{ 363 struct audit_data *ad = (struct audit_data *)data; 364 365 if (!ad || !ad->name) { 366 ALOGE("No service manager audit data"); 367 return 0; 368 } 369 370 snprintf(buf, len, "service=%s pid=%d uid=%d", ad->name, ad->pid, ad->uid); 371 return 0; 372} 373 374int main(int argc, char** argv) 375{ 376 struct binder_state *bs; 377 union selinux_callback cb; 378 char *driver; 379 380 if (argc > 1) { 381 driver = argv[1]; 382 } else { 383 driver = "/dev/binder"; 384 } 385 386 bs = binder_open(driver, 128*1024); 387 if (!bs) { 388#ifdef VENDORSERVICEMANAGER 389 ALOGW("failed to open binder driver %s\n", driver); 390 while (true) { 391 sleep(UINT_MAX); 392 } 393#else 394 ALOGE("failed to open binder driver %s\n", driver); 395#endif 396 return -1; 397 } 398 399 if (binder_become_context_manager(bs)) { 400 ALOGE("cannot become context manager (%s)\n", strerror(errno)); 401 return -1; 402 } 403 404 cb.func_audit = audit_callback; 405 selinux_set_callback(SELINUX_CB_AUDIT, cb); 406 cb.func_log = selinux_log_callback; 407 selinux_set_callback(SELINUX_CB_LOG, cb); 408 409#ifdef VENDORSERVICEMANAGER 410 sehandle = selinux_android_vendor_service_context_handle(); 411#else 412 sehandle = selinux_android_service_context_handle(); 413#endif 414 selinux_status_open(true); 415 416 if (sehandle == NULL) { 417 ALOGE("SELinux: Failed to acquire sehandle. Aborting.\n"); 418 abort(); 419 } 420 421 if (getcon(&service_manager_context) != 0) { 422 ALOGE("SELinux: Failed to acquire service_manager context. Aborting.\n"); 423 abort(); 424 } 425 426 427 binder_loop(bs, svcmgr_handler); 428 429 return 0; 430} 431