1 /* Copyright 2008 The Android Open Source Project 2 */ 3 4 #include <errno.h> 5 #include <fcntl.h> 6 #include <inttypes.h> 7 #include <stdio.h> 8 #include <stdlib.h> 9 #include <string.h> 10 11 #include <cutils/android_filesystem_config.h> 12 #include <cutils/multiuser.h> 13 14 #include <selinux/android.h> 15 #include <selinux/avc.h> 16 17 #include "binder.h" 18 19 #ifdef VENDORSERVICEMANAGER 20 #define LOG_TAG "VendorServiceManager" 21 #else 22 #define LOG_TAG "ServiceManager" 23 #endif 24 #include <log/log.h> 25 26 struct audit_data { 27 pid_t pid; 28 uid_t uid; 29 const char *name; 30 }; 31 32 const char *str8(const uint16_t *x, size_t x_len) 33 { 34 static char buf[128]; 35 size_t max = 127; 36 char *p = buf; 37 38 if (x_len < max) { 39 max = x_len; 40 } 41 42 if (x) { 43 while ((max > 0) && (*x != '\0')) { 44 *p++ = *x++; 45 max--; 46 } 47 } 48 *p++ = 0; 49 return buf; 50 } 51 52 int str16eq(const uint16_t *a, const char *b) 53 { 54 while (*a && *b) 55 if (*a++ != *b++) return 0; 56 if (*a || *b) 57 return 0; 58 return 1; 59 } 60 61 static char *service_manager_context; 62 static struct selabel_handle* sehandle; 63 64 static bool check_mac_perms(pid_t spid, const char* sid, uid_t uid, const char *tctx, const char *perm, const char *name) 65 { 66 char *lookup_sid = NULL; 67 const char *class = "service_manager"; 68 bool allowed; 69 struct audit_data ad; 70 71 if (sid == NULL && getpidcon(spid, &lookup_sid) < 0) { 72 ALOGE("SELinux: getpidcon(pid=%d) failed to retrieve pid context.\n", spid); 73 return false; 74 } 75 76 ad.pid = spid; 77 ad.uid = uid; 78 ad.name = name; 79 80 if (sid == NULL) { 81 android_errorWriteLog(0x534e4554, "121035042"); 82 } 83 84 int result = selinux_check_access(sid ? sid : lookup_sid, tctx, class, perm, (void *) &ad); 85 allowed = (result == 0); 86 87 freecon(lookup_sid); 88 return allowed; 89 } 90 91 static bool check_mac_perms_from_getcon(pid_t spid, const char* sid, uid_t uid, const char *perm) 92 { 93 return check_mac_perms(spid, sid, uid, service_manager_context, perm, NULL); 94 } 95 96 static bool check_mac_perms_from_lookup(pid_t spid, const char* sid, uid_t uid, const char *perm, const char *name) 97 { 98 bool allowed; 99 char *tctx = NULL; 100 101 if (!sehandle) { 102 ALOGE("SELinux: Failed to find sehandle. Aborting service_manager.\n"); 103 abort(); 104 } 105 106 if (selabel_lookup(sehandle, &tctx, name, 0) != 0) { 107 ALOGE("SELinux: No match for %s in service_contexts.\n", name); 108 return false; 109 } 110 111 allowed = check_mac_perms(spid, sid, uid, tctx, perm, name); 112 freecon(tctx); 113 return allowed; 114 } 115 116 static int svc_can_register(const uint16_t *name, size_t name_len, pid_t spid, const char* sid, uid_t uid) 117 { 118 const char *perm = "add"; 119 120 if (multiuser_get_app_id(uid) >= AID_APP) { 121 return 0; /* Don't allow apps to register services */ 122 } 123 124 return check_mac_perms_from_lookup(spid, sid, uid, perm, str8(name, name_len)) ? 1 : 0; 125 } 126 127 static int svc_can_list(pid_t spid, const char* sid, uid_t uid) 128 { 129 const char *perm = "list"; 130 return check_mac_perms_from_getcon(spid, sid, uid, perm) ? 1 : 0; 131 } 132 133 static int svc_can_find(const uint16_t *name, size_t name_len, pid_t spid, const char* sid, uid_t uid) 134 { 135 const char *perm = "find"; 136 return check_mac_perms_from_lookup(spid, sid, uid, perm, str8(name, name_len)) ? 