gatekeeperd.cpp revision fef908e5a50a4026bb94edabb8f500a959b9ed0e
1/*
2 * Copyright (C) 2015 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#define LOG_TAG "gatekeeperd"
18
19#include "IGateKeeperService.h"
20
21#include <errno.h>
22#include <stdint.h>
23#include <inttypes.h>
24#include <fcntl.h>
25#include <unistd.h>
26
27#include <cutils/log.h>
28#include <utils/Log.h>
29
30#include <binder/IPCThreadState.h>
31#include <binder/IServiceManager.h>
32#include <binder/PermissionCache.h>
33#include <utils/String16.h>
34#include <utils/Log.h>
35
36#include <keystore/IKeystoreService.h>
37#include <keystore/keystore.h> // For error code
38#include <gatekeeper/password_handle.h> // for password_handle_t
39#include <hardware/gatekeeper.h>
40#include <hardware/hw_auth_token.h>
41
42#include "SoftGateKeeperDevice.h"
43
44namespace android {
45
46static const String16 KEYGUARD_PERMISSION("android.permission.ACCESS_KEYGUARD_SECURE_STORAGE");
47static const String16 DUMP_PERMISSION("android.permission.DUMP");
48
49class GateKeeperProxy : public BnGateKeeperService {
50public:
51    GateKeeperProxy() {
52        int ret = hw_get_module_by_class(GATEKEEPER_HARDWARE_MODULE_ID, NULL, &module);
53        device = NULL;
54
55        if (ret < 0) {
56            ALOGW("falling back to software GateKeeper");
57            soft_device.reset(new SoftGateKeeperDevice());
58        } else {
59            ret = gatekeeper_open(module, &device);
60            if (ret < 0)
61                LOG_ALWAYS_FATAL_IF(ret < 0, "Unable to open GateKeeper HAL");
62        }
63
64        if (mark_cold_boot()) {
65            ALOGI("cold boot: clearing state");
66            if (device != NULL && device->delete_all_users != NULL) {
67                device->delete_all_users(device);
68            }
69        }
70    }
71
72    virtual ~GateKeeperProxy() {
73        if (device) gatekeeper_close(device);
74    }
75
76    void store_sid(uint32_t uid, uint64_t sid) {
77        char filename[21];
78        sprintf(filename, "%u", uid);
79        int fd = open(filename, O_WRONLY | O_TRUNC | O_CREAT, S_IRUSR | S_IWUSR);
80        if (fd < 0) {
81            ALOGE("could not open file: %s: %s", filename, strerror(errno));
82            return;
83        }
84        write(fd, &sid, sizeof(sid));
85        close(fd);
86    }
87
88    bool mark_cold_boot() {
89        const char *filename = ".coldboot";
90        if (access(filename, F_OK) == -1) {
91            int fd = open(filename, O_WRONLY | O_TRUNC | O_CREAT, S_IRUSR | S_IWUSR);
92            if (fd < 0) {
93                ALOGE("could not open file: %s : %s", filename, strerror(errno));
94                return false;
95            }
96            close(fd);
97            return true;
98        }
99        return false;
100    }
101
102    void maybe_store_sid(uint32_t uid, uint64_t sid) {
103        char filename[21];
104        sprintf(filename, "%u", uid);
105        if (access(filename, F_OK) == -1) {
106            store_sid(uid, sid);
107        }
108    }
109
110    uint64_t read_sid(uint32_t uid) {
111        char filename[21];
112        uint64_t sid;
113        sprintf(filename, "%u", uid);
114        int fd = open(filename, O_RDONLY);
115        if (fd < 0) return 0;
116        read(fd, &sid, sizeof(sid));
117        return sid;
118    }
119
120    void clear_sid(uint32_t uid) {
121        char filename[21];
122        sprintf(filename, "%u", uid);
123        if (remove(filename) < 0) {
124            ALOGE("%s: could not remove file [%s], attempting 0 write", __func__, strerror(errno));
125            store_sid(uid, 0);
126        }
127    }
128
129    virtual int enroll(uint32_t uid,
130            const uint8_t *current_password_handle, uint32_t current_password_handle_length,
131            const uint8_t *current_password, uint32_t current_password_length,
132            const uint8_t *desired_password, uint32_t desired_password_length,
133            uint8_t **enrolled_password_handle, uint32_t *enrolled_password_handle_length) {
134        IPCThreadState* ipc = IPCThreadState::self();
135        const int calling_pid = ipc->getCallingPid();
136        const int calling_uid = ipc->getCallingUid();
137        if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) {
138            return PERMISSION_DENIED;
139        }
140
141        // need a desired password to enroll
142        if (desired_password_length == 0) return -EINVAL;
143
144        int ret;
145        if (device) {
146            const gatekeeper::password_handle_t *handle =
147                    reinterpret_cast<const gatekeeper::password_handle_t *>(current_password_handle);
148
149            if (handle != NULL && handle->version != 0 && !handle->hardware_backed) {
