1 // Copyright 2020, The Android Open Source Project
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 //! This crate provides some safe wrappers around the libselinux API. It is currently limited
16 //! to the API surface that Keystore 2.0 requires to perform permission checks against
17 //! the SEPolicy. Notably, it provides wrappers for:
18 //! * getcon
19 //! * selinux_check_access
20 //! * selabel_lookup for the keystore2_key backend.
21 //! And it provides an owning wrapper around context strings `Context`.
22
23 use anyhow::Context as AnyhowContext;
24 use anyhow::{anyhow, Result};
25 use lazy_static::lazy_static;
26 pub use selinux::pid_t;
27 use selinux::SELABEL_CTX_ANDROID_KEYSTORE2_KEY;
28 use selinux::SELINUX_CB_LOG;
29 use selinux_bindgen as selinux;
30 use std::ffi::{CStr, CString};
31 use std::fmt;
32 use std::io;
33 use std::marker::{Send, Sync};
34 pub use std::ops::Deref;
35 use std::os::raw::c_char;
36 use std::ptr;
37 use std::sync;
38
39 static SELINUX_LOG_INIT: sync::Once = sync::Once::new();
40
41 lazy_static! {
42 /// `selinux_check_access` is only thread safe if avc_init was called with lock callbacks.
43 /// However, avc_init is deprecated and not exported by androids version of libselinux.
44 /// `selinux_set_callbacks` does not allow setting lock callbacks. So the only option
45 /// that remains right now is to put a big lock around calls into libselinux.
46 /// TODO b/188079221 It should suffice to protect `selinux_check_access` but until we are
47 /// certain of that, we leave the extra locks in place
48 static ref LIB_SELINUX_LOCK: sync::Mutex<()> = Default::default();
49 }
50
redirect_selinux_logs_to_logcat()51 fn redirect_selinux_logs_to_logcat() {
52 // `selinux_set_callback` assigns the static lifetime function pointer
53 // `selinux_log_callback` to a static lifetime variable.
54 let cb = selinux::selinux_callback { func_log: Some(selinux::selinux_log_callback) };
55 unsafe {
56 selinux::selinux_set_callback(SELINUX_CB_LOG as i32, cb);
57 }
58 }
59
60 // This function must be called before any entry point into lib selinux.
61 // Or leave a comment reasoning why calling this macro is not necessary
62 // for a given entry point.
init_logger_once()63 fn init_logger_once() {
64 SELINUX_LOG_INIT.call_once(redirect_selinux_logs_to_logcat)
65 }
66
67 /// Selinux Error code.
68 #[derive(thiserror::Error, Debug, PartialEq)]
69 pub enum Error {
70 /// Indicates that an access check yielded no access.
71 #[error("Permission Denied")]
72 PermissionDenied,
73 /// Indicates an unexpected system error. Nested string provides some details.
74 #[error("Selinux SystemError: {0}")]
75 SystemError(String),
76 }
77
78 impl Error {
79 /// Constructs a `PermissionDenied` error.
perm() -> Self80 pub fn perm() -> Self {
81 Error::PermissionDenied
82 }
sys<T: Into<String>>(s: T) -> Self83 fn sys<T: Into<String>>(s: T) -> Self {
84 Error::SystemError(s.into())
85 }
86 }
87
88 /// Context represents an SELinux context string. It can take ownership of a raw
89 /// s-string as allocated by `getcon` or `selabel_lookup`. In this case it uses
90 /// `freecon` to free the resources when dropped. In its second variant it stores
91 /// an `std::ffi::CString` that can be initialized from a Rust string slice.
92 #[derive(Debug)]
93 pub enum Context {
94 /// Wraps a raw context c-string as returned by libselinux.
95 Raw(*mut ::std::os::raw::c_char),
96 /// Stores a context string as `std::ffi::CString`.
97 CString(CString),
98 }
99
100 impl PartialEq for Context {
eq(&self, other: &Self) -> bool101 fn eq(&self, other: &Self) -> bool {
102 // We dereference both and thereby delegate the comparison
103 // to `CStr`'s implementation of `PartialEq`.
104 **self == **other
105 }
106 }
107
108 impl Eq for Context {}
109
110 impl fmt::Display for Context {
fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result111 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
112 write!(f, "{}", (**self).to_str().unwrap_or("Invalid context"))
113 }
114 }
115
116 impl Drop for Context {
drop(&mut self)117 fn drop(&mut self) {
118 if let Self::Raw(p) = self {
119 // No need to initialize the logger here, because
120 // `freecon` cannot run unless `Backend::lookup` or `getcon`
121 // has run.
