13daa5a0d71ba8facd8be9370df54c20c23be6d8dUtkarsh Sanghi//
23daa5a0d71ba8facd8be9370df54c20c23be6d8dUtkarsh Sanghi// Copyright (C) 2014 The Android Open Source Project
33daa5a0d71ba8facd8be9370df54c20c23be6d8dUtkarsh Sanghi//
43daa5a0d71ba8facd8be9370df54c20c23be6d8dUtkarsh Sanghi// Licensed under the Apache License, Version 2.0 (the "License");
53daa5a0d71ba8facd8be9370df54c20c23be6d8dUtkarsh Sanghi// you may not use this file except in compliance with the License.
63daa5a0d71ba8facd8be9370df54c20c23be6d8dUtkarsh Sanghi// You may obtain a copy of the License at
73daa5a0d71ba8facd8be9370df54c20c23be6d8dUtkarsh Sanghi//
83daa5a0d71ba8facd8be9370df54c20c23be6d8dUtkarsh Sanghi//      http://www.apache.org/licenses/LICENSE-2.0
93daa5a0d71ba8facd8be9370df54c20c23be6d8dUtkarsh Sanghi//
103daa5a0d71ba8facd8be9370df54c20c23be6d8dUtkarsh Sanghi// Unless required by applicable law or agreed to in writing, software
113daa5a0d71ba8facd8be9370df54c20c23be6d8dUtkarsh Sanghi// distributed under the License is distributed on an "AS IS" BASIS,
123daa5a0d71ba8facd8be9370df54c20c23be6d8dUtkarsh Sanghi// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
133daa5a0d71ba8facd8be9370df54c20c23be6d8dUtkarsh Sanghi// See the License for the specific language governing permissions and
143daa5a0d71ba8facd8be9370df54c20c23be6d8dUtkarsh Sanghi// limitations under the License.
153daa5a0d71ba8facd8be9370df54c20c23be6d8dUtkarsh Sanghi//
166bead48129845a2bc0d6ff347f3d7e232004d59Nam T. Nguyen
17c4c764b59281d9299ea22a91b4be0d807f4f11c8Utkarsh Sanghi#include <sysexits.h>
18c4c764b59281d9299ea22a91b4be0d807f4f11c8Utkarsh Sanghi
19b91fd4923f411705be97fbc5c0ada37481c0cd8dDarren Krahn#include <memory>
206bead48129845a2bc0d6ff347f3d7e232004d59Nam T. Nguyen#include <string>
216bead48129845a2bc0d6ff347f3d7e232004d59Nam T. Nguyen
226bead48129845a2bc0d6ff347f3d7e232004d59Nam T. Nguyen#include <base/command_line.h>
23e270d8c69ab46b2ad2973d5b9395aae7c1f52bf6Alex Vakulenko#include <brillo/daemons/dbus_daemon.h>
24e270d8c69ab46b2ad2973d5b9395aae7c1f52bf6Alex Vakulenko#include <brillo/dbus/async_event_sequencer.h>
25e270d8c69ab46b2ad2973d5b9395aae7c1f52bf6Alex Vakulenko#include <brillo/minijail/minijail.h>
26e270d8c69ab46b2ad2973d5b9395aae7c1f52bf6Alex Vakulenko#include <brillo/syslog_logging.h>
27e270d8c69ab46b2ad2973d5b9395aae7c1f52bf6Alex Vakulenko#include <brillo/userdb_utils.h>
286bead48129845a2bc0d6ff347f3d7e232004d59Nam T. Nguyen
29b91fd4923f411705be97fbc5c0ada37481c0cd8dDarren Krahn#include "attestation/common/dbus_interface.h"
30ab0cddda9971f97781fc9f6cbc76095ba7542abfAlex Vakulenko#include "attestation/server/attestation_service.h"
31b91fd4923f411705be97fbc5c0ada37481c0cd8dDarren Krahn#include "attestation/server/dbus_service.h"
326bead48129845a2bc0d6ff347f3d7e232004d59Nam T. Nguyen
336f035c433ab3ed2992b2d187b35ef7715f80e9a6Alex Vakulenko#include <chromeos/libminijail.h>
34c4c764b59281d9299ea22a91b4be0d807f4f11c8Utkarsh Sanghi
35c4c764b59281d9299ea22a91b4be0d807f4f11c8Utkarsh Sanghinamespace {
36c4c764b59281d9299ea22a91b4be0d807f4f11c8Utkarsh Sanghi
37c4c764b59281d9299ea22a91b4be0d807f4f11c8Utkarsh Sanghiconst uid_t kRootUID = 0;
38c4c764b59281d9299ea22a91b4be0d807f4f11c8Utkarsh Sanghiconst char kAttestationUser[] = "attestation";
