1/* 2 * Copyright (C) 2016 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17#define LOG_TAG "keystore" 18 19#include "permissions.h" 20 21#include <cutils/log.h> 22#include <cutils/sockets.h> 23#include <private/android_filesystem_config.h> 24 25#include <selinux/android.h> 26 27#include "keystore_utils.h" 28 29/* perm_labels associcated with keystore_key SELinux class verbs. */ 30const char* perm_labels[] = { 31 "get_state", 32 "get", 33 "insert", 34 "delete", 35 "exist", 36 "list", 37 "reset", 38 "password", 39 "lock", 40 "unlock", 41 "is_empty", 42 "sign", 43 "verify", 44 "grant", 45 "duplicate", 46 "clear_uid", 47 "add_auth", 48 "user_changed", 49 "gen_unique_id", 50}; 51 52struct user_euid { 53 uid_t uid; 54 uid_t euid; 55}; 56 57user_euid user_euids[] = { 58 {AID_VPN, AID_SYSTEM}, {AID_WIFI, AID_SYSTEM}, {AID_ROOT, AID_SYSTEM}, 59 {AID_WIFI, AID_KEYSTORE}, {AID_KEYSTORE, AID_WIFI} 60}; 61 62struct user_perm { 63 uid_t uid; 64 perm_t perms; 65}; 66 67static user_perm user_perms[] = { 68 {AID_SYSTEM, static_cast<perm_t>((uint32_t)(~0))}, 69 {AID_VPN, static_cast<perm_t>(P_GET | P_SIGN | P_VERIFY)}, 70 {AID_WIFI, static_cast<perm_t>(P_GET | P_SIGN | P_VERIFY)}, 71 {AID_ROOT, static_cast<perm_t>(P_GET)}, 72}; 73 74static const perm_t DEFAULT_PERMS = static_cast<perm_t>( 75 P_GET_STATE | P_GET | P_INSERT | P_DELETE | P_EXIST | P_LIST | P_SIGN | P_VERIFY | 76 P_GEN_UNIQUE_ID /* Only privileged apps can do this, but enforcement is done by SELinux */); 77 78struct audit_data { 79 pid_t pid; 80 uid_t uid; 81}; 82 83const char* get_perm_label(perm_t perm) { 84 unsigned int index = ffs(perm); 85 if (index > 0 && index <= (sizeof(perm_labels) / sizeof(perm_labels[0]))) { 86 return perm_labels[index - 1]; 87 } else { 88 ALOGE("Keystore: Failed to retrieve permission label.\n"); 89 abort(); 90 } 91} 92 93static int audit_callback(void* data, security_class_t /* cls */, char* buf, size_t len) { 94 struct audit_data* ad = reinterpret_cast<struct audit_data*>(data); 95 if (!ad) { 96 ALOGE("No keystore audit data"); 97 return 0; 98 } 99 100 snprintf(buf, len, "pid=%d uid=%d", ad->pid, ad->uid); 101 return 0; 102} 103 104static char* tctx; 105 106int configure_selinux() { 107 union selinux_callback cb; 108 cb.func_audit = audit_callback; 109 selinux_set_callback(SELINUX_CB_AUDIT, cb); 110 cb.func_log = selinux_log_callback; 111 selinux_set_callback(SELINUX_CB_LOG, cb); 112 if (getcon(&tctx) != 0) { 113 ALOGE("SELinux: Could not acquire target context. Aborting keystore.\n"); 114 return -1; 115 } 116 117 return 0; 118} 119 120static bool keystore_selinux_check_access(uid_t uid, perm_t perm, pid_t spid) { 121 audit_data ad; 122 char* sctx = NULL; 123 const char* selinux_class = "keystore_key"; 124 const char* str_perm = get_perm_label(perm); 125 126 if (!str_perm) { 127 return false; 128 } 129 130 if (getpidcon(spid, &sctx) != 0) { 131 ALOGE("SELinux: Failed to get source pid context.\n"); 132 return false; 133 } 134 135 ad.pid = spid; 136 ad.uid = uid; 137 138 bool allowed = selinux_check_access(sctx, tctx, selinux_class, str_perm, 139 reinterpret_cast<void*>(&ad)) == 0; 140 freecon(sctx); 141 return allowed; 142} 143 144/** 145 * Returns the UID that the callingUid should act as. This is here for 146 * legacy support of the WiFi and VPN systems and should be removed 147 * when WiFi can operate in its own namespace. 148 */ 149uid_t get_keystore_euid(uid_t uid) { 150 for (size_t i = 0; i < sizeof(user_euids) / sizeof(user_euids[0]); i++) { 151 struct user_euid user = user_euids[i]; 152 if (user.uid == uid) { 153 return user.euid; 154 } 155 } 156 157 return uid; 158} 159 160bool has_permission(uid_t uid, perm_t perm, pid_t spid) { 161 // All system users are equivalent for multi-user support. 162 if (get_app_id(uid) == AID_SYSTEM) { 163 uid = AID_SYSTEM; 164 } 165 166 for (size_t i = 0; i < sizeof(user_perms) / sizeof(user_perms[0]); i++) { 167 struct user_perm user = user_perms[i]; 168 if (user.uid == uid) { 169 return (user.perms & perm) && keystore_selinux_check_access(uid, perm, spid); 170 } 171 } 172 173 return (DEFAULT_PERMS & perm) && keystore_selinux_check_access(uid, perm, spid); 174} 175 176/** 177 * Returns true if the callingUid is allowed to interact in the targetUid's 178 * namespace. 179 */ 180bool is_granted_to(uid_t callingUid, uid_t targetUid) { 181 if (callingUid == targetUid) { 182 return true; 183 } 184 for (size_t i = 0; i < sizeof(user_euids) / sizeof(user_euids[0]); i++) { 185 struct user_euid user = user_euids[i]; 186 if (user.euid == callingUid && user.uid == targetUid) { 187 return true; 188 } 189 } 190 191 return false; 192} 193