122 unsafe { selinux::freecon(*p) };
123 }
124 }
125 }
126
127 impl Deref for Context {
128 type Target = CStr;
129
deref(&self) -> &Self::Target130 fn deref(&self) -> &Self::Target {
131 match self {
132 Self::Raw(p) => unsafe { CStr::from_ptr(*p) },
133 Self::CString(cstr) => &cstr,
134 }
135 }
136 }
137
138 impl Context {
139 /// Initializes the `Context::CString` variant from a Rust string slice.
new(con: &str) -> Result<Self>140 pub fn new(con: &str) -> Result<Self> {
141 Ok(Self::CString(
142 CString::new(con)
143 .with_context(|| format!("Failed to create Context with \"{}\"", con))?,
144 ))
145 }
146 }
147
148 /// The backend trait provides a uniform interface to all libselinux context backends.
149 /// Currently, we only implement the KeystoreKeyBackend though.
150 pub trait Backend {
151 /// Implementers use libselinux `selabel_lookup` to lookup the context for the given `key`.
lookup(&self, key: &str) -> Result<Context>152 fn lookup(&self, key: &str) -> Result<Context>;
153 }
154
155 /// Keystore key backend takes onwnership of the SELinux context handle returned by
156 /// `selinux_android_keystore2_key_context_handle` and uses `selabel_close` to free
157 /// the handle when dropped.
158 /// It implements `Backend` to provide keystore_key label lookup functionality.
159 pub struct KeystoreKeyBackend {
160 handle: *mut selinux::selabel_handle,
161 }
162
163 // KeystoreKeyBackend is Sync because selabel_lookup is thread safe.
164 unsafe impl Sync for KeystoreKeyBackend {}
165 unsafe impl Send for KeystoreKeyBackend {}
166
167 impl KeystoreKeyBackend {
168 const BACKEND_TYPE: i32 = SELABEL_CTX_ANDROID_KEYSTORE2_KEY as i32;
169
170 /// Creates a new instance representing an SELinux context handle as returned by
171 /// `selinux_android_keystore2_key_context_handle`.
new() -> Result<Self>172 pub fn new() -> Result<Self> {
173 init_logger_once();
174 let _lock = LIB_SELINUX_LOCK.lock().unwrap();
175
176 let handle = unsafe { selinux::selinux_android_keystore2_key_context_handle() };
177 if handle.is_null() {
178 return Err(anyhow!(Error::sys("Failed to open KeystoreKeyBackend")));
179 }
180 Ok(KeystoreKeyBackend { handle })
181 }
182 }
183
184 impl Drop for KeystoreKeyBackend {
drop(&mut self)185 fn drop(&mut self) {
186 // No need to initialize the logger here because it cannot be called unless
187 // KeystoreKeyBackend::new has run.
188 unsafe { selinux::selabel_close(self.handle) };
189 }
190 }
191
192 // Because KeystoreKeyBackend is Sync and Send, member function must never call
193 // non thread safe libselinux functions. As of this writing no non thread safe
194 // functions exist that could be called on a label backend handle.
195 impl Backend for KeystoreKeyBackend {
lookup(&self, key: &str) -> Result<Context>196 fn lookup(&self, key: &str) -> Result<Context> {
197 let mut con: *mut c_char = ptr::null_mut();
198 let c_key = CString::new(key).with_context(|| {
199 format!("selabel_lookup: Failed to convert key \"{}\" to CString.", key)
200 })?;
201 match unsafe {
202 // No need to initialize the logger here because it cannot run unless
203 // KeystoreKeyBackend::new has run.
204 let _lock = LIB_SELINUX_LOCK.lock().unwrap();
205
206 selinux::selabel_lookup(self.handle, &mut con, c_key.as_ptr(), Self::BACKEND_TYPE)
207 } {
208 0 => {
209 if !con.is_null() {
210 Ok(Context::Raw(con))
211 } else {
212 Err(anyhow!(Error::sys(format!(
213 "selabel_lookup returned a NULL context for key \"{}\"",
214 key
215 ))))
216 }
217 }
218 _ => Err(anyhow!(io::Error::last_os_error()))
219 .with_context(|| format!("selabel_lookup failed for key \"{}\"", key)),
220 }
221 }
222 }
223
224 /// Safe wrapper around libselinux `getcon`. It initializes the `Context::Raw` variant of the
225 /// returned `Context`.
226 ///
227 /// ## Return
228 /// * Ok(Context::Raw()) if successful.
229 /// * Err(Error::sys()) if getcon succeeded but returned a NULL pointer.