39c4c764b59281d9299ea22a91b4be0d807f4f11c8Utkarsh Sanghiconst char kAttestationGroup[] = "attestation";
40c4c764b59281d9299ea22a91b4be0d807f4f11c8Utkarsh Sanghiconst char kAttestationSeccompPath[] =
41c4c764b59281d9299ea22a91b4be0d807f4f11c8Utkarsh Sanghi    "/usr/share/policy/attestationd-seccomp.policy";
42c4c764b59281d9299ea22a91b4be0d807f4f11c8Utkarsh Sanghi
43c4c764b59281d9299ea22a91b4be0d807f4f11c8Utkarsh Sanghivoid InitMinijailSandbox() {
44c4c764b59281d9299ea22a91b4be0d807f4f11c8Utkarsh Sanghi  uid_t attestation_uid;
45c4c764b59281d9299ea22a91b4be0d807f4f11c8Utkarsh Sanghi  gid_t attestation_gid;
464dc4629c415e7ca90ff146d7bb75b5646ecd8b17Darren Krahn  CHECK(brillo::userdb::GetUserInfo(kAttestationUser, &attestation_uid,
474dc4629c415e7ca90ff146d7bb75b5646ecd8b17Darren Krahn                                    &attestation_gid))
48c4c764b59281d9299ea22a91b4be0d807f4f11c8Utkarsh Sanghi      << "Error getting attestation uid and gid.";
49c4c764b59281d9299ea22a91b4be0d807f4f11c8Utkarsh Sanghi  CHECK_EQ(getuid(), kRootUID) << "AttestationDaemon not initialized as root.";
50e270d8c69ab46b2ad2973d5b9395aae7c1f52bf6Alex Vakulenko  brillo::Minijail* minijail = brillo::Minijail::GetInstance();
51c4c764b59281d9299ea22a91b4be0d807f4f11c8Utkarsh Sanghi  struct minijail* jail = minijail->New();
52c4c764b59281d9299ea22a91b4be0d807f4f11c8Utkarsh Sanghi
53c4c764b59281d9299ea22a91b4be0d807f4f11c8Utkarsh Sanghi  minijail->DropRoot(jail, kAttestationUser, kAttestationGroup);
545316951199ff1e3c9be125ecd55726b31412178dDarren Krahn  minijail_inherit_usergroups(jail);
55c4c764b59281d9299ea22a91b4be0d807f4f11c8Utkarsh Sanghi  minijail->UseSeccompFilter(jail, kAttestationSeccompPath);
56c4c764b59281d9299ea22a91b4be0d807f4f11c8Utkarsh Sanghi  minijail->Enter(jail);
57c4c764b59281d9299ea22a91b4be0d807f4f11c8Utkarsh Sanghi  minijail->Destroy(jail);
58c4c764b59281d9299ea22a91b4be0d807f4f11c8Utkarsh Sanghi  CHECK_EQ(getuid(), attestation_uid)
59c4c764b59281d9299ea22a91b4be0d807f4f11c8Utkarsh Sanghi      << "AttestationDaemon was not able to drop to attestation user.";
60c4c764b59281d9299ea22a91b4be0d807f4f11c8Utkarsh Sanghi  CHECK_EQ(getgid(), attestation_gid)
61c4c764b59281d9299ea22a91b4be0d807f4f11c8Utkarsh Sanghi      << "AttestationDaemon was not able to drop to attestation group.";
62c4c764b59281d9299ea22a91b4be0d807f4f11c8Utkarsh Sanghi}
63c4c764b59281d9299ea22a91b4be0d807f4f11c8Utkarsh Sanghi
64c4c764b59281d9299ea22a91b4be0d807f4f11c8Utkarsh Sanghi}  // namespace
65c4c764b59281d9299ea22a91b4be0d807f4f11c8Utkarsh Sanghi
66e270d8c69ab46b2ad2973d5b9395aae7c1f52bf6Alex Vakulenkousing brillo::dbus_utils::AsyncEventSequencer;
6745fc1234b4f1a1c1cfdd44774350a70b26b9b630Alex Vakulenko
68e270d8c69ab46b2ad2973d5b9395aae7c1f52bf6Alex Vakulenkoclass AttestationDaemon : public brillo::DBusServiceDaemon {
69da5dd42c581f324bcfa96b0e4f3513cc6e331d67Alex Vakulenko public:
70da5dd42c581f324bcfa96b0e4f3513cc6e331d67Alex Vakulenko  AttestationDaemon()
71e270d8c69ab46b2ad2973d5b9395aae7c1f52bf6Alex Vakulenko      : brillo::DBusServiceDaemon(attestation::kAttestationServiceName) {
72b91fd4923f411705be97fbc5c0ada37481c0cd8dDarren Krahn    attestation_service_.reset(new attestation::AttestationService);
73c4c764b59281d9299ea22a91b4be0d807f4f11c8Utkarsh Sanghi    // Move initialize call down to OnInit
