gatekeeperd.cpp revision 0b0435ea87f87b31652a2c6272c1f77438bfcdf1
1/* 2 * Copyright (C) 2015 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17#define LOG_TAG "gatekeeperd" 18 19#include "IGateKeeperService.h" 20 21#include <errno.h> 22#include <stdint.h> 23#include <inttypes.h> 24#include <fcntl.h> 25#include <unistd.h> 26 27#include <cutils/log.h> 28#include <utils/Log.h> 29 30#include <binder/IPCThreadState.h> 31#include <binder/IServiceManager.h> 32#include <binder/PermissionCache.h> 33#include <utils/String16.h> 34#include <utils/Log.h> 35 36#include <keystore/IKeystoreService.h> 37#include <keystore/keystore.h> // For error code 38#include <gatekeeper/password_handle.h> // for password_handle_t 39#include <hardware/gatekeeper.h> 40#include <hardware/hw_auth_token.h> 41 42#include "SoftGateKeeperDevice.h" 43 44namespace android { 45 46static const String16 KEYGUARD_PERMISSION("android.permission.ACCESS_KEYGUARD_SECURE_STORAGE"); 47static const String16 DUMP_PERMISSION("android.permission.DUMP"); 48 49class GateKeeperProxy : public BnGateKeeperService { 50public: 51 GateKeeperProxy() { 52 int ret = hw_get_module_by_class(GATEKEEPER_HARDWARE_MODULE_ID, NULL, &module); 53 if (ret < 0) { 54 ALOGW("falling back to software GateKeeper"); 55 soft_device.reset(new SoftGateKeeperDevice()); 56 } else { 57 ret = gatekeeper_open(module, &device); 58 if (ret < 0) 59 LOG_ALWAYS_FATAL_IF(ret < 0, "Unable to open GateKeeper HAL"); 60 } 61 62 if (mark_cold_boot()) { 63 ALOGI("cold boot: clearing state"); 64 if (device != NULL && device->delete_all_users != NULL) { 65 device->delete_all_users(device); 66 } 67 } 68 } 69 70 virtual ~GateKeeperProxy() { 71 if (device) gatekeeper_close(device); 72 } 73 74 void store_sid(uint32_t uid, uint64_t sid) { 75 char filename[21]; 76 sprintf(filename, "%u", uid); 77 int fd = open(filename, O_WRONLY | O_TRUNC | O_CREAT, S_IRUSR | S_IWUSR); 78 if (fd < 0) { 79 ALOGE("could not open file: %s: %s", filename, strerror(errno)); 80 return; 81 } 82 write(fd, &sid, sizeof(sid)); 83 close(fd); 84 } 85 86 bool mark_cold_boot() { 87 const char *filename = ".coldboot"; 88 if (access(filename, F_OK) == -1) { 89 int fd = open(filename, O_WRONLY | O_TRUNC | O_CREAT, S_IRUSR | S_IWUSR); 90 if (fd < 0) { 91 ALOGE("could not open file: %s : %s", filename, strerror(errno)); 92 return false; 93 } 94 close(fd); 95 return true; 96 } 97 return false; 98 } 99 100 void maybe_store_sid(uint32_t uid, uint64_t sid) { 101 char filename[21]; 102 sprintf(filename, "%u", uid); 103 if (access(filename, F_OK) == -1) { 104 store_sid(uid, sid); 105 } 106 } 107 108 uint64_t read_sid(uint32_t uid) { 109 char filename[21]; 110 uint64_t sid; 111 sprintf(filename, "%u", uid); 112 int fd = open(filename, O_RDONLY); 113 if (fd < 0) return 0; 114 read(fd, &sid, sizeof(sid)); 115 close(fd); 116 return sid; 117 } 118 119 void clear_sid(uint32_t uid) { 120 char filename[21]; 121 sprintf(filename, "%u", uid); 122 if (remove(filename) < 0) { 123 ALOGE("%s: could not remove file [%s], attempting 0 write", __func__, strerror(errno)); 124 store_sid(uid, 0); 125 } 126 } 127 128 virtual int enroll(uint32_t uid, 129 const uint8_t *current_password_handle, uint32_t current_password_handle_length, 130 const uint8_t *current_password, uint32_t current_password_length, 131 const uint8_t *desired_password, uint32_t desired_password_length, 132 uint8_t **enrolled_password_handle, uint32_t *enrolled_password_handle_length) { 133 IPCThreadState* ipc = IPCThreadState::self(); 134 const int calling_pid = ipc->getCallingPid(); 135 const int calling_uid = ipc->getCallingUid(); 136 if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) { 137 return PERMISSION_DENIED; 138 } 139 140 // need a desired password to enroll 141 if (desired_password_length == 0) return -EINVAL; 142 143 int ret; 144 if (device) { 145 const gatekeeper::password_handle_t *handle = 146 reinterpret_cast<const gatekeeper::password_handle_t *>(current_password_handle); 147 148 if (handle != NULL && handle->version != 0 && !handle->hardware_backed) { 149 // handle is being re-enrolled from a software version. HAL probably won't accept 150 // the handle as valid, so we nullify it and enroll from scratch 151 current_password_handle = NULL; 152 current_password_handle_length = 0; 153 current_password = NULL; 154 current_password_length = 0; 155 } 156 157 ret = device->enroll(device, uid, current_password_handle, current_password_handle_length, 158 current_password, current_password_length, 159 desired_password, desired_password_length, 160 enrolled_password_handle, enrolled_password_handle_length); 161 } else { 162 ret = soft_device->enroll(uid, 163 current_password_handle, current_password_handle_length, 164 current_password, current_password_length, 165 desired_password, desired_password_length, 166 enrolled_password_handle, enrolled_password_handle_length); 167 } 168 169 if (ret == 0) { 170 gatekeeper::password_handle_t *handle = 171 reinterpret_cast<gatekeeper::password_handle_t *>(*enrolled_password_handle); 172 store_sid(uid, handle->user_id); 173 bool rr; 174 175 // immediately verify this password so we don't ask the user to enter it again 176 // if they just created it. 177 verify(uid, *enrolled_password_handle, sizeof(password_handle_t), desired_password, 178 desired_password_length, &rr); 179 } 180 181 return ret; 182 } 183 184 virtual int verify(uint32_t uid, 185 const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length, 186 const uint8_t *provided_password, uint32_t provided_password_length, bool *request_reenroll) { 187 uint8_t *auth_token; 188 uint32_t auth_token_length; 189 return verifyChallenge(uid, 0, enrolled_password_handle, enrolled_password_handle_length, 190 provided_password, provided_password_length, 191 &auth_token, &auth_token_length, request_reenroll); 192 } 193 194 virtual int verifyChallenge(uint32_t uid, uint64_t challenge, 195 const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length, 196 const uint8_t *provided_password, uint32_t provided_password_length, 197 uint8_t **auth_token, uint32_t *auth_token_length, bool *request_reenroll) { 198 IPCThreadState* ipc = IPCThreadState::self(); 199 const int calling_pid = ipc->getCallingPid(); 200 const int calling_uid = ipc->getCallingUid(); 201 if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) { 202 return PERMISSION_DENIED; 203 } 204 205 // can't verify if we're missing either param 206 if ((enrolled_password_handle_length | provided_password_length) == 0) 207 return -EINVAL; 208 209 int ret; 210 if (device) { 211 const gatekeeper::password_handle_t *handle = 212 reinterpret_cast<const gatekeeper::password_handle_t *>(enrolled_password_handle); 213 // handle version 0 does not have hardware backed flag, and thus cannot be upgraded to 214 // a HAL if there was none before 215 if (handle->version == 0 || handle->hardware_backed) { 216 ret = device->verify(device, uid, challenge, 217 enrolled_password_handle, enrolled_password_handle_length, 218 provided_password, provided_password_length, auth_token, auth_token_length, 219 request_reenroll); 220 } else { 221 // upgrade scenario, a HAL has been added to