230 /// * Err(io::Error::last_os_error()) if getcon failed.
getcon() -> Result<Context>231 pub fn getcon() -> Result<Context> {
232 init_logger_once();
233 let _lock = LIB_SELINUX_LOCK.lock().unwrap();
234
235 let mut con: *mut c_char = ptr::null_mut();
236 match unsafe { selinux::getcon(&mut con) } {
237 0 => {
238 if !con.is_null() {
239 Ok(Context::Raw(con))
240 } else {
241 Err(anyhow!(Error::sys("getcon returned a NULL context")))
242 }
243 }
244 _ => Err(anyhow!(io::Error::last_os_error())).context("getcon failed"),
245 }
246 }
247
248 /// Safe wrapper around libselinux `getpidcon`. It initializes the `Context::Raw` variant of the
249 /// returned `Context`.
250 ///
251 /// ## Return
252 /// * Ok(Context::Raw()) if successful.
253 /// * Err(Error::sys()) if getpidcon succeeded but returned a NULL pointer.
254 /// * Err(io::Error::last_os_error()) if getpidcon failed.
getpidcon(pid: selinux::pid_t) -> Result<Context>255 pub fn getpidcon(pid: selinux::pid_t) -> Result<Context> {
256 init_logger_once();
257 let _lock = LIB_SELINUX_LOCK.lock().unwrap();
258
259 let mut con: *mut c_char = ptr::null_mut();
260 match unsafe { selinux::getpidcon(pid, &mut con) } {
261 0 => {
262 if !con.is_null() {
263 Ok(Context::Raw(con))
264 } else {
265 Err(anyhow!(Error::sys(format!(
266 "getpidcon returned a NULL context for pid {}",
267 pid
268 ))))
269 }
270 }
271 _ => Err(anyhow!(io::Error::last_os_error()))
272 .context(format!("getpidcon failed for pid {}", pid)),
273 }
274 }
275
276 /// Safe wrapper around selinux_check_access.
277 ///
278 /// ## Return
279 /// * Ok(()) iff the requested access was granted.
280 /// * Err(anyhow!(Error::perm()))) if the permission was denied.
281 /// * Err(anyhow!(ioError::last_os_error())) if any other error occurred while performing
282 /// the access check.
check_access(source: &CStr, target: &CStr, tclass: &str, perm: &str) -> Result<()>283 pub fn check_access(source: &CStr, target: &CStr, tclass: &str, perm: &str) -> Result<()> {
284 init_logger_once();
285
286 let c_tclass = CString::new(tclass).with_context(|| {
287 format!("check_access: Failed to convert tclass \"{}\" to CString.", tclass)
288 })?;
289 let c_perm = CString::new(perm).with_context(|| {
290 format!("check_access: Failed to convert perm \"{}\" to CString.", perm)
291 })?;
292
293 match unsafe {
294 let _lock = LIB_SELINUX_LOCK.lock().unwrap();
295
296 selinux::selinux_check_access(
297 source.as_ptr(),
298 target.as_ptr(),
299 c_tclass.as_ptr(),
300 c_perm.as_ptr(),
301 ptr::null_mut(),
302 )
303 } {
304 0 => Ok(()),
305 _ => {
306 let e = io::Error::last_os_error();
307 match e.kind() {
308 io::ErrorKind::PermissionDenied => Err(anyhow!(Error::perm())),
309 _ => Err(anyhow!(e)),
310 }
311 .with_context(|| {
312 format!(
313 concat!(
314 "check_access: Failed with sctx: {:?} tctx: {:?}",
315 " with target class: \"{}\" perm: \"{}\""
316 ),
317 source, target, tclass, perm
318 )
319 })
320 }
321 }
322 }
323
324 #[cfg(test)]
325 mod tests {
326 use super::*;
327 use anyhow::Result;
328
329 /// The su_key namespace as defined in su.te and keystore_key_contexts of the
330 /// SePolicy (system/sepolicy).
331 static SU_KEY_NAMESPACE: &str = "0";
332 /// The shell_key namespace as defined in shell.te and keystore_key_contexts of the
333 /// SePolicy (system/sepolicy).
