1 /*
2 * Copyright (C) 2010 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 //#define LOG_NDEBUG 0
18 #define LOG_TAG "DrmManagerService(Native)"
19 #include <utils/Log.h>
20
21 #include <private/android_filesystem_config.h>
22 #include <media/MemoryLeakTrackUtil.h>
23
24 #include <errno.h>
25 #include <utils/threads.h>
26 #include <binder/IServiceManager.h>
27 #include <binder/IPCThreadState.h>
28 #include <sys/stat.h>
29 #include "DrmManagerService.h"
30 #include "DrmManager.h"
31
32 #include <selinux/android.h>
33
34 using namespace android;
35
36 static int selinux_enabled;
37 static char *drmserver_context;
38 static Vector<uid_t> trustedUids;
39
40 const char *const DrmManagerService::drm_perm_labels[] = {
41 "consumeRights",
42 "setPlaybackStatus",
43 "openDecryptSession",
44 "closeDecryptSession",
45 "initializeDecryptUnit",
46 "decrypt",
47 "finalizeDecryptUnit",
48 "pread"
49 };
50
get_perm_label(drm_perm_t perm)51 const char *DrmManagerService::get_perm_label(drm_perm_t perm) {
52 unsigned int index = perm;
53
54 if (index >= (sizeof(drm_perm_labels) / sizeof(drm_perm_labels[0]))) {
55 ALOGE("SELinux: Failed to retrieve permission label(perm=%d).\n", perm);
56 abort();
57 }
58 return drm_perm_labels[index];
59 }
60
selinuxIsProtectedCallAllowed(pid_t spid,const char * ssid,drm_perm_t perm)61 bool DrmManagerService::selinuxIsProtectedCallAllowed(pid_t spid, const char* ssid, drm_perm_t perm) {
62 if (selinux_enabled <= 0) {
63 return true;
64 }
65
66 char *sctx = NULL;
67 const char *selinux_class = "drmservice";
68 const char *str_perm = get_perm_label(perm);
69
70 if (ssid == NULL) {
71 android_errorWriteLog(0x534e4554, "121035042");
72
73 if (getpidcon(spid, &sctx) != 0) {
74 ALOGE("SELinux: getpidcon(pid=%d) failed.\n", spid);
75 return false;
76 }
77 }
78
79 bool allowed = (selinux_check_access(ssid ? ssid : sctx, drmserver_context,
80 selinux_class, str_perm, NULL) == 0);
81 freecon(sctx);
82
83 return allowed;
84 }
85
isProtectedCallAllowed(drm_perm_t perm)86 bool DrmManagerService::isProtectedCallAllowed(drm_perm_t perm) {
87 // TODO
88 // Following implementation is just for reference.
89 // Each OEM manufacturer should implement/replace with their own solutions.
90 IPCThreadState* ipcState = IPCThreadState::self();
91 uid_t uid = ipcState->getCallingUid();
92 pid_t spid = ipcState->getCallingPid();
93 const char* ssid = ipcState->getCallingSid();
94
95 for (unsigned int i = 0; i < trustedUids.size(); ++i) {
96 if (trustedUids[i] == uid) {
97 return selinuxIsProtectedCallAllowed(spid, ssid, perm);
98 }
99 }
100 return false;
101 }
102
instantiate()103 void DrmManagerService::instantiate() {
104 ALOGV("instantiate");
105 sp<DrmManagerService> service = new DrmManagerService();
106 service->setRequestingSid(true);
107 defaultServiceManager()->addService(String16("drm.drmManager"), service);
108
109 if (0 >= trustedUids.size()) {
110 // TODO
111 // Following implementation is just for reference.
112 // Each OEM manufacturer should implement/replace with their own solutions.
