service_manager.c revision 61f8dfa24b0846ae66328891f8facf9e06237c15 
1/* Copyright 2008 The Android Open Source Project
2 */
3
4#include <errno.h>
5#include <fcntl.h>
6#include <inttypes.h>
7#include <stdio.h>
8#include <stdlib.h>
9#include <string.h>
10
11#include <cutils/multiuser.h>
12
13#include <private/android_filesystem_config.h>
14
15#include <selinux/android.h>
16#include <selinux/avc.h>
17
18#include "binder.h"
19
20#ifdef VENDORSERVICEMANAGER
21#define LOG_TAG "VendorServiceManager"
22#else
23#define LOG_TAG "ServiceManager"
24#endif
25#include <log/log.h>
26
27struct audit_data {
28    pid_t pid;
29    uid_t uid;
30    const char *name;
31};
32
33const char *str8(const uint16_t *x, size_t x_len)
34{
35    static char buf[128];
36    size_t max = 127;
37    char *p = buf;
38
39    if (x_len < max) {
40        max = x_len;
41    }
42
43    if (x) {
44        while ((max > 0) && (*x != '\0')) {
45            *p++ = *x++;
46            max--;
47        }
48    }
49    *p++ = 0;
50    return buf;
51}
52
53int str16eq(const uint16_t *a, const char *b)
54{
55    while (*a && *b)
56        if (*a++ != *b++) return 0;
57    if (*a || *b)
58        return 0;
59    return 1;
60}
61
62static char *service_manager_context;
63static struct selabel_handle* sehandle;
64
65static bool check_mac_perms(pid_t spid, uid_t uid, const char *tctx, const char *perm, const char *name)
66{
67    char *sctx = NULL;
68    const char *class = "service_manager";
69    bool allowed;
70    struct audit_data ad;
71
72    if (getpidcon(spid, &sctx) < 0) {
73        ALOGE("SELinux: getpidcon(pid=%d) failed to retrieve pid context.\n", spid);
74        return false;
75    }
76
77    ad.pid = spid;
78    ad.uid = uid;
79    ad.name = name;
80
81    int result = selinux_check_access(sctx, tctx, class, perm, (void *) &ad);
82    allowed = (result == 0);
83
84    freecon(sctx);
85    return allowed;
86}
87
88static bool check_mac_perms_from_getcon(pid_t spid, uid_t uid, const char *perm)
89{
90    return check_mac_perms(spid, uid, service_manager_context, perm, NULL);
91}
92
93static bool check_mac_perms_from_lookup(pid_t spid, uid_t uid, const char *perm, const char *name)
94{
95    bool allowed;
96    char *tctx = NULL;
97
98    if (!sehandle) {
99        ALOGE("SELinux: Failed to find sehandle. Aborting service_manager.\n");
100        abort();
101    }
102
103    if (selabel_lookup(sehandle, &tctx, name, 0) != 0) {
104        ALOGE("SELinux: No match for %s in service_contexts.\n", name);
105        return false;
106    }
107
108    allowed = check_mac_perms(spid, uid, tctx, perm, name);
109    freecon(tctx);
110    return allowed;
111}
112
113static int svc_can_register(const uint16_t *name, size_t name_len, pid_t spid, uid_t uid)
114{
115    const char *perm = "add";
116
117    if (multiuser_get_app_id(uid) >= AID_APP) {
118        return 0; /* Don't allow apps to register services */
119    }
120
121    return check_mac_perms_from_lookup(spid, uid, perm, str8(name, name_len)) ? 1 : 0;
122}
123
124static int svc_can_list(pid_t spid, uid_t uid)
125{
126    const char *perm = "list";
127    return check_mac_perms_from_getcon(spid, uid, perm) ? 1 : 0;
128}
129
130static int svc_can_find(const uint16_t *name, size_t name_len, pid_t spid, uid_t uid)
131{
132    const char *perm = "find";
133    return check_mac_perms_from_lookup(spid, uid, perm, str8(name, name_len)) ? 1 : 0;
134}
135
136struct svcinfo
137{
138    struct svcinfo *next;
139    uint32_t handle;
140    struct binder_death death;
141    int allow_isolated;
142    size_t len;
143    uint16_t name[0];
144};
145
146struct svcinfo *svclist = NULL;
147
148struct svcinfo *find_svc(const uint16_t *s16, size_t len)
149{
150    struct svcinfo *si;
151
152    for (si = svclist; si; si = si->next) {
153        if ((len == si->len) &&
154            !memcmp(s16, si->name, len * sizeof(uint16_t))) {
155            return si;
156        }
157    }
158    return NULL;
159}
160
161void svcinfo_death(struct binder_state *bs, void *ptr)
162{
163    struct svcinfo *si = (struct svcinfo* ) ptr;
164
165    ALOGI("service '%s' died\n", str8(si->name, si->len));
166    if (si->handle) {
167        binder_release(bs, si->handle);
168        si->handle = 0;
169    }
170}
171
172uint16_t svcmgr_id[] = {
173    'a','n','d','r','o','i','d','.','o','s','.',
174    'I','S','e','r','v','i','c','e','M','a','n','a','g','e','r'
175};
176
177
178uint32_t do_find_service(const uint16_t *s, size_t len, uid_t uid, pid_t spid)
179{
180    struct svcinfo *si = find_svc(s, len);
181
182    if (!si || !si->handle) {
183        return 0;
184    }
185
186    if (!si->allow_isolated) {
187        // If this service doesn't allow access from isolated processes,
188        // then check the uid to see if it is isolated.
