gatekeeperd.cpp revision ae242929da80d88a7db223984ec9baa5fd5949e6
1/* 2 * Copyright (C) 2015 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17#define LOG_TAG "gatekeeperd" 18 19#include "IGateKeeperService.h" 20 21#include <errno.h> 22#include <stdint.h> 23#include <inttypes.h> 24#include <fcntl.h> 25#include <unistd.h> 26 27#include <cutils/log.h> 28#include <utils/Log.h> 29 30#include <binder/IPCThreadState.h> 31#include <binder/IServiceManager.h> 32#include <binder/PermissionCache.h> 33#include <utils/String16.h> 34 35#include <keystore/IKeystoreService.h> 36#include <keystore/keystore.h> // For error code 37#include <gatekeeper/password_handle.h> // for password_handle_t 38#include <hardware/gatekeeper.h> 39#include <hardware/hw_auth_token.h> 40 41#include "SoftGateKeeperDevice.h" 42 43namespace android { 44 45static const String16 KEYGUARD_PERMISSION("android.permission.ACCESS_KEYGUARD_SECURE_STORAGE"); 46static const String16 DUMP_PERMISSION("android.permission.DUMP"); 47 48class GateKeeperProxy : public BnGateKeeperService { 49public: 50 GateKeeperProxy() { 51 int ret = hw_get_module_by_class(GATEKEEPER_HARDWARE_MODULE_ID, NULL, &module); 52 if (ret < 0) { 53 ALOGW("falling back to software GateKeeper"); 54 soft_device.reset(new SoftGateKeeperDevice()); 55 } else { 56 ret = gatekeeper_open(module, &device); 57 if (ret < 0) 58 LOG_ALWAYS_FATAL_IF(ret < 0, "Unable to open GateKeeper HAL"); 59 } 60 } 61 62 virtual ~GateKeeperProxy() { 63 if (device) gatekeeper_close(device); 64 } 65 66 void store_sid(uint32_t uid, uint64_t sid) { 67 char filename[21]; 68 sprintf(filename, "%u", uid); 69 int fd = open(filename, O_WRONLY | O_TRUNC | O_CREAT, S_IRUSR | S_IWUSR); 70 if (fd < 0) { 71 ALOGE("could not open file: %s: %s", filename, strerror(errno)); 72 return; 73 } 74 write(fd, &sid, sizeof(sid)); 75 close(fd); 76 } 77 78 void maybe_store_sid(uint32_t uid, uint64_t sid) { 79 char filename[21]; 80 sprintf(filename, "%u", uid); 81 if (access(filename, F_OK) == -1) { 82 store_sid(uid, sid); 83 } 84 } 85 86 uint64_t read_sid(uint32_t uid) { 87 char filename[21]; 88 uint64_t sid; 89 sprintf(filename, "%u", uid); 90 int fd = open(filename, O_RDONLY); 91 if (fd < 0) return 0; 92 read(fd, &sid, sizeof(sid)); 93 return sid; 94 } 95 96 void clear_sid(uint32_t uid) { 97 char filename[21]; 98 sprintf(filename, "%u", uid); 99 if (remove(filename) < 0) { 100 ALOGE("%s: could not remove file [%s], attempting 0 write", __func__, strerror(errno)); 101 store_sid(uid, 0); 102 } 103 } 104 105 virtual int enroll(uint32_t uid, 106 const uint8_t *current_password_handle, uint32_t current_password_handle_length, 107 const uint8_t *current_password, uint32_t current_password_length, 108 const uint8_t *desired_password, uint32_t desired_password_length, 109 uint8_t **enrolled_password_handle, uint32_t *enrolled_password_handle_length) { 110 IPCThreadState* ipc = IPCThreadState::self(); 111 const int calling_pid = ipc->getCallingPid(); 112 const int calling_uid = ipc->getCallingUid(); 113 if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) { 114 return PERMISSION_DENIED; 115 } 116 117 // need a desired password to enroll 118 if (desired_password_length == 0) return -EINVAL; 119 120 int ret; 121 if (device) { 122 ret = device->enroll(device, uid, 123 current_password_handle, current_password_handle_length, 124 current_password, current_password_length, 125 desired_password, desired_password_length, 126 enrolled_password_handle, enrolled_password_handle_length); 127 } else { 128 ret = soft_device->enroll(uid, 129 current_password_handle, current_password_handle_length, 130 current_password, current_password_length, 131 desired_password, desired_password_length, 132 enrolled_password_handle, enrolled_password_handle_length); 133 } 134 135 if (ret == 0) { 136 gatekeeper::password_handle_t *handle = 137 reinterpret_cast<gatekeeper::password_handle_t *>(*enrolled_password_handle); 138 store_sid(uid, handle->user_id); 139 } 140 141 return ret; 142 } 143 144 virtual int verify(uint32_t uid, 145 const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length, 146 const uint8_t *provided_password, uint32_t provided_password_length, bool *request_reenroll) { 147 uint8_t *auth_token; 148 uint32_t