• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (C) 2015 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #define LOG_TAG "gatekeeperd"
18 
19 #include "IGateKeeperService.h"
20 
21 #include <errno.h>
22 #include <stdint.h>
23 #include <inttypes.h>
24 #include <fcntl.h>
25 #include <unistd.h>
26 
27 #include <cutils/log.h>
28 #include <utils/Log.h>
29 
30 #include <binder/IPCThreadState.h>
31 #include <binder/IServiceManager.h>
32 #include <binder/PermissionCache.h>
33 #include <utils/String16.h>
34 #include <utils/Log.h>
35 
36 #include <keystore/IKeystoreService.h>
37 #include <keystore/keystore.h> // For error code
38 #include <gatekeeper/password_handle.h> // for password_handle_t
39 #include <hardware/gatekeeper.h>
40 #include <hardware/hw_auth_token.h>
41 
42 #include "SoftGateKeeperDevice.h"
43 #include "IUserManager.h"
44 
45 namespace android {
46 
47 static const String16 KEYGUARD_PERMISSION("android.permission.ACCESS_KEYGUARD_SECURE_STORAGE");
48 static const String16 DUMP_PERMISSION("android.permission.DUMP");
49 
50 class GateKeeperProxy : public BnGateKeeperService {
51 public:
GateKeeperProxy()52     GateKeeperProxy() {
53         int ret = hw_get_module_by_class(GATEKEEPER_HARDWARE_MODULE_ID, NULL, &module);
54         device = NULL;
55 
56         if (ret < 0) {
57             ALOGW("falling back to software GateKeeper");
58             soft_device.reset(new SoftGateKeeperDevice());
59         } else {
60             ret = gatekeeper_open(module, &device);
61             if (ret < 0)
62                 LOG_ALWAYS_FATAL_IF(ret < 0, "Unable to open GateKeeper HAL");
63         }
64 
65         if (mark_cold_boot()) {
66             ALOGI("cold boot: clearing state");
67             if (device != NULL && device->delete_all_users != NULL) {
68                 device->delete_all_users(device);
69             }
70         }
71     }
72 
~GateKeeperProxy()73     virtual ~GateKeeperProxy() {
74         if (device) gatekeeper_close(device);
75     }
76 
store_sid(uint32_t uid,uint64_t sid)77     void store_sid(uint32_t uid, uint64_t sid) {
78         char filename[21];
79         sprintf(filename, "%u", uid);
80         int fd = open(filename, O_WRONLY | O_TRUNC | O_CREAT, S_IRUSR | S_IWUSR);
81         if (fd < 0) {
82             ALOGE("could not open file: %s: %s", filename, strerror(errno));
83             return;
84         }
85         write(fd, &sid, sizeof(sid));
86         close(fd);
87     }
88 
mark_cold_boot()89     bool mark_cold_boot() {
90         const char *filename = ".coldboot";
91         if (access(filename, F_OK) == -1) {
92             int fd = open(filename, O_WRONLY | O_TRUNC | O_CREAT, S_IRUSR | S_IWUSR);
93             if (fd < 0) {
94                 ALOGE("could not open file: %s : %s", filename, strerror(errno));
95                 return false;
96             }
97             close(fd);
98             return true;
99         }
100         return false;
101     }
102 
maybe_store_sid(uint32_t uid,uint64_t sid)103     void maybe_store_sid(uint32_t uid, uint64_t sid) {
104         char filename[21];
105         sprintf(filename, "%u", uid);
106         if (access(filename, F_OK) == -1) {
107             store_sid(uid, sid);
108         }
109     }
110 
read_sid(uint32_t uid)111     uint64_t read_sid(uint32_t uid) {
112         char filename[21];
113         uint64_t sid;
114         sprintf(filename, "%u", uid);
115         int fd = open(filename, O_RDONLY);
116         if (fd < 0) return 0;
117         read(fd, &sid, sizeof(sid));
118         close(fd);
119         return sid;
120     }
121 
clear_sid(uint32_t uid)122     void clear_sid(uint32_t uid) {
123         char filename[21];
124         sprintf(filename, "%u", uid);
125         if (remove(filename) < 0) {
126             ALOGE("%s: could not remove file [%s], attempting 0 write", __func__, strerror(errno));
127             store_sid(uid, 0);
128         }
129     }
130 
enroll(uint32_t uid,const uint8_t * current_password_handle,uint32_t current_password_handle_length,const uint8_t * current_password,uint32_t current_password_length,const uint8_t * desired_password,uint32_t desired_password_length,uint8_t ** enrolled_password_handle,uint32_t * enrolled_password_handle_length)131     virtual int enroll(uint32_t uid,
132             const uint8_t *current_password_handle, uint32_t current_password_handle_length,
133             const uint8_t *current_password, uint32_t current_password_length,
134             const uint8_t *desired_password, uint32_t desired_password_length,
135             uint8_t **enrolled_password_handle, uint32_t *enrolled_password_handle_length) {
136         IPCThreadState* ipc = IPCThreadState::self();
137         const int calling_pid = ipc->getCallingPid();
138         const int calling_uid = ipc->getCallingUid();
139         if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) {
140             return PERMISSION_DENIED;
141         }
142 
143         // need a desired password to enroll
144         if (desired_password_length == 0) return -EINVAL;
145 
146         int ret;
147         if (device) {
148             const gatekeeper::password_handle_t *handle =
149                     reinterpret_cast<const gatekeeper::password_handle_t *>(current_password_handle);
150 
151             if (handle != NULL && handle->version != 0 && !handle->hardware_backed) {