1 : 0; 137 } 138 139 struct svcinfo 140 { 141 struct svcinfo *next; 142 uint32_t handle; 143 struct binder_death death; 144 int allow_isolated; 145 uint32_t dumpsys_priority; 146 size_t len; 147 uint16_t name[0]; 148 }; 149 150 struct svcinfo *svclist = NULL; 151 152 struct svcinfo *find_svc(const uint16_t *s16, size_t len) 153 { 154 struct svcinfo *si; 155 156 for (si = svclist; si; si = si->next) { 157 if ((len == si->len) && 158 !memcmp(s16, si->name, len * sizeof(uint16_t))) { 159 return si; 160 } 161 } 162 return NULL; 163 } 164 165 void svcinfo_death(struct binder_state *bs, void *ptr) 166 { 167 struct svcinfo *si = (struct svcinfo* ) ptr; 168 169 ALOGI("service '%s' died\n", str8(si->name, si->len)); 170 if (si->handle) { 171 binder_release(bs, si->handle); 172 si->handle = 0; 173 } 174 } 175 176 uint16_t svcmgr_id[] = { 177 'a','n','d','r','o','i','d','.','o','s','.', 178 'I','S','e','r','v','i','c','e','M','a','n','a','g','e','r' 179 }; 180 181 182 uint32_t do_find_service(const uint16_t *s, size_t len, uid_t uid, pid_t spid, const char* sid) 183 { 184 struct svcinfo *si = find_svc(s, len); 185 186 if (!si || !si->handle) { 187 return 0; 188 } 189 190 if (!si->allow_isolated) { 191 // If this service doesn't allow access from isolated processes, 192 // then check the uid to see if it is isolated. 193 uid_t appid = uid % AID_USER; 194 if (appid >= AID_ISOLATED_START && appid <= AID_ISOLATED_END) { 195 return 0; 196 } 197 } 198 199 if (!svc_can_find(s, len, spid, sid, uid)) { 200 return 0; 201 } 202 203 return si->handle; 204 } 205 206 int do_add_service(struct binder_state *bs, const uint16_t *s, size_t len, uint32_t handle, 207 uid_t uid, int allow_isolated, uint32_t dumpsys_priority, pid_t spid, const char* sid) { 208 struct svcinfo *si; 209 210 //ALOGI("add_service('%s',%x,%s) uid=%d\n", str8(s, len), handle, 211 // allow_isolated ? "allow_isolated" : "!allow_isolated", uid); 212 213 if (!handle || (len == 0) || (len > 127)) 214 return -1; 215 216 if (!svc_can_register(s, len, spid, sid, uid)) { 217 ALOGE("add_service('%s',%x) uid=%d - PERMISSION DENIED\n", 218 str8(s, len), handle, uid); 219 return -1; 220 } 221 222 si = find_svc(s, len); 223 if (si) { 224 if (si->handle) { 225 ALOGE("add_service('%s',%x) uid=%d - ALREADY REGISTERED, OVERRIDE\n", 226 str8(s, len), handle, uid); 227 svcinfo_death(bs, si); 228 } 229 si->handle = handle; 230 } else { 231 si = malloc(sizeof(*si) + (len + 1) * sizeof(uint16_t)); 232 if (!si) { 233 ALOGE("add_service('%s',%x) uid=%d - OUT OF MEMORY\n", 234 str8(s, len), handle, uid); 235 return -1; 236 } 237 si->handle = handle; 238 si->len = len; 239 memcpy(si->name, s, (len + 1) * sizeof(uint16_t)); 240 si->name[len] = '\0'; 241 si->death.func = (void*) svcinfo_death; 242 si->death.ptr = si; 243 si->allow_isolated = allow_isolated; 244 si->dumpsys_priority = dumpsys_priority; 245 si->next = svclist; 246 svclist = si; 247 } 248 249 binder_acquire(bs, handle); 250 binder_link_to_death(bs, handle, &si->death); 251 return 0; 252 } 253 254 int svcmgr_handler(struct binder_state *bs, 255 struct binder_transaction_data_secctx *txn_secctx, 256 struct binder_io *msg, 257 struct binder_io *reply) 258 { 259 struct svcinfo *si; 260 uint16_t *s; 261 size_t len; 262 uint32_t handle; 263 uint32_t strict_policy; 264 int allow_isolated; 265 uint32_t dumpsys_priority; 266 267 struct binder_transaction_data *txn = &txn_secctx->transaction_data; 268 269 //ALOGI("target=%p code=%d pid=%d uid=%d\n", 270 // (void*) txn->target.ptr, txn->code, txn->sender_pid, txn->sender_euid); 271 272 if (txn->target.ptr != BINDER_SERVICE_MANAGER) 273 return -1; 274 275 if (txn->code == PING_TRANSACTION) 276 return 0; 277 278 // Equivalent to Parcel::enforceInterface(), reading the RPC 279 // header with the strict mode policy mask and the interface name. 280 // Note that we ignore the strict_policy and don't propagate it 281 // further (since we do no outbound RPCs anyway). 282 strict_policy = bio_get_uint32(msg); 283 bio_get_uint32(msg); // Ignore worksource header. 