189        uid_t appid = uid % AID_USER;
190        if (appid >= AID_ISOLATED_START && appid <= AID_ISOLATED_END) {
191            return 0;
192        }
193    }
194
195    if (!svc_can_find(s, len, spid, uid)) {
196        return 0;
197    }
198
199    return si->handle;
200}
201
202int do_add_service(struct binder_state *bs,
203                   const uint16_t *s, size_t len,
204                   uint32_t handle, uid_t uid, int allow_isolated,
205                   pid_t spid)
206{
207    struct svcinfo *si;
208
209    //ALOGI("add_service('%s',%x,%s) uid=%d\n", str8(s, len), handle,
210    //        allow_isolated ? "allow_isolated" : "!allow_isolated", uid);
211
212    if (!handle || (len == 0) || (len > 127))
213        return -1;
214
215    if (!svc_can_register(s, len, spid, uid)) {
216        ALOGE("add_service('%s',%x) uid=%d - PERMISSION DENIED\n",
217             str8(s, len), handle, uid);
218        return -1;
219    }
220
221    si = find_svc(s, len);
222    if (si) {
223        if (si->handle) {
224            ALOGE("add_service('%s',%x) uid=%d - ALREADY REGISTERED, OVERRIDE\n",
225                 str8(s, len), handle, uid);
226            svcinfo_death(bs, si);
227        }
228        si->handle = handle;
229    } else {
230        si = malloc(sizeof(*si) + (len + 1) * sizeof(uint16_t));
231        if (!si) {
232            ALOGE("add_service('%s',%x) uid=%d - OUT OF MEMORY\n",
233                 str8(s, len), handle, uid);
234            return -1;
235        }
236        si->handle = handle;
237        si->len = len;
238        memcpy(si->name, s, (len + 1) * sizeof(uint16_t));
239        si->name[len] = '\0';
240        si->death.func = (void*) svcinfo_death;
241        si->death.ptr = si;
242        si->allow_isolated = allow_isolated;
243        si->next = svclist;
244        svclist = si;
245    }
246
247    binder_acquire(bs, handle);
248    binder_link_to_death(bs, handle, &si->death);
249    return 0;
250}
251
252int svcmgr_handler(struct binder_state *bs,
253                   struct binder_transaction_data *txn,
254                   struct binder_io *msg,
255                   struct binder_io *reply)
256{
257    struct svcinfo *si;
258    uint16_t *s;
259    size_t len;
260    uint32_t handle;
261    uint32_t strict_policy;
262    int allow_isolated;
263
264    //ALOGI("target=%p code=%d pid=%d uid=%d\n",
265    //      (void*) txn->target.ptr, txn->code, txn->sender_pid, txn->sender_euid);
266
267    if (txn->target.ptr != BINDER_SERVICE_MANAGER)
268        return -1;
269
270    if (txn->code == PING_TRANSACTION)
271        return 0;
272
273    // Equivalent to Parcel::enforceInterface(), reading the RPC
274    // header with the strict mode policy mask and the interface name.
275    // Note that we ignore the strict_policy and don't propagate it
276    // further (since we do no outbound RPCs anyway).