152                 // handle is being re-enrolled from a software version. HAL probably won't accept
153                 // the handle as valid, so we nullify it and enroll from scratch
154                 current_password_handle = NULL;
155                 current_password_handle_length = 0;
156                 current_password = NULL;
157                 current_password_length = 0;
158             }
159 
160             ret = device->enroll(device, uid, current_password_handle, current_password_handle_length,
161                     current_password, current_password_length,
162                     desired_password, desired_password_length,
163                     enrolled_password_handle, enrolled_password_handle_length);
164         } else {
165             ret = soft_device->enroll(uid,
166                     current_password_handle, current_password_handle_length,
167                     current_password, current_password_length,
168                     desired_password, desired_password_length,
169                     enrolled_password_handle, enrolled_password_handle_length);
170         }
171 
172         if (ret == 0) {
173             gatekeeper::password_handle_t *handle =
174                     reinterpret_cast<gatekeeper::password_handle_t *>(*enrolled_password_handle);
175             store_sid(uid, handle->user_id);
176             bool rr;
177 
178             // immediately verify this password so we don't ask the user to enter it again
179             // if they just created it.
180             verify(uid, *enrolled_password_handle, sizeof(password_handle_t), desired_password,
181                     desired_password_length, &rr);
182         }
183 
184         return ret;
185     }
186 
verify(uint32_t uid,const uint8_t * enrolled_password_handle,uint32_t enrolled_password_handle_length,const uint8_t * provided_password,uint32_t provided_password_length,bool * request_reenroll)187     virtual int verify(uint32_t uid,
188             const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
189             const uint8_t *provided_password, uint32_t provided_password_length, bool *request_reenroll) {
190         uint8_t *auth_token;
191         uint32_t auth_token_length;
192         return verifyChallenge(uid, 0, enrolled_password_handle, enrolled_password_handle_length,
193                 provided_password, provided_password_length,
194                 &auth_token, &auth_token_length, request_reenroll);
195     }
196 
verifyChallenge(uint32_t uid,uint64_t challenge,const uint8_t * enrolled_password_handle,uint32_t enrolled_password_handle_length,const uint8_t * provided_password,uint32_t provided_password_length,uint8_t ** auth_token,uint32_t * auth_token_length,bool * request_reenroll)197     virtual int verifyChallenge(uint32_t uid, uint64_t challenge,
198             const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
199             const uint8_t *provided_password, uint32_t provided_password_length,
200             uint8_t **auth_token, uint32_t *auth_token_length, bool *request_reenroll) {
201         IPCThreadState* ipc = IPCThreadState::self();
202         const int calling_pid = ipc->getCallingPid();
203         const int calling_uid = ipc->getCallingUid();
204         if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) {
205             return PERMISSION_DENIED;
206         }
207 
208         // can't verify if we're missing either param
209         if ((enrolled_password_handle_length | provided_password_length) == 0)
210             return -EINVAL;
211 
212         int ret;
213         if (device) {
214             const gatekeeper::password_handle_t *handle =
215                     reinterpret_cast<const gatekeeper::password_handle_t *>(enrolled_password_handle);
216             // handle version 0 does not have hardware backed flag, and thus cannot be upgraded to
217             // a HAL if there was none before
218             if (handle->version == 0 || handle->hardware_backed) {
219                 ret = device->verify(device, uid, challenge,
220                     enrolled_password_handle, enrolled_password_handle_length,
221                     provided_password, provided_password_length, auth_token, auth_token_length,
222                     request_reenroll);
223             } else {
224                 // upgrade scenario, a HAL has been added to this device where there was none before
225                 SoftGateKeeperDevice soft_dev;
226                 ret = soft_dev.verify(uid, challenge,
227                     enrolled_password_handle, enrolled_password_handle_length,
228                     provided_password, provided_password_length, auth_token, auth_token_length,
229                     request_reenroll);
230 
231                 if (ret == 0) {
232                     // success! re-enroll with HAL
233                     *request_reenroll = true;
234                 }
235             }
236         } else {
237             ret = soft_device->verify(uid, challenge,
238                 enrolled_password_handle, enrolled_password_handle_length,
239                 provided_password, provided_password_length, auth_token, auth_token_length,
240                 request_reenroll);
241         }
242 
243         if (ret == 0 && *auth_token != NULL && *auth_token_length > 0) {
244             // TODO: cache service?