150                // handle is being re-enrolled from a software version. HAL probably won't accept
151                // the handle as valid, so we nullify it and enroll from scratch
152                current_password_handle = NULL;
153                current_password_handle_length = 0;
154                current_password = NULL;
155                current_password_length = 0;
156            }
157
158            ret = device->enroll(device, uid, current_password_handle, current_password_handle_length,
159                    current_password, current_password_length,
160                    desired_password, desired_password_length,
161                    enrolled_password_handle, enrolled_password_handle_length);
162        } else {
163            ret = soft_device->enroll(uid,
164                    current_password_handle, current_password_handle_length,
165                    current_password, current_password_length,
166                    desired_password, desired_password_length,
167                    enrolled_password_handle, enrolled_password_handle_length);
168        }
169
170        if (ret == 0) {
171            gatekeeper::password_handle_t *handle =
172                    reinterpret_cast<gatekeeper::password_handle_t *>(*enrolled_password_handle);
173            store_sid(uid, handle->user_id);
174            bool rr;
175
176            // immediately verify this password so we don't ask the user to enter it again
177            // if they just created it.
178            verify(uid, *enrolled_password_handle, sizeof(password_handle_t), desired_password,
179                    desired_password_length, &rr);
180        }
181
182        return ret;
183    }
184
185    virtual int verify(uint32_t uid,
186            const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
187            const uint8_t *provided_password, uint32_t provided_password_length, bool *request_reenroll) {
188        uint8_t *auth_token;
189        uint32_t auth_token_length;
190        return verifyChallenge(uid, 0, enrolled_password_handle, enrolled_password_handle_length,
191                provided_password, provided_password_length,
192                &auth_token, &auth_token_length, request_reenroll);
193    }
194
195    virtual int verifyChallenge(uint32_t uid, uint64_t challenge,
196            const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
197            const uint8_t *provided_password, uint32_t provided_password_length,
198            uint8_t **auth_token, uint32_t *auth_token_length, bool *request_reenroll) {
199        IPCThreadState* ipc = IPCThreadState::self();
200        const int calling_pid = ipc->getCallingPid();
201        const int calling_uid = ipc->getCallingUid();
202        if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) {
203            return PERMISSION_DENIED;
204        }
205
206        // can't verify if we're missing either param
207        if ((enrolled_password_handle_length | provided_password_length) == 0)
208            return -EINVAL;
209
210        int ret;
211        if (device) {
212            const gatekeeper::password_handle_t *handle =
213                    reinterpret_cast<const gatekeeper::password_handle_t *>(enrolled_password_handle);
214            // handle version 0 does not have hardware backed flag, and thus cannot be upgraded to
215            // a HAL if there was none before
216            if (handle->version == 0 || handle->hardware_backed) {
217                ret = device->verify(device, uid, challenge,
218                    enrolled_password_handle, enrolled_password_handle_length,
219                    provided_password, provided_password_length, auth_token, auth_token_length,
220                    request_reenroll);
221            } else {
222                // upgrade scenario, a HAL has been added to this device where there was none before
223                SoftGateKeeperDevice soft_dev;
224                ret = soft_dev.verify(uid, challenge,
225                    enrolled_password_handle, enrolled_password_handle_length,
226                    provided_password, provided_password_length, auth_token, auth_token_length,
227                    request_reenroll);
228
229                if (ret == 0) {
230                    // success! re-enroll with HAL
231                    *request_reenroll = true;
232                }
233            }
234        } else {
235            ret = soft_device->verify(uid, challenge,
236                enrolled_password_handle, enrolled_password_handle_length,
237                provided_password, provided_password_length, auth_token, auth_token_length,
238                request_reenroll);
239        }
240
241        if (ret == 0 && *auth_token != NULL && *auth_token_length > 0) {
242            // TODO: cache service?