74b91fd4923f411705be97fbc5c0ada37481c0cd8dDarren Krahn    CHECK(attestation_service_->Initialize());
75b91fd4923f411705be97fbc5c0ada37481c0cd8dDarren Krahn  }
766bead48129845a2bc0d6ff347f3d7e232004d59Nam T. Nguyen
77da5dd42c581f324bcfa96b0e4f3513cc6e331d67Alex Vakulenko protected:
78c4c764b59281d9299ea22a91b4be0d807f4f11c8Utkarsh Sanghi  int OnInit() override {
79e270d8c69ab46b2ad2973d5b9395aae7c1f52bf6Alex Vakulenko    int result = brillo::DBusServiceDaemon::OnInit();
80c4c764b59281d9299ea22a91b4be0d807f4f11c8Utkarsh Sanghi    if (result != EX_OK) {
81c4c764b59281d9299ea22a91b4be0d807f4f11c8Utkarsh Sanghi      LOG(ERROR) << "Error starting attestation dbus daemon.";
82c4c764b59281d9299ea22a91b4be0d807f4f11c8Utkarsh Sanghi      return result;
83c4c764b59281d9299ea22a91b4be0d807f4f11c8Utkarsh Sanghi    }
84c4c764b59281d9299ea22a91b4be0d807f4f11c8Utkarsh Sanghi    return EX_OK;
85c4c764b59281d9299ea22a91b4be0d807f4f11c8Utkarsh Sanghi  }
86c4c764b59281d9299ea22a91b4be0d807f4f11c8Utkarsh Sanghi
87da5dd42c581f324bcfa96b0e4f3513cc6e331d67Alex Vakulenko  void RegisterDBusObjectsAsync(AsyncEventSequencer* sequencer) override {
884dc4629c415e7ca90ff146d7bb75b5646ecd8b17Darren Krahn    dbus_service_.reset(
894dc4629c415e7ca90ff146d7bb75b5646ecd8b17Darren Krahn        new attestation::DBusService(bus_, attestation_service_.get()));
90b91fd4923f411705be97fbc5c0ada37481c0cd8dDarren Krahn    dbus_service_->Register(sequencer->GetHandler("Register() failed.", true));
91da5dd42c581f324bcfa96b0e4f3513cc6e331d67Alex Vakulenko  }
926bead48129845a2bc0d6ff347f3d7e232004d59Nam T. Nguyen
93da5dd42c581f324bcfa96b0e4f3513cc6e331d67Alex Vakulenko private:
94b91fd4923f411705be97fbc5c0ada37481c0cd8dDarren Krahn  std::unique_ptr<attestation::AttestationInterface> attestation_service_;
95b91fd4923f411705be97fbc5c0ada37481c0cd8dDarren Krahn  std::unique_ptr<attestation::DBusService> dbus_service_;
966bead48129845a2bc0d6ff347f3d7e232004d59Nam T. Nguyen
97da5dd42c581f324bcfa96b0e4f3513cc6e331d67Alex Vakulenko  DISALLOW_COPY_AND_ASSIGN(AttestationDaemon);
98da5dd42c581f324bcfa96b0e4f3513cc6e331d67Alex Vakulenko};
996bead48129845a2bc0d6ff347f3d7e232004d59Nam T. Nguyen
100da5dd42c581f324bcfa96b0e4f3513cc6e331d67Alex Vakulenkoint main(int argc, char* argv[]) {
1013518664c4f5d8215aed7e0b92e6f4ea4a8902195Alex Vakulenko  base::CommandLine::Init(argc, argv);
1024dc4629c415e7ca90ff146d7bb75b5646ecd8b17Darren Krahn  base::CommandLine* cl = base::CommandLine::ForCurrentProcess();
103b3c9cdcef463064d7ac8f1e6b4b88e62433f9d5dUtkarsh Sanghi  int flags = brillo::kLogToSyslog;
104b3c9cdcef463064d7ac8f1e6b4b88e62433f9d5dUtkarsh Sanghi  if (cl->HasSwitch("log_to_stderr")) {
105b3c9cdcef463064d7ac8f1e6b4b88e62433f9d5dUtkarsh Sanghi    flags |= brillo::kLogToStderr;
106b3c9cdcef463064d7ac8f1e6b4b88e62433f9d5dUtkarsh Sanghi  }
107b3c9cdcef463064d7ac8f1e6b4b88e62433f9d5dUtkarsh Sanghi  brillo::InitLog(flags);
108da5dd42c581f324bcfa96b0e4f3513cc6e331d67Alex Vakulenko  AttestationDaemon daemon;
109c4c764b59281d9299ea22a91b4be0d807f4f11c8Utkarsh Sanghi  LOG(INFO) << "Attestation Daemon Started.";
110c4c764b59281d9299ea22a91b4be0d807f4f11c8Utkarsh Sanghi  InitMinijailSandbox();
111da5dd42c581f324bcfa96b0e4f3513cc6e331d67Alex Vakulenko  return daemon.Run();
1126bead48129845a2bc0d6ff347f3d7e232004d59Nam T. Nguyen}
113