277    strict_policy = bio_get_uint32(msg);
278    s = bio_get_string16(msg, &len);
279    if (s == NULL) {
280        return -1;
281    }
282
283    if ((len != (sizeof(svcmgr_id) / 2)) ||
284        memcmp(svcmgr_id, s, sizeof(svcmgr_id))) {
285        fprintf(stderr,"invalid id %s\n", str8(s, len));
286        return -1;
287    }
288
289    if (sehandle && selinux_status_updated() > 0) {
290#ifdef VENDORSERVICEMANAGER
291        struct selabel_handle *tmp_sehandle = selinux_android_vendor_service_context_handle();
292#else
293        struct selabel_handle *tmp_sehandle = selinux_android_service_context_handle();
294#endif
295        if (tmp_sehandle) {
296            selabel_close(sehandle);
297            sehandle = tmp_sehandle;
298        }
299    }
300
301    switch(txn->code) {
302    case SVC_MGR_GET_SERVICE:
303    case SVC_MGR_CHECK_SERVICE:
304        s = bio_get_string16(msg, &len);
305        if (s == NULL) {
306            return -1;
307        }
308        handle = do_find_service(s, len, txn->sender_euid, txn->sender_pid);
309        if (!handle)
310            break;
311        bio_put_ref(reply, handle);
312        return 0;
313
314    case SVC_MGR_ADD_SERVICE:
315        s = bio_get_string16(msg, &len);
316        if (s == NULL) {
317            return -1;
318        }
319        handle = bio_get_ref(msg);
320        allow_isolated = bio_get_uint32(msg) ? 1 : 0;
321        if (do_add_service(bs, s, len, handle, txn->sender_euid,
322            allow_isolated, txn->sender_pid))
323            return -1;
324        break;
325
326    case SVC_MGR_LIST_SERVICES: {
327        uint32_t n = bio_get_uint32(msg);
328
329        if (!svc_can_list(txn->sender_pid, txn->sender_euid)) {
330            ALOGE("list_service() uid=%d - PERMISSION DENIED\n",
331                    txn->sender_euid);
332            return -1;
333        }
334        si = svclist;
335        while ((n-- > 0) && si)
336            si = si->next;
337        if (si) {
338            bio_put_string16(reply, si->name);
339            return 0;
340        }
341        return -1;
342    }
343    default:
344        ALOGE("unknown code %d\n", txn->code);
345        return -1;
346    }
347
348    bio_put_uint32(reply, 0);
349    return 0;
350}
351
352
353static int audit_callback(void *data, __unused security_class_t cls, char *buf, size_t len)
354{
355    struct audit_data *ad = (struct audit_data *)data;
356
357    if (!ad || !ad->name) {
358        ALOGE("No service manager audit data");
359        return 0;
360    }
361
362    snprintf(buf, len, "service=%s pid=%d uid=%d", ad->name, ad->pid, ad->uid);
363    return 0;
364}
365
366int main(int argc, char** argv)
367{
368    struct binder_state *bs;
369    union selinux_callback cb;
370    char *driver;
371
372    if (argc > 1) {
373        driver = argv[1];
374    } else {
375        driver = "/dev/binder";
376    }
377
378    bs = binder_open(driver, 128*1024);
379    if (!bs) {
380#ifdef VENDORSERVICEMANAGER
381        ALOGW("failed to open binder driver %s\n", driver);
382        while (true) {
383            sleep(UINT_MAX);
384        }
385#else
386        ALOGE("failed to open binder driver %s\n", driver);
387#endif
388        return -1;
389    }
390
391    if (binder_become_context_manager(bs)) {
392        ALOGE("cannot become context manager (%s)\n", strerror(errno));
393        return -1;
394    }
395
396    cb.func_audit = audit_callback;
397    selinux_set_callback(SELINUX_CB_AUDIT, cb);
398    cb.func_log = selinux_log_callback;
399    selinux_set_callback(SELINUX_CB_LOG, cb);
400
401#ifdef VENDORSERVICEMANAGER
402    sehandle = selinux_android_vendor_service_context_handle();
403#else
404    sehandle = selinux_android_service_context_handle();
405#endif
406    selinux_status_open(true);
407
408    if (sehandle == NULL) {
409        ALOGE("SELinux: Failed to acquire sehandle. Aborting.\n");
410        abort();
411    }
412
413    if (getcon(&service_manager_context) != 0) {
414        ALOGE("SELinux: Failed to acquire service_manager context. Aborting.\n");
415        abort();
416    }
417
418
419    binder_loop(bs, svcmgr_handler);
420
421    return 0;
422}
423