1/* Copyright 2008 The Android Open Source Project 2 */ 3 4#include <errno.h> 5#include <fcntl.h> 6#include <inttypes.h> 7#include <stdio.h> 8#include <stdlib.h> 9#include <string.h> 10 11#include <cutils/android_filesystem_config.h> 12#include <cutils/multiuser.h> 13 14#include <selinux/android.h> 15#include <selinux/avc.h> 16 17#include "binder.h" 18 19#ifdef VENDORSERVICEMANAGER 20#define LOG_TAG "VendorServiceManager" 21#else 22#define LOG_TAG "ServiceManager" 23#endif 24#include <log/log.h> 25 26struct audit_data { 27 pid_t pid; 28 uid_t uid; 29 const char *name; 30}; 31 32const char *str8(const uint16_t *x, size_t x_len) 33{ 34 static char buf[128]; 35 size_t max = 127; 36 char *p = buf; 37 38 if (x_len < max) { 39 max = x_len; 40 } 41 42 if (x) { 43 while ((max > 0) && (*x != '\0')) { 44 *p++ = *x++; 45 max--; 46 } 47 } 48 *p++ = 0; 49 return buf; 50} 51 52int str16eq(const uint16_t *a, const char *b) 53{ 54 while (*a && *b) 55 if (*a++ != *b++) return 0; 56 if (*a || *b) 57 return 0; 58 return 1; 59} 60 61static char *service_manager_context; 62static struct selabel_handle* sehandle; 63 64static bool check_mac_perms(pid_t spid, uid_t uid, const char *tctx, const char *perm, const char *name) 65{ 66 char *sctx = NULL; 67 const char *class = "service_manager"; 68 bool allowed; 69 struct audit_data ad; 70 71 if (getpidcon(spid, &sctx) < 0) { 72 ALOGE("SELinux: getpidcon(pid=%d) failed to retrieve pid context.\n", spid); 73 return false; 74 } 75 76 ad.pid = spid; 77 ad.uid = uid; 78 ad.name = name; 79 80 int result = selinux_check_access(sctx, tctx, class, perm, (void *) &ad); 81 allowed = (result == 0); 82 83 freecon(sctx); 84 return allowed; 85} 86 87static bool check_mac_perms_from_getcon(pid_t spid, uid_t uid, const char *perm) 88{ 89 return check_mac_perms(spid, uid, service_manager_context, perm, NULL); 90} 91 92static bool check_mac_perms_from_lookup(pid_t spid, uid_t uid, const char *perm, const char *name) 93{ 94 bool allowed; 95 char *tctx = NULL; 96 97 if (!sehandle) { 98 ALOGE("SELinux: Failed to find sehandle. Aborting service_manager.\n"); 99 abort(); 100 } 101 102 if (selabel_lookup(sehandle, &tctx, name, 0) != 0) { 103 ALOGE("SELinux: No match for %s in service_contexts.\n", name); 104 return false; 105 } 106 107 allowed = check_mac_perms(spid, uid, tctx, perm, name); 108 freecon(tctx); 109 return allowed; 110} 111 112static int svc_can_register(const uint16_t *name, size_t name_len, pid_t spid, uid_t uid) 113{ 114 const char *perm = "add"; 115 116 if (multiuser_get_app_id(uid) >= AID_APP) { 117 return 0; /* Don't allow apps to register services */ 118 } 119 120 return check_mac_perms_from_lookup(spid, uid, perm, str8(name, name_len)) ? 1 : 0; 121} 122 123static int svc_can_list(pid_t spid, uid_t uid) 124{ 125 const char *perm = "list"; 126 return check_mac_perms_from_getcon(spid, uid, perm) ? 1 : 0; 127} 128 129static int svc_can_find(const uint16_t *name, size_t name_len, pid_t spid, uid_t uid) 130{ 131 const char *perm = "find"; 132 return check_mac_perms_from_lookup(spid, uid, perm, str8(name, name_len)) ? 