284 s = bio_get_string16(msg, &len); 285 if (s == NULL) { 286 return -1; 287 } 288 289 if ((len != (sizeof(svcmgr_id) / 2)) || 290 memcmp(svcmgr_id, s, sizeof(svcmgr_id))) { 291 fprintf(stderr,"invalid id %s\n", str8(s, len)); 292 return -1; 293 } 294 295 if (sehandle && selinux_status_updated() > 0) { 296 #ifdef VENDORSERVICEMANAGER 297 struct selabel_handle *tmp_sehandle = selinux_android_vendor_service_context_handle(); 298 #else 299 struct selabel_handle *tmp_sehandle = selinux_android_service_context_handle(); 300 #endif 301 if (tmp_sehandle) { 302 selabel_close(sehandle); 303 sehandle = tmp_sehandle; 304 } 305 } 306 307 switch(txn->code) { 308 case SVC_MGR_GET_SERVICE: 309 case SVC_MGR_CHECK_SERVICE: 310 s = bio_get_string16(msg, &len); 311 if (s == NULL) { 312 return -1; 313 } 314 handle = do_find_service(s, len, txn->sender_euid, txn->sender_pid, 315 (const char*) txn_secctx->secctx); 316 if (!handle) 317 break; 318 bio_put_ref(reply, handle); 319 return 0; 320 321 case SVC_MGR_ADD_SERVICE: 322 s = bio_get_string16(msg, &len); 323 if (s == NULL) { 324 return -1; 325 } 326 handle = bio_get_ref(msg); 327 allow_isolated = bio_get_uint32(msg) ? 1 : 0; 328 dumpsys_priority = bio_get_uint32(msg); 329 if (do_add_service(bs, s, len, handle, txn->sender_euid, allow_isolated, dumpsys_priority, 330 txn->sender_pid, (const char*) txn_secctx->secctx)) 331 return -1; 332 break; 333 334 case SVC_MGR_LIST_SERVICES: { 335 uint32_t n = bio_get_uint32(msg); 336 uint32_t req_dumpsys_priority = bio_get_uint32(msg); 337 338 if (!svc_can_list(txn->sender_pid, (const char*) txn_secctx->secctx, txn->sender_euid)) { 339 ALOGE("list_service() uid=%d - PERMISSION DENIED\n", 340 txn->sender_euid); 341 return -1; 342 } 343 si = svclist; 344 // walk through the list of services n times skipping services that 345 // do not support the requested priority 346 while (si) { 347 if (si->dumpsys_priority & req_dumpsys_priority) { 348 if (n == 0) break; 349 n--; 350 } 351 si = si->next; 352 } 353 if (si) { 354 bio_put_string16(reply, si->name); 355 return 0; 356 } 357 return -1; 358 } 359 default: 360 ALOGE("unknown code %d\n", txn->code); 361 return -1; 362 } 363 364 bio_put_uint32(reply, 0); 365 return 0; 366 } 367 368 369 static int audit_callback(void *data, __unused security_class_t cls, char *buf, size_t len) 370 { 371 struct audit_data *ad = (struct audit_data *)data; 372 373 if (!ad || !ad->name) { 374 ALOGE("No service manager audit data"); 375 return 0; 376 } 377 378 snprintf(buf, len, "service=%s pid=%d uid=%d", ad->name, ad->pid, ad->uid); 379 return 0; 380 } 381 382 int main(int argc, char** argv) 383 { 384 struct binder_state *bs; 385 union selinux_callback cb; 386 char *driver; 387 388 if (argc > 1) { 389 driver = argv[1]; 390 } else { 391 driver = "/dev/binder"; 392 } 393 394 bs = binder_open(driver, 128*1024); 395 if (!bs) { 396 #ifdef VENDORSERVICEMANAGER 397 ALOGW("failed to open binder driver %s\n", driver); 398 while (true) { 399 sleep(UINT_MAX); 400 } 401 #else 402 ALOGE("failed to open binder driver %s\n", driver); 403 #endif 404 return -1; 405 } 406 407 if (binder_become_context_manager(bs)) { 408 ALOGE("cannot become context manager (%s)\n", strerror(errno)); 409 return -1; 410 } 411 412 cb.func_audit = audit_callback; 413 selinux_set_callback(SELINUX_CB_AUDIT, cb); 414 #ifdef VENDORSERVICEMANAGER 415 cb.func_log = selinux_vendor_log_callback; 416 #else 417 cb.func_log = selinux_log_callback; 418 #endif 419 selinux_set_callback(SELINUX_CB_LOG, cb); 420 421 #ifdef VENDORSERVICEMANAGER 422 sehandle = selinux_android_vendor_service_context_handle(); 423 #else 424 sehandle = selinux_android_service_context_handle(); 425 #endif 426 selinux_status_open(true); 427 428 if (sehandle == NULL) { 429 ALOGE("SELinux: Failed to acquire sehandle. Aborting.\n"); 430 abort(); 431 } 432 433 if (getcon(&service_manager_context) != 0) { 434 ALOGE("SELinux: Failed to acquire service_manager context. Aborting.\n"); 435 abort(); 436 } 437 438 439 binder_loop(bs, svcmgr_handler); 440 441 return 0; 442 } 443