334 static SHELL_KEY_NAMESPACE: &str = "1";
335
check_context() -> Result<(Context, &'static str, bool)>336 fn check_context() -> Result<(Context, &'static str, bool)> {
337 let context = getcon()?;
338 match context.to_str().unwrap() {
339 "u:r:su:s0" => Ok((context, SU_KEY_NAMESPACE, true)),
340 "u:r:shell:s0" => Ok((context, SHELL_KEY_NAMESPACE, false)),
341 c => Err(anyhow!(format!(
342 "This test must be run as \"su\" or \"shell\". Current context: \"{}\"",
343 c
344 ))),
345 }
346 }
347
348 #[test]
test_getcon() -> Result<()>349 fn test_getcon() -> Result<()> {
350 check_context()?;
351 Ok(())
352 }
353
354 #[test]
test_label_lookup() -> Result<()>355 fn test_label_lookup() -> Result<()> {
356 let (_context, namespace, is_su) = check_context()?;
357 let backend = crate::KeystoreKeyBackend::new()?;
358 let context = backend.lookup(namespace)?;
359 if is_su {
360 assert_eq!(context.to_str(), Ok("u:object_r:su_key:s0"));
361 } else {
362 assert_eq!(context.to_str(), Ok("u:object_r:shell_key:s0"));
363 }
364 Ok(())
365 }
366
367 #[test]
context_from_string() -> Result<()>368 fn context_from_string() -> Result<()> {
369 let tctx = Context::new("u:object_r:keystore:s0").unwrap();
370 let sctx = Context::new("u:r:system_server:s0").unwrap();
371 check_access(&sctx, &tctx, "keystore2_key", "use")?;
372 Ok(())
373 }
374
375 mod perm {
376 use super::super::*;
377 use super::*;
378 use anyhow::Result;
379
380 /// check_key_perm(perm, privileged, priv_domain)
381 /// `perm` is a permission of the keystore2_key class and `privileged` is a boolean
382 /// indicating whether the permission is considered privileged.
383 /// Privileged permissions are expected to be denied to `shell` users but granted
384 /// to the given priv_domain.
385 macro_rules! check_key_perm {
386 // "use" is a keyword and cannot be used as an identifier, but we must keep
387 // the permission string intact. So we map the identifier name on use_ while using
388 // the permission string "use". In all other cases we can simply use the stringified
389 // identifier as permission string.
390 (use, $privileged:expr) => {
391 check_key_perm!(use_, $privileged, "use");
392 };
393 ($perm:ident, $privileged:expr) => {
394 check_key_perm!($perm, $privileged, stringify!($perm));
395 };
396 ($perm:ident, $privileged:expr, $p_str:expr) => {
397 #[test]
398 fn $perm() -> Result<()> {
399 android_logger::init_once(
400 android_logger::Config::default()
401 .with_tag("keystore_selinux_tests")
402 .with_min_level(log::Level::Debug),
403 );
404 let scontext = Context::new("u:r:shell:s0")?;
405 let backend = KeystoreKeyBackend::new()?;
406 let tcontext = backend.lookup(SHELL_KEY_NAMESPACE)?;
407
408 if $privileged {
409 assert_eq!(
410 Some(&Error::perm()),
411 check_access(
412 &scontext,
413 &tcontext,
414 "keystore2_key",
415 $p_str
416 )
417 .err()
418 .unwrap()
419 .root_cause()
420 .downcast_ref::<Error>()
421 );
422 } else {
423 assert!(check_access(
424 &scontext,
425 &tcontext,
426 "keystore2_key",
427 $p_str
428 )
429 .is_ok());
430 }
431 Ok(())
432 }
433 };
434 }
435
436 check_key_perm!(manage_blob, true);
437 check_key_perm!(delete, false);
438 check_key_perm!(use_dev_id, true);
439 check_key_perm!(req_forced_op, true);
440 check_key_perm!(gen_unique_id, true);
441 check_key_perm!(grant, true);
442 check_key_perm!(get_info, false);
443 check_key_perm!(rebind, false);
444 check_key_perm!(update, false);
445 check_key_perm!(use, false);
446
447 macro_rules! check_keystore_perm {
448 ($perm:ident) => {
449 #[test]
450 fn $perm() -> Result<()> {
451 let ks_context = Context::new("u:object_r:keystore:s0")?;
452 let priv_context = Context::new("u:r:system_server:s0")?;
453 let unpriv_context = Context::new("u:r:shell:s0")?;
454 assert!(check_access(
455 &priv_context,
456 &ks_context,
457 "keystore2",
458 stringify!($perm)
459 )
460 .is_ok());
461 assert_eq!(
462 Some(&Error::perm()),
463 check_access(&unpriv_context, &ks_context, "keystore2", stringify!($perm))
464 .err()
465 .unwrap()
466 .root_cause()
467 .downcast_ref::<Error>()
468 );
469 Ok(())
470 }
471 };
472 }
473
474 check_keystore_perm!(add_auth);
475 check_keystore_perm!(clear_ns);
476 check_keystore_perm!(lock);
477 check_keystore_perm!(reset);
478 check_keystore_perm!(unlock);
479 }
480
481 #[test]
test_getpidcon()482 fn test_getpidcon() {
483 // Check that `getpidcon` of our pid is equal to what `getcon` returns.
484 // And by using `unwrap` we make sure that both also have to return successfully
485 // fully to pass the test.
486 assert_eq!(getpidcon(std::process::id() as i32).unwrap(), getcon().unwrap());
487 }
488 }
489