113
114 // Add trusted uids here
115 trustedUids.push(AID_MEDIA);
116 }
117
118 selinux_enabled = is_selinux_enabled();
119 if (selinux_enabled > 0 && getcon(&drmserver_context) != 0) {
120 ALOGE("SELinux: DrmManagerService failed to get context for DrmManagerService. Aborting.\n");
121 abort();
122 }
123
124 union selinux_callback cb;
125 cb.func_log = selinux_log_callback;
126 selinux_set_callback(SELINUX_CB_LOG, cb);
127 }
128
DrmManagerService()129 DrmManagerService::DrmManagerService() :
130 mDrmManager(NULL) {
131 ALOGV("created");
132 mDrmManager = new DrmManager();
133 mDrmManager->loadPlugIns();
134 }
135
~DrmManagerService()136 DrmManagerService::~DrmManagerService() {
137 ALOGV("Destroyed");
138 mDrmManager->unloadPlugIns();
139 delete mDrmManager; mDrmManager = NULL;
140 }
141
addUniqueId(bool isNative)142 int DrmManagerService::addUniqueId(bool isNative) {
143 return mDrmManager->addUniqueId(isNative);
144 }
145
removeUniqueId(int uniqueId)146 void DrmManagerService::removeUniqueId(int uniqueId) {
147 mDrmManager->removeUniqueId(uniqueId);
148 }
149
addClient(int uniqueId)150 void DrmManagerService::addClient(int uniqueId) {
151 mDrmManager->addClient(uniqueId);
152 }
153
removeClient(int uniqueId)154 void DrmManagerService::removeClient(int uniqueId) {
155 mDrmManager->removeClient(uniqueId);
156 }
157
setDrmServiceListener(int uniqueId,const sp<IDrmServiceListener> & drmServiceListener)158 status_t DrmManagerService::setDrmServiceListener(
159 int uniqueId, const sp<IDrmServiceListener>& drmServiceListener) {
160 ALOGV("Entering setDrmServiceListener");
161 mDrmManager->setDrmServiceListener(uniqueId, drmServiceListener);
162 return DRM_NO_ERROR;
163 }
164
getConstraints(int uniqueId,const String8 * path,const int action)165 DrmConstraints* DrmManagerService::getConstraints(
166 int uniqueId, const String8* path, const int action) {
167 ALOGV("Entering getConstraints from content");
168 return mDrmManager->getConstraints(uniqueId, path, action);
169 }
170
getMetadata(int uniqueId,const String8 * path)171 DrmMetadata* DrmManagerService::getMetadata(int uniqueId, const String8* path) {
172 ALOGV("Entering getMetadata from content");
173 return mDrmManager->getMetadata(uniqueId, path);
174 }
175
canHandle(int uniqueId,const String8 & path,const String8 & mimeType)176 bool DrmManagerService::canHandle(int uniqueId, const String8& path, const String8& mimeType) {
177 ALOGV("Entering canHandle");
178 return mDrmManager->canHandle(uniqueId, path, mimeType);
179 }
180
processDrmInfo(int uniqueId,const DrmInfo * drmInfo)181 DrmInfoStatus* DrmManagerService::processDrmInfo(int uniqueId, const DrmInfo* drmInfo) {
182 ALOGV("Entering processDrmInfo");
183 return mDrmManager->processDrmInfo(uniqueId, drmInfo);
184 }
185
acquireDrmInfo(int uniqueId,const DrmInfoRequest * drmInfoRequest)186 DrmInfo* DrmManagerService::acquireDrmInfo(int uniqueId, const DrmInfoRequest* drmInfoRequest) {
187 ALOGV("Entering acquireDrmInfo");
188 return mDrmManager->acquireDrmInfo(uniqueId, drmInfoRequest);
189 }
190
saveRights(int uniqueId,const DrmRights & drmRights,const String8 & rightsPath,const String8 & contentPath)191 status_t DrmManagerService::saveRights(
192 int uniqueId, const DrmRights& drmRights,
193 const String8& rightsPath, const String8& contentPath) {
194 ALOGV("Entering saveRights");
195 return mDrmManager->saveRights(uniqueId, drmRights, rightsPath, contentPath);
196 }
197
getOriginalMimeType(int uniqueId,const String8 & path,int fd)198 String8 DrmManagerService::getOriginalMimeType(int uniqueId, const String8& path, int fd) {
199 ALOGV("Entering getOriginalMimeType");
200 return mDrmManager->getOriginalMimeType(uniqueId, path, fd);
201 }
202
getDrmObjectType(int uniqueId,const String8 & path,const String8 & mimeType)203 int DrmManagerService::getDrmObjectType(
204 int uniqueId, const String8& path, const String8& mimeType) {
205 ALOGV("Entering getDrmObjectType");