this device where there was none before 222 SoftGateKeeperDevice soft_dev; 223 ret = soft_dev.verify(uid, challenge, 224 enrolled_password_handle, enrolled_password_handle_length, 225 provided_password, provided_password_length, auth_token, auth_token_length, 226 request_reenroll); 227 228 if (ret == 0) { 229 // success! re-enroll with HAL 230 *request_reenroll = true; 231 } 232 } 233 } else { 234 ret = soft_device->verify(uid, challenge, 235 enrolled_password_handle, enrolled_password_handle_length, 236 provided_password, provided_password_length, auth_token, auth_token_length, 237 request_reenroll); 238 } 239 240 if (ret == 0 && *auth_token != NULL && *auth_token_length > 0) { 241 // TODO: cache service? 242 sp<IServiceManager> sm = defaultServiceManager(); 243 sp<IBinder> binder = sm->getService(String16("android.security.keystore")); 244 sp<IKeystoreService> service = interface_cast<IKeystoreService>(binder); 245 if (service != NULL) { 246 status_t ret = service->addAuthToken(*auth_token, *auth_token_length); 247 if (ret != ResponseCode::NO_ERROR) { 248 ALOGE("Falure sending auth token to KeyStore: %d", ret); 249 } 250 } else { 251 ALOGE("Unable to communicate with KeyStore"); 252 } 253 } 254 255 if (ret == 0) { 256 maybe_store_sid(uid, reinterpret_cast<const gatekeeper::password_handle_t *>( 257 enrolled_password_handle)->user_id); 258 } 259 260 return ret; 261 } 262 263 virtual uint64_t getSecureUserId(uint32_t uid) { 264 return read_sid(uid); 265 } 266 267 virtual void clearSecureUserId(uint32_t uid) { 268 IPCThreadState* ipc = IPCThreadState::self(); 269 const int calling_pid = ipc->getCallingPid(); 270 const int calling_uid = ipc->getCallingUid(); 271 if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) { 272 ALOGE("%s: permission denied for [%d:%d]", __func__, calling_pid, calling_uid); 273 return; 274 } 275 clear_sid(uid); 276 277 if (device != NULL && device->delete_user != NULL) { 278 device->delete_user(device, uid); 279 } 280 } 281 282 virtual status_t dump(int fd, const Vector<String16> &) { 283 IPCThreadState* ipc = IPCThreadState::self(); 284 const int pid = ipc->getCallingPid(); 285 const int uid = ipc->getCallingUid(); 286 if (!PermissionCache::checkPermission(DUMP_PERMISSION, pid, uid)) { 287 return PERMISSION_DENIED; 288 } 289 290 if (device == NULL) { 291 const char *result = "Device not available"; 292 write(fd, result, strlen(result) + 1); 293 } else { 294 const char *result = "OK"; 295 write(fd, result, strlen(result) + 1); 296 } 297 298 return NO_ERROR; 299 } 300 301private: 302 gatekeeper_device_t *device; 303 UniquePtr<SoftGateKeeperDevice> soft_device; 304 const hw_module_t *module; 305}; 306}// namespace android 307 308int main(int argc, char* argv[]) { 309 ALOGI("Starting gatekeeperd..."); 310 if (argc < 2) { 311 ALOGE("A directory must be specified!"); 312 return 1; 313 } 314 if (chdir(argv[1]) == -1) { 315 ALOGE("chdir: %s: %s", argv[1], strerror(errno)); 316 return 1; 317 } 318 319 android::sp<android::IServiceManager> sm = android::defaultServiceManager(); 320 android::sp<android::GateKeeperProxy> proxy = new android::GateKeeperProxy(); 321 android::status_t ret = sm->addService( 322 android::String16("android.service.gatekeeper.IGateKeeperService"), proxy); 323 if (ret != android::OK) { 324 ALOGE("Couldn't register binder service!"); 325 return -1; 326 } 327 328 /* 329 * We're the only thread in existence, so we're just going to process 330 * Binder transaction as a single-threaded program. 331 */ 332 android::IPCThreadState::self()->joinThreadPool(); 333 return 0; 334} 335