1 : 0; 133} 134 135struct svcinfo 136{ 137 struct svcinfo *next; 138 uint32_t handle; 139 struct binder_death death; 140 int allow_isolated; 141 size_t len; 142 uint16_t name[0]; 143}; 144 145struct svcinfo *svclist = NULL; 146 147struct svcinfo *find_svc(const uint16_t *s16, size_t len) 148{ 149 struct svcinfo *si; 150 151 for (si = svclist; si; si = si->next) { 152 if ((len == si->len) && 153 !memcmp(s16, si->name, len * sizeof(uint16_t))) { 154 return si; 155 } 156 } 157 return NULL; 158} 159 160void svcinfo_death(struct binder_state *bs, void *ptr) 161{ 162 struct svcinfo *si = (struct svcinfo* ) ptr; 163 164 ALOGI("service '%s' died\n", str8(si->name, si->len)); 165 if (si->handle) { 166 binder_release(bs, si->handle); 167 si->handle = 0; 168 } 169} 170 171uint16_t svcmgr_id[] = { 172 'a','n','d','r','o','i','d','.','o','s','.', 173 'I','S','e','r','v','i','c','e','M','a','n','a','g','e','r' 174}; 175 176 177uint32_t do_find_service(const uint16_t *s, size_t len, uid_t uid, pid_t spid) 178{ 179 struct svcinfo *si = find_svc(s, len); 180 181 if (!si || !si->handle) { 182 return 0; 183 } 184 185 if (!si->allow_isolated) { 186 // If this service doesn't allow access from isolated processes, 187 // then check the uid to see if it is isolated. 188 uid_t appid = uid % AID_USER; 189 if (appid >= AID_ISOLATED_START && appid <= AID_ISOLATED_END) { 190 return 0; 191 } 192 } 193 194 if (!svc_can_find(s, len, spid, uid)) { 195 return 0; 196 } 197 198 return si->handle; 199} 200 201int do_add_service(struct binder_state *bs, 202 const uint16_t *s, size_t len, 203 uint32_t handle, uid_t uid, int allow_isolated, 204 pid_t spid) 205{ 206 struct svcinfo *si; 207 208 //ALOGI("add_service('%s',%x,%s) uid=%d\n", str8(s, len), handle, 209 // allow_isolated ? "allow_isolated" : "!allow_isolated", uid); 210 211 if (!handle || (len == 0) || (len > 127)) 212 return -1; 213 214 if (!svc_can_register(s, len, spid, uid)) { 215 ALOGE("add_service('%s',%x) uid=%d - PERMISSION DENIED\n", 216 str8(s, len), handle, uid); 217 return -1; 218 } 219 220 si = find_svc(s, len); 221 if (si) { 222 if (si->handle) { 223 ALOGE("add_service('%s',%x) uid=%d - ALREADY REGISTERED, OVERRIDE\n", 224 str8(s, len), handle, uid); 225 svcinfo_death(bs, si); 226 } 227 si->handle = handle; 228 } else { 229 si = malloc(sizeof(*si) + (len + 1) * sizeof(uint16_t)); 230 if (!si) { 231 ALOGE("add_service('%s',%x) uid=%d - OUT OF MEMORY\n", 232 str8(s, len), handle, uid); 233 return -1; 234 } 235 si->handle = handle; 236 si->len = len; 237 memcpy(si->name, s, (len + 1) * sizeof(uint16_t)); 238 si->name[len] = '\0'; 239 si->death.func = (void*) svcinfo_death; 240 si->death.ptr = si; 241 si->allow_isolated = allow_isolated; 242 si->next = svclist; 243 svclist = si; 244 } 245 246 binder_acquire(bs, handle); 247 binder_link_to_death(bs, handle, &si->death); 248 return 0; 249} 250 251int svcmgr_handler(struct binder_state *bs, 252 struct binder_transaction_data *txn, 253 struct binder_io *msg, 254 struct binder_io *reply) 255{ 256 struct svcinfo *si; 257 uint16_t *s; 258 size_t len; 259 uint32_t handle; 260 uint32_t strict_policy; 261 int allow_isolated; 262 263 //ALOGI("target=%p code=%d pid=%d uid=%d\n", 264 // (void*) txn->target.ptr, txn->code, txn->sender_pid, txn->sender_euid); 265 266 if (txn->target.ptr != BINDER_SERVICE_MANAGER) 267 return -1; 268 269 if (txn->code == PING_TRANSACTION) 270 return 0; 271 272 // Equivalent to Parcel::enforceInterface(), reading the RPC 273 // header with the strict mode policy mask and the interface name. 274 // Note that we ignore the strict_policy and don't propagate it 275 // further (since we do no outbound RPCs anyway). 