206 return mDrmManager->getDrmObjectType(uniqueId, path, mimeType);
207 }
208
checkRightsStatus(int uniqueId,const String8 & path,int action)209 int DrmManagerService::checkRightsStatus(
210 int uniqueId, const String8& path, int action) {
211 ALOGV("Entering checkRightsStatus");
212 return mDrmManager->checkRightsStatus(uniqueId, path, action);
213 }
214
consumeRights(int uniqueId,sp<DecryptHandle> & decryptHandle,int action,bool reserve)215 status_t DrmManagerService::consumeRights(
216 int uniqueId, sp<DecryptHandle>& decryptHandle, int action, bool reserve) {
217 ALOGV("Entering consumeRights");
218 if (!isProtectedCallAllowed(CONSUME_RIGHTS)) {
219 return DRM_ERROR_NO_PERMISSION;
220 }
221 return mDrmManager->consumeRights(uniqueId, decryptHandle, action, reserve);
222 }
223
setPlaybackStatus(int uniqueId,sp<DecryptHandle> & decryptHandle,int playbackStatus,int64_t position)224 status_t DrmManagerService::setPlaybackStatus(
225 int uniqueId, sp<DecryptHandle>& decryptHandle, int playbackStatus, int64_t position) {
226 ALOGV("Entering setPlaybackStatus");
227 if (!isProtectedCallAllowed(SET_PLAYBACK_STATUS)) {
228 return DRM_ERROR_NO_PERMISSION;
229 }
230 return mDrmManager->setPlaybackStatus(uniqueId, decryptHandle, playbackStatus, position);
231 }
232
validateAction(int uniqueId,const String8 & path,int action,const ActionDescription & description)233 bool DrmManagerService::validateAction(
234 int uniqueId, const String8& path,
235 int action, const ActionDescription& description) {
236 ALOGV("Entering validateAction");
237 return mDrmManager->validateAction(uniqueId, path, action, description);
238 }
239
removeRights(int uniqueId,const String8 & path)240 status_t DrmManagerService::removeRights(int uniqueId, const String8& path) {
241 ALOGV("Entering removeRights");
242 return mDrmManager->removeRights(uniqueId, path);
243 }
244
removeAllRights(int uniqueId)245 status_t DrmManagerService::removeAllRights(int uniqueId) {
246 ALOGV("Entering removeAllRights");
247 return mDrmManager->removeAllRights(uniqueId);
248 }
249
openConvertSession(int uniqueId,const String8 & mimeType)250 int DrmManagerService::openConvertSession(int uniqueId, const String8& mimeType) {
251 ALOGV("Entering openConvertSession");
252 return mDrmManager->openConvertSession(uniqueId, mimeType);
253 }
254
convertData(int uniqueId,int convertId,const DrmBuffer * inputData)255 DrmConvertedStatus* DrmManagerService::convertData(
256 int uniqueId, int convertId, const DrmBuffer* inputData) {
257 ALOGV("Entering convertData");
258 return mDrmManager->convertData(uniqueId, convertId, inputData);
259 }
260
closeConvertSession(int uniqueId,int convertId)261 DrmConvertedStatus* DrmManagerService::closeConvertSession(int uniqueId, int convertId) {
262 ALOGV("Entering closeConvertSession");
263 return mDrmManager->closeConvertSession(uniqueId, convertId);
264 }
265
getAllSupportInfo(int uniqueId,int * length,DrmSupportInfo ** drmSupportInfoArray)266 status_t DrmManagerService::getAllSupportInfo(
267 int uniqueId, int* length, DrmSupportInfo** drmSupportInfoArray) {
268 ALOGV("Entering getAllSupportInfo");
269 return mDrmManager->getAllSupportInfo(uniqueId, length, drmSupportInfoArray);
270 }
271
openDecryptSession(int uniqueId,int fd,off64_t offset,off64_t length,const char * mime)272 sp<DecryptHandle> DrmManagerService::openDecryptSession(
273 int uniqueId, int fd, off64_t offset, off64_t length, const char* mime) {
274 ALOGV("Entering DrmManagerService::openDecryptSession");
275 if (isProtectedCallAllowed(OPEN_DECRYPT_SESSION)) {
276 return mDrmManager->openDecryptSession(uniqueId, fd, offset, length, mime);
277 }
278
279 return NULL;
280 }
281
openDecryptSession(int uniqueId,const char * uri,const char * mime)282 sp<DecryptHandle> DrmManagerService::openDecryptSession(
283 int uniqueId, const char* uri, const char* mime) {
284 ALOGV("Entering DrmManagerService::openDecryptSession with uri");