243            sp<IServiceManager> sm = defaultServiceManager();
244            sp<IBinder> binder = sm->getService(String16("android.security.keystore"));
245            sp<IKeystoreService> service = interface_cast<IKeystoreService>(binder);
246            if (service != NULL) {
247                status_t ret = service->addAuthToken(*auth_token, *auth_token_length);
248                if (ret != ResponseCode::NO_ERROR) {
249                    ALOGE("Falure sending auth token to KeyStore: %d", ret);
250                }
251            } else {
252                ALOGE("Unable to communicate with KeyStore");
253            }
254        }
255
256        if (ret == 0) {
257            maybe_store_sid(uid, reinterpret_cast<const gatekeeper::password_handle_t *>(
258                        enrolled_password_handle)->user_id);
259        }
260
261        return ret;
262    }
263
264    virtual uint64_t getSecureUserId(uint32_t uid) {
265        return read_sid(uid);
266    }
267
268    virtual void clearSecureUserId(uint32_t uid) {
269        IPCThreadState* ipc = IPCThreadState::self();
270        const int calling_pid = ipc->getCallingPid();
271        const int calling_uid = ipc->getCallingUid();
272        if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) {
273            ALOGE("%s: permission denied for [%d:%d]", __func__, calling_pid, calling_uid);
274            return;
275        }
276        clear_sid(uid);
277
278        if (device != NULL && device->delete_user != NULL) {
279            device->delete_user(device, uid);
280        }
281    }
282
283    virtual status_t dump(int fd, const Vector<String16> &) {
284        IPCThreadState* ipc = IPCThreadState::self();
285        const int pid = ipc->getCallingPid();
286        const int uid = ipc->getCallingUid();
287        if (!PermissionCache::checkPermission(DUMP_PERMISSION, pid, uid)) {
288            return PERMISSION_DENIED;
289        }
290
291        if (device == NULL) {
292            const char *result = "Device not available";
293            write(fd, result, strlen(result) + 1);
294        } else {
295            const char *result = "OK";
296            write(fd, result, strlen(result) + 1);
297        }
298
299        return NO_ERROR;
300    }
301
302private:
303    gatekeeper_device_t *device;
304    UniquePtr<SoftGateKeeperDevice> soft_device;
305    const hw_module_t *module;
306};
307}// namespace android
308
309int main(int argc, char* argv[]) {
310    ALOGI("Starting gatekeeperd...");
311    if (argc < 2) {
312        ALOGE("A directory must be specified!");
313        return 1;
314    }
315    if (chdir(argv[1]) == -1) {
316        ALOGE("chdir: %s: %s", argv[1], strerror(errno));
317        return 1;
318    }
319
320    android::sp<android::IServiceManager> sm = android::defaultServiceManager();
321    android::sp<android::GateKeeperProxy> proxy = new android::GateKeeperProxy();
322    android::status_t ret = sm->addService(
323            android::String16("android.service.gatekeeper.IGateKeeperService"), proxy);
324    if (ret != android::OK) {
325        ALOGE("Couldn't register binder service!");
326        return -1;
327    }
328
329    /*
330     * We're the only thread in existence, so we're just going to process
331     * Binder transaction as a single-threaded program.
332     */
333    android::IPCThreadState::self()->joinThreadPool();
334    return 0;
335}
336