245             sp<IServiceManager> sm = defaultServiceManager();
246             sp<IBinder> binder = sm->getService(String16("android.security.keystore"));
247             sp<IKeystoreService> service = interface_cast<IKeystoreService>(binder);
248             if (service != NULL) {
249                 status_t ret = service->addAuthToken(*auth_token, *auth_token_length);
250                 if (ret != ResponseCode::NO_ERROR) {
251                     ALOGE("Falure sending auth token to KeyStore: %d", ret);
252                 }
253             } else {
254                 ALOGE("Unable to communicate with KeyStore");
255             }
256         }
257 
258         if (ret == 0) {
259             maybe_store_sid(uid, reinterpret_cast<const gatekeeper::password_handle_t *>(
260                         enrolled_password_handle)->user_id);
261         }
262 
263         return ret;
264     }
265 
getSecureUserId(uint32_t uid)266     virtual uint64_t getSecureUserId(uint32_t uid) {
267         uint64_t sid = read_sid(uid);
268          if (sid == 0) {
269             // might be a work profile, look up the parent
270             sp<IServiceManager> sm = defaultServiceManager();
271             sp<IBinder> binder = sm->getService(String16("user"));
272             sp<IUserManager> um = interface_cast<IUserManager>(binder);
273             int32_t parent = um->getCredentialOwnerProfile(uid);
274             if (parent < 0) {
275                 return 0;
276             } else if (parent != (int32_t) uid) {
277                 return read_sid(parent);
278             }
279         }
280         return sid;
281 
282     }
283 
clearSecureUserId(uint32_t uid)284     virtual void clearSecureUserId(uint32_t uid) {
285         IPCThreadState* ipc = IPCThreadState::self();
286         const int calling_pid = ipc->getCallingPid();
287         const int calling_uid = ipc->getCallingUid();
288         if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) {
289             ALOGE("%s: permission denied for [%d:%d]", __func__, calling_pid, calling_uid);
290             return;
291         }
292         clear_sid(uid);
293 
294         if (device != NULL && device->delete_user != NULL) {
295             device->delete_user(device, uid);
296         }
297     }
298 
dump(int fd,const Vector<String16> &)299     virtual status_t dump(int fd, const Vector<String16> &) {
300         IPCThreadState* ipc = IPCThreadState::self();
301         const int pid = ipc->getCallingPid();
302         const int uid = ipc->getCallingUid();
303         if (!PermissionCache::checkPermission(DUMP_PERMISSION, pid, uid)) {
304             return PERMISSION_DENIED;
305         }
306 
307         if (device == NULL) {
308             const char *result = "Device not available";
309             write(fd, result, strlen(result) + 1);
310         } else {
311             const char *result = "OK";
312             write(fd, result, strlen(result) + 1);
313         }
314 
315         return NO_ERROR;
316     }
317 
318 private:
319     gatekeeper_device_t *device;
320     UniquePtr<SoftGateKeeperDevice> soft_device;
321     const hw_module_t *module;
322 };
323 }// namespace android
324 
main(int argc,char * argv[])325 int main(int argc, char* argv[]) {
326     ALOGI("Starting gatekeeperd...");
327     if (argc < 2) {
328         ALOGE("A directory must be specified!");
329         return 1;
330     }
331     if (chdir(argv[1]) == -1) {
332         ALOGE("chdir: %s: %s", argv[1], strerror(errno));
333         return 1;
334     }
335 
336     android::sp<android::IServiceManager> sm = android::defaultServiceManager();
337     android::sp<android::GateKeeperProxy> proxy = new android::GateKeeperProxy();
338     android::status_t ret = sm->addService(
339             android::String16("android.service.gatekeeper.IGateKeeperService"), proxy);
340     if (ret != android::OK) {
341         ALOGE("Couldn't register binder service!");
342         return -1;
343     }
344 
345     /*
346      * We're the only thread in existence, so we're just going to process
347      * Binder transaction as a single-threaded program.
348      */
349     android::IPCThreadState::self()->joinThreadPool();
350     return 0;
351 }
352