1 /*
2 * Copyright (C) 2016 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #define LOG_TAG "keystore"
18
19 #include "permissions.h"
20
21 #include <cutils/sockets.h>
22 #include <log/log.h>
23 #include <private/android_filesystem_config.h>
24
25 #include <selinux/android.h>
26
27 #include "keystore_utils.h"
28
29 /* perm_labels associcated with keystore_key SELinux class verbs. */
30 const char* perm_labels[] = {
31 "get_state",
32 "get",
33 "insert",
34 "delete",
35 "exist",
36 "list",
37 "reset",
38 "password",
39 "lock",
40 "unlock",
41 "is_empty",
42 "sign",
43 "verify",
44 "grant",
45 "duplicate",
46 "clear_uid",
47 "add_auth",
48 "user_changed",
49 "gen_unique_id",
50 };
51
52 struct user_euid {
53 uid_t uid;
54 uid_t euid;
55 };
56
57 user_euid user_euids[] = {{AID_VPN, AID_SYSTEM},
58 {AID_WIFI, AID_SYSTEM},
59 {AID_ROOT, AID_SYSTEM},
60
61 #ifdef GRANT_ROOT_ALL_PERMISSIONS
62 // Allow VTS tests to act on behalf of the wifi user
63 {AID_WIFI, AID_ROOT}
64 #endif
65 };
66
67 struct user_perm {
68 uid_t uid;
69 perm_t perms;
70 };
71
72 static user_perm user_perms[] = {
73 {AID_SYSTEM, static_cast<perm_t>((uint32_t)(~0))},
74 {AID_VPN, static_cast<perm_t>(P_GET | P_SIGN | P_VERIFY)},
75 {AID_WIFI, static_cast<perm_t>(P_GET | P_SIGN | P_VERIFY)},
76 {AID_BLUETOOTH, static_cast<perm_t>(P_GET | P_INSERT | P_DELETE | P_EXIST | P_SIGN | P_VERIFY)},
77
78 #ifdef GRANT_ROOT_ALL_PERMISSIONS
79 // Allow VTS tests running as root to perform all operations
80 {AID_ROOT, static_cast<perm_t>((uint32_t)(~0))},
81 #else
82 {AID_ROOT, static_cast<perm_t>(P_GET)},
83 #endif
84 };
85
86 static const perm_t DEFAULT_PERMS = static_cast<perm_t>(
87 P_GET_STATE | P_GET | P_INSERT | P_DELETE | P_EXIST | P_LIST | P_SIGN | P_VERIFY |
88 P_GEN_UNIQUE_ID /* Only privileged apps can do this, but enforcement is done by SELinux */);
89
90 struct audit_data {
91 pid_t pid;
92 uid_t uid;
93 const char* sid;
94 };
95
get_perm_label(perm_t perm)96 const char* get_perm_label(perm_t perm) {
97 unsigned int index = ffs(perm);
98 if (index > 0 && index <= (sizeof(perm_labels) / sizeof(perm_labels[0]))) {
99 return perm_labels[index - 1];
100 } else {
101 ALOGE("Keystore: Failed to retrieve permission label.\n");
102 abort();
103 }
104 }
105
audit_callback(void * data,security_class_t,char * buf,size_t len)106 static int audit_callback(void* data, security_class_t /* cls */, char* buf, size_t len) {
107 struct audit_data* ad = reinterpret_cast<struct audit_data*>(data);
108 if (!ad) {
109 ALOGE("No keystore audit data");
110 return 0;
111 }
112
113 const char* sid = ad->sid ? ad->sid : "N/A";
114 snprintf(buf, len, "pid=%d uid=%d sid=%s", ad->pid, ad->uid, sid);
115 return 0;
116 }
117
118 static char* tctx;
119
configure_selinux()120 int configure_selinux() {
121 union selinux_callback cb;
122 cb.func_audit = audit_callback;
123 selinux_set_callback(SELINUX_CB_AUDIT, cb);
124 cb.func_log = selinux_log_callback;
125 selinux_set_callback(SELINUX_CB_LOG, cb);
126 if (getcon(&tctx) != 0) {
127 ALOGE("SELinux: Could not acquire target context. Aborting keystore.\n");
128 return -1;
129 }
130
131 return 0;
132 }
133
keystore_selinux_check_access(uid_t uid,perm_t perm,pid_t spid,const char * ssid)134 static bool keystore_selinux_check_access(uid_t uid, perm_t perm, pid_t spid, const char* ssid) {
135 audit_data ad;
136 char* sctx = nullptr;
137 const char* selinux_class = "keystore_key";
138 const char* str_perm = get_perm_label(perm);
139
140 if (!str_perm) {
141 return false;
142 }
143
144 if (ssid == nullptr && getpidcon(spid, &sctx) != 0) {
145 ALOGE("SELinux: Failed to get source pid context.\n");
146 return false;
147 }
148
149 const char* use_sid = ssid ? ssid : sctx;
150
151 ad.pid = spid;
152 ad.uid = uid;
153 ad.sid = use_sid;
154
155 bool allowed = selinux_check_access(use_sid, tctx, selinux_class, str_perm,
156 reinterpret_cast<void*>(&ad)) == 0;
157 freecon(sctx);
158 return allowed;
159 }
160
161 /**
162 * Returns the UID that the callingUid should act as. This is here for
163 * legacy support of the WiFi and VPN systems and should be removed
164 * when WiFi can operate in its own namespace.
165 */
get_keystore_euid(uid_t uid)166 uid_t get_keystore_euid(uid_t uid) {
167 for (size_t i = 0; i < sizeof(user_euids) / sizeof(user_euids[0]); i++) {
168 struct user_euid user = user_euids[i];
169 if (user.uid == uid) {
170 return user.euid;
171 }
172 }
173
174 return uid;
175 }
176
has_permission(uid_t uid,perm_t perm,pid_t spid,const char * sid)177 bool has_permission(uid_t uid, perm_t perm, pid_t spid, const char* sid) {
178 // All system users are equivalent for multi-user support.
179 if (get_app_id(uid) == AID_SYSTEM) {
180 uid = AID_SYSTEM;
181 }
182
183 if (sid == nullptr) {
184 android_errorWriteLog(0x534e4554, "121035042");
185 }
186
187 for (size_t i = 0; i < sizeof(user_perms) / sizeof(user_perms[0]); i++) {
188 struct user_perm user = user_perms[i];
189 if (user.uid == uid) {
190 return (user.perms & perm) && keystore_selinux_check_access(uid, perm, spid, sid);
191 }
192 }
193
194 return (DEFAULT_PERMS & perm) && keystore_selinux_check_access(uid, perm, spid, sid);
195 }
196
197 /**
198 * Returns true if the callingUid is allowed to interact in the targetUid's
199 * namespace.
200 */
is_granted_to(uid_t callingUid,uid_t targetUid)201 bool is_granted_to(uid_t callingUid, uid_t targetUid) {
202 if (callingUid == targetUid) {
203 return true;
204 }
205 for (size_t i = 0; i < sizeof(user_euids) / sizeof(user_euids[0]); i++) {
206 struct user_euid user = user_euids[i];
207 if (user.euid == callingUid && user.uid == targetUid) {
208 return true;
209 }
210 }
211
212 return false;
213 }
214