1 //
2 // Copyright (C) 2014 The Android Open Source Project
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 // http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15 //
16
17 #include <sysexits.h>
18
19 #include <memory>
20 #include <string>
21
22 #include <base/command_line.h>
23 #include <brillo/daemons/dbus_daemon.h>
24 #include <brillo/dbus/async_event_sequencer.h>
25 #include <brillo/minijail/minijail.h>
26 #include <brillo/syslog_logging.h>
27 #include <brillo/userdb_utils.h>
28
29 #include "attestation/common/dbus_interface.h"
30 #include "attestation/server/attestation_service.h"
31 #include "attestation/server/dbus_service.h"
32
33 #include <chromeos/libminijail.h>
34
35 namespace {
36
37 const uid_t kRootUID = 0;
38 const char kAttestationUser[] = "attestation";
39 const char kAttestationGroup[] = "attestation";
40 const char kAttestationSeccompPath[] =
41 "/usr/share/policy/attestationd-seccomp.policy";
42
InitMinijailSandbox()43 void InitMinijailSandbox() {
44 uid_t attestation_uid;
45 gid_t attestation_gid;
46 CHECK(brillo::userdb::GetUserInfo(kAttestationUser,
47 &attestation_uid,
48 &attestation_gid))
49 << "Error getting attestation uid and gid.";
50 CHECK_EQ(getuid(), kRootUID) << "AttestationDaemon not initialized as root.";
51 brillo::Minijail* minijail = brillo::Minijail::GetInstance();
52 struct minijail* jail = minijail->New();
53
54 minijail->DropRoot(jail, kAttestationUser, kAttestationGroup);
55 minijail_inherit_usergroups(jail);
56 minijail->UseSeccompFilter(jail, kAttestationSeccompPath);
57 minijail->Enter(jail);
58 minijail->Destroy(jail);
59 CHECK_EQ(getuid(), attestation_uid)
60 << "AttestationDaemon was not able to drop to attestation user.";
61 CHECK_EQ(getgid(), attestation_gid)
62 << "AttestationDaemon was not able to drop to attestation group.";
63 }
64
65 } // namespace
66
67 using brillo::dbus_utils::AsyncEventSequencer;
68
69 class AttestationDaemon : public brillo::DBusServiceDaemon {
70 public:
AttestationDaemon()71 AttestationDaemon()
72 : brillo::DBusServiceDaemon(attestation::kAttestationServiceName) {
73 attestation_service_.reset(new attestation::AttestationService);
74 // Move initialize call down to OnInit
75 CHECK(attestation_service_->Initialize());
76 }
77
78 protected:
OnInit()79 int OnInit() override {
80 int result = brillo::DBusServiceDaemon::OnInit();
81 if (result != EX_OK) {
82 LOG(ERROR) << "Error starting attestation dbus daemon.";
83 return result;
84 }
85 return EX_OK;
86 }
87
RegisterDBusObjectsAsync(AsyncEventSequencer * sequencer)88 void RegisterDBusObjectsAsync(AsyncEventSequencer* sequencer) override {
89 dbus_service_.reset(new attestation::DBusService(
90 bus_,
91 attestation_service_.get()));
92 dbus_service_->Register(sequencer->GetHandler("Register() failed.", true));
93 }
94
95 private:
96 std::unique_ptr<attestation::AttestationInterface> attestation_service_;
97 std::unique_ptr<attestation::DBusService> dbus_service_;
98
99 DISALLOW_COPY_AND_ASSIGN(AttestationDaemon);
100 };
101
main(int argc,char * argv[])102 int main(int argc, char* argv[]) {
103 base::CommandLine::Init(argc, argv);
104 base::CommandLine *cl = base::CommandLine::ForCurrentProcess();
105 int flags = brillo::kLogToSyslog;
106 if (cl->HasSwitch("log_to_stderr")) {
107 flags |= brillo::kLogToStderr;
108 }
109 brillo::InitLog(flags);
110 AttestationDaemon daemon;
111 LOG(INFO) << "Attestation Daemon Started.";
112 InitMinijailSandbox();
113 return daemon.Run();
114 }
115