285 if (isProtectedCallAllowed(OPEN_DECRYPT_SESSION)) {
286 return mDrmManager->openDecryptSession(uniqueId, uri, mime);
287 }
288
289 return NULL;
290 }
291
openDecryptSession(int uniqueId,const DrmBuffer & buf,const String8 & mimeType)292 sp<DecryptHandle> DrmManagerService::openDecryptSession(
293 int uniqueId, const DrmBuffer& buf, const String8& mimeType) {
294 ALOGV("Entering DrmManagerService::openDecryptSession for streaming");
295 if (isProtectedCallAllowed(OPEN_DECRYPT_SESSION)) {
296 return mDrmManager->openDecryptSession(uniqueId, buf, mimeType);
297 }
298
299 return NULL;
300 }
301
closeDecryptSession(int uniqueId,sp<DecryptHandle> & decryptHandle)302 status_t DrmManagerService::closeDecryptSession(int uniqueId, sp<DecryptHandle>& decryptHandle) {
303 ALOGV("Entering closeDecryptSession");
304 if (!isProtectedCallAllowed(CLOSE_DECRYPT_SESSION)) {
305 return DRM_ERROR_NO_PERMISSION;
306 }
307 return mDrmManager->closeDecryptSession(uniqueId, decryptHandle);
308 }
309
initializeDecryptUnit(int uniqueId,sp<DecryptHandle> & decryptHandle,int decryptUnitId,const DrmBuffer * headerInfo)310 status_t DrmManagerService::initializeDecryptUnit(int uniqueId, sp<DecryptHandle>& decryptHandle,
311 int decryptUnitId, const DrmBuffer* headerInfo) {
312 ALOGV("Entering initializeDecryptUnit");
313 if (!isProtectedCallAllowed(INITIALIZE_DECRYPT_UNIT)) {
314 return DRM_ERROR_NO_PERMISSION;
315 }
316 return mDrmManager->initializeDecryptUnit(uniqueId,decryptHandle, decryptUnitId, headerInfo);
317 }
318
decrypt(int uniqueId,sp<DecryptHandle> & decryptHandle,int decryptUnitId,const DrmBuffer * encBuffer,DrmBuffer ** decBuffer,DrmBuffer * IV)319 status_t DrmManagerService::decrypt(
320 int uniqueId, sp<DecryptHandle>& decryptHandle, int decryptUnitId,
321 const DrmBuffer* encBuffer, DrmBuffer** decBuffer, DrmBuffer* IV) {
322 ALOGV("Entering decrypt");
323 if (!isProtectedCallAllowed(DECRYPT)) {
324 return DRM_ERROR_NO_PERMISSION;
325 }
326 return mDrmManager->decrypt(uniqueId, decryptHandle, decryptUnitId, encBuffer, decBuffer, IV);
327 }
328
finalizeDecryptUnit(int uniqueId,sp<DecryptHandle> & decryptHandle,int decryptUnitId)329 status_t DrmManagerService::finalizeDecryptUnit(
330 int uniqueId, sp<DecryptHandle>& decryptHandle, int decryptUnitId) {
331 ALOGV("Entering finalizeDecryptUnit");
332 if (!isProtectedCallAllowed(FINALIZE_DECRYPT_UNIT)) {
333 return DRM_ERROR_NO_PERMISSION;
334 }
335 return mDrmManager->finalizeDecryptUnit(uniqueId, decryptHandle, decryptUnitId);
336 }
337
pread(int uniqueId,sp<DecryptHandle> & decryptHandle,void * buffer,ssize_t numBytes,off64_t offset)338 ssize_t DrmManagerService::pread(int uniqueId, sp<DecryptHandle>& decryptHandle,
339 void* buffer, ssize_t numBytes, off64_t offset) {
340 ALOGV("Entering pread");
341 if (!isProtectedCallAllowed(PREAD)) {
342 return DRM_ERROR_NO_PERMISSION;
343 }
344 return mDrmManager->pread(uniqueId, decryptHandle, buffer, numBytes, offset);
345 }
346
dump(int fd,const Vector<String16> & args)347 status_t DrmManagerService::dump(int fd, const Vector<String16>& args)
348 {
349 const size_t SIZE = 256;
350 char buffer[SIZE];
351 String8 result;
352 if (checkCallingPermission(String16("android.permission.DUMP")) == false) {
353 snprintf(buffer, SIZE, "Permission Denial: "
354 "can't dump DrmManagerService from pid=%d, uid=%d\n",
355 IPCThreadState::self()->getCallingPid(),
356 IPCThreadState::self()->getCallingUid());
357 result.append(buffer);
358 } else {
359 #if DRM_MEMORY_LEAK_TRACK
360 bool dumpMem = false;
361 for (size_t i = 0; i < args.size(); i++) {
362 if (args[i] == String16("-m")) {
363 dumpMem = true;
364 }
365 }
366 if (dumpMem) {
367 result.append("\nDumping memory:\n");
368 std::string s = dumpMemoryAddresses(100 /* limit */);
369 result.append(s.c_str(), s.size());
370 }
371 #else
372 (void)args;
373 #endif
374 }
375 write(fd, result.string(), result.size());
376 return NO_ERROR;
377 }
378
379