276 strict_policy = bio_get_uint32(msg); 277 s = bio_get_string16(msg, &len); 278 if (s == NULL) { 279 return -1; 280 } 281 282 if ((len != (sizeof(svcmgr_id) / 2)) || 283 memcmp(svcmgr_id, s, sizeof(svcmgr_id))) { 284 fprintf(stderr,"invalid id %s\n", str8(s, len)); 285 return -1; 286 } 287 288 if (sehandle && selinux_status_updated() > 0) { 289#ifdef VENDORSERVICEMANAGER 290 struct selabel_handle *tmp_sehandle = selinux_android_vendor_service_context_handle(); 291#else 292 struct selabel_handle *tmp_sehandle = selinux_android_service_context_handle(); 293#endif 294 if (tmp_sehandle) { 295 selabel_close(sehandle); 296 sehandle = tmp_sehandle; 297 } 298 } 299 300 switch(txn->code) { 301 case SVC_MGR_GET_SERVICE: 302 case SVC_MGR_CHECK_SERVICE: 303 s = bio_get_string16(msg, &len); 304 if (s == NULL) { 305 return -1; 306 } 307 handle = do_find_service(s, len, txn->sender_euid, txn->sender_pid); 308 if (!handle) 309 break; 310 bio_put_ref(reply, handle); 311 return 0; 312 313 case SVC_MGR_ADD_SERVICE: 314 s = bio_get_string16(msg, &len); 315 if (s == NULL) { 316 return -1; 317 } 318 handle = bio_get_ref(msg); 319 allow_isolated = bio_get_uint32(msg) ? 1 : 0; 320 if (do_add_service(bs, s, len, handle, txn->sender_euid, 321 allow_isolated, txn->sender_pid)) 322 return -1; 323 break; 324 325 case SVC_MGR_LIST_SERVICES: { 326 uint32_t n = bio_get_uint32(msg); 327 328 if (!svc_can_list(txn->sender_pid, txn->sender_euid)) { 329 ALOGE("list_service() uid=%d - PERMISSION DENIED\n", 330 txn->sender_euid); 331 return -1; 332 } 333 si = svclist; 334 while ((n-- > 0) && si) 335 si = si->next; 336 if (si) { 337 bio_put_string16(reply, si->name); 338 return 0; 339 } 340 return -1; 341 } 342 default: 343 ALOGE("unknown code %d\n", txn->code); 344 return -1; 345 } 346 347 bio_put_uint32(reply, 0); 348 return 0; 349} 350 351 352static int audit_callback(void *data, __unused security_class_t cls, char *buf, size_t len) 353{ 354 struct audit_data *ad = (struct audit_data *)data; 355 356 if (!ad || !ad->name) { 357 ALOGE("No service manager audit data"); 358 return 0; 359 } 360 361 snprintf(buf, len, "service=%s pid=%d uid=%d", ad->name, ad->pid, ad->uid); 362 return 0; 363} 364 365int main(int argc, char** argv) 366{ 367 struct binder_state *bs; 368 union selinux_callback cb; 369 char *driver; 370 371 if (argc > 1) { 372 driver = argv[1]; 373 } else { 374 driver = "/dev/binder"; 375 } 376 377 bs = binder_open(driver, 128*1024); 378 if (!bs) { 379#ifdef VENDORSERVICEMANAGER 380 ALOGW("failed to open binder driver %s\n", driver); 381 while (true) { 382 sleep(UINT_MAX); 383 } 384#else 385 ALOGE("failed to open binder driver %s\n", driver); 386#endif 387 return -1; 388 } 389 390 if (binder_become_context_manager(bs)) { 391 ALOGE("cannot become context manager (%s)\n", strerror(errno)); 392 return -1; 393 } 394 395 cb.func_audit = audit_callback; 396 selinux_set_callback(SELINUX_CB_AUDIT, cb); 397 cb.func_log = selinux_log_callback; 398 selinux_set_callback(SELINUX_CB_LOG, cb); 399 400#ifdef VENDORSERVICEMANAGER 401 sehandle = selinux_android_vendor_service_context_handle(); 402#else 403 sehandle = selinux_android_service_context_handle(); 404#endif 405 selinux_status_open(true); 406 407 if (sehandle == NULL) { 408 ALOGE("SELinux: Failed to acquire sehandle. Aborting.\n"); 409 abort(); 410 } 411 412 if (getcon(&service_manager_context) != 0) { 413 ALOGE("SELinux: Failed to acquire service_manager context. Aborting.\n"); 414 abort(); 415 } 416 417 418 binder_loop(bs, svcmgr_handler); 419 420 return 0; 421} 422