auth_token_length; 149 return verifyChallenge(uid, 0, enrolled_password_handle, enrolled_password_handle_length, 150 provided_password, provided_password_length, 151 &auth_token, &auth_token_length, request_reenroll); 152 } 153 154 virtual int verifyChallenge(uint32_t uid, uint64_t challenge, 155 const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length, 156 const uint8_t *provided_password, uint32_t provided_password_length, 157 uint8_t **auth_token, uint32_t *auth_token_length, bool *request_reenroll) { 158 IPCThreadState* ipc = IPCThreadState::self(); 159 const int calling_pid = ipc->getCallingPid(); 160 const int calling_uid = ipc->getCallingUid(); 161 if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) { 162 return PERMISSION_DENIED; 163 } 164 165 // can't verify if we're missing either param 166 if ((enrolled_password_handle_length | provided_password_length) == 0) 167 return -EINVAL; 168 169 int ret; 170 if (device) { 171 ret = device->verify(device, uid, challenge, 172 enrolled_password_handle, enrolled_password_handle_length, 173 provided_password, provided_password_length, auth_token, auth_token_length, 174 request_reenroll); 175 } else { 176 ret = soft_device->verify(uid, challenge, 177 enrolled_password_handle, enrolled_password_handle_length, 178 provided_password, provided_password_length, auth_token, auth_token_length, 179 request_reenroll); 180 } 181 182 if (ret == 0 && *auth_token != NULL && *auth_token_length > 0) { 183 // TODO: cache service? 184 sp<IServiceManager> sm = defaultServiceManager(); 185 sp<IBinder> binder = sm->getService(String16("android.security.keystore")); 186 sp<IKeystoreService> service = interface_cast<IKeystoreService>(binder); 187 if (service != NULL) { 188 status_t ret = service->addAuthToken(*auth_token, *auth_token_length); 189 if (ret != ResponseCode::NO_ERROR) { 190 ALOGE("Falure sending auth token to KeyStore: %d", ret); 191 } 192 } else { 193 ALOGE("Unable to communicate with KeyStore"); 194 } 195 } 196 197 if (ret == 0) { 198 maybe_store_sid(uid, reinterpret_cast<const gatekeeper::password_handle_t *>( 199 enrolled_password_handle)->user_id); 200 } 201 202 return ret; 203 } 204 205 virtual uint64_t getSecureUserId(uint32_t uid) { 206 return read_sid(uid); 207 } 208 209 virtual void clearSecureUserId(uint32_t uid) { 210 IPCThreadState* ipc = IPCThreadState::self(); 211 const int calling_pid = ipc->getCallingPid(); 212 const int calling_uid = ipc->getCallingUid(); 213 if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) { 214 ALOGE("%s: permission denied for [%d:%d]", __func__, calling_pid, calling_uid); 215 return; 216 } 217 clear_sid(uid); 218 } 219 220 virtual status_t dump(int fd, const Vector<String16> &) { 221 IPCThreadState* ipc = IPCThreadState::self(); 222 const int pid = ipc->getCallingPid(); 223 const int uid = ipc->getCallingUid(); 224 if (!PermissionCache::checkPermission(DUMP_PERMISSION, pid, uid)) { 225 return PERMISSION_DENIED; 226 } 227 228 if (device == NULL) { 229 const char *result = "Device not available"; 230 write(fd, result, strlen(result) + 1); 231 } else { 232 const char *result = "OK"; 233 write(fd, result, strlen(result) + 1); 234 } 235 236 return NO_ERROR; 237 } 238 239private: 240 gatekeeper_device_t *device; 241 UniquePtr<SoftGateKeeperDevice> soft_device; 242 const hw_module_t *module; 243}; 244}// namespace android 245 246int main(int argc, char* argv[]) { 247 ALOGI("Starting gatekeeperd..."); 248 if (argc < 2) { 249 ALOGE("A directory must be specified!"); 250 return 1; 251 } 252 if (chdir(argv[1]) == -1) { 253 ALOGE("chdir: %s: %s", argv[1], strerror(errno)); 254 return 1; 255 } 256 257 android::sp<android::IServiceManager> sm = android::defaultServiceManager(); 258 android::sp<android::GateKeeperProxy> proxy = new android::GateKeeperProxy(); 259 android::status_t ret = sm->addService( 260 android::String16("android.service.gatekeeper.IGateKeeperService"), proxy); 261 if (ret != android::OK) { 262 ALOGE("Couldn't register binder service!"); 263 return -1; 264 } 265 266 /* 267 * We're the only thread in existence, so we're just going to process 268 * Binder transaction as a single-threaded program. 269 */ 270 android::IPCThreadState::self()->joinThreadPool(); 271 return 0; 272} 273