1 /* 2 * Copyright (C) 2015 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #define LOG_TAG "gatekeeperd" 18 19 #include "IGateKeeperService.h" 20 21 #include <errno.h> 22 #include <stdint.h> 23 #include <inttypes.h> 24 #include <fcntl.h> 25 #include <unistd.h> 26 27 #include <cutils/log.h> 28 #include <utils/Log.h> 29 30 #include <binder/IPCThreadState.h> 31 #include <binder/IServiceManager.h> 32 #include <binder/PermissionCache.h> 33 #include <utils/String16.h> 34 #include <utils/Log.h> 35 36 #include <keystore/IKeystoreService.h> 37 #include <keystore/keystore.h> // For error code 38 #include <gatekeeper/password_handle.h> // for password_handle_t 39 #include <hardware/gatekeeper.h> 40 #include <hardware/hw_auth_token.h> 41 42 #include "SoftGateKeeperDevice.h" 43 #include "IUserManager.h" 44 45 namespace android { 46 47 static const String16 KEYGUARD_PERMISSION("android.permission.ACCESS_KEYGUARD_SECURE_STORAGE"); 48 static const String16 DUMP_PERMISSION("android.permission.DUMP"); 49 50 class GateKeeperProxy : public BnGateKeeperService { 51 public: 52 GateKeeperProxy() { 53 int ret = hw_get_module_by_class(GATEKEEPER_HARDWARE_MODULE_ID, NULL, &module); 54 device = NULL; 55 56 if (ret < 0) { 57 ALOGW("falling back to software GateKeeper"); 58 soft_device.reset(new SoftGateKeeperDevice()); 59 } else { 60 ret = gatekeeper_open(module, &device); 61 if (ret < 0) 62 LOG_ALWAYS_FATAL_IF(ret < 0, "Unable to open GateKeeper HAL"); 63 } 64 65 if (mark_cold_boot()) { 66 ALOGI("cold boot: clearing state"); 67 if (device != NULL && device->delete_all_users != NULL) { 68 device->delete_all_users(device); 69 } 70 } 71 } 72 73 virtual ~GateKeeperProxy() { 74 if (device) gatekeeper_close(device); 75 } 76 77 void store_sid(uint32_t uid, uint64_t sid) { 78 char filename[21]; 79 sprintf(filename, "%u", uid); 80 int fd = open(filename, O_WRONLY | O_TRUNC | O_CREAT, S_IRUSR | S_IWUSR); 81 if (fd < 0) { 82 ALOGE("could not open file: %s: %s", filename, strerror(errno)); 83 return; 84 } 85 write(fd, &sid, sizeof(sid)); 86 close(fd); 87 } 88 89 bool mark_cold_boot() { 90 const char *filename = ".coldboot"; 91 if (access(filename, F_OK) == -1) { 92 int fd = open(filename, O_WRONLY | O_TRUNC | O_CREAT, S_IRUSR | S_IWUSR); 93 if (fd < 0) { 94 ALOGE("could not open file: %s : %s", filename, strerror(errno)); 95 return false; 96 } 97 close(fd); 98 return true; 99 } 100 return false; 101 } 102 103 void maybe_store_sid(uint32_t uid, uint64_t sid) { 104 char filename[21]; 105 sprintf(filename, "%u", uid); 106 if (access(filename, F_OK) == -1) { 107 store_sid(uid, sid); 108 } 109 } 110 111 uint64_t read_sid(uint32_t uid) { 112 char filename[21]; 113 uint64_t sid; 114 sprintf(filename, "%u", uid); 115 int fd = open(filename, O_RDONLY); 116 if (fd < 0) return 0; 117 read(fd, &sid, sizeof(sid)); 118 close(fd); 119 return sid; 120 } 121 122 void clear_sid(uint32_t uid) { 123 char filename[21]; 124 sprintf(filename, "%u", uid); 125 if (remove(filename) < 0) { 126 ALOGE("%s: could not remove file [%s], attempting 0 write", __func__, strerror(errno)); 127 store_sid(uid, 0); 128 } 129 } 130 131 virtual int enroll(uint32_t uid, 132 const uint8_t *current_password_handle, uint32_t current_password_handle_length, 133 const uint8_t *current_password, uint32_t current_password_length, 134 const uint8_t *desired_password, uint32_t desired_password_length, 135 uint8_t **enrolled_password_handle, uint32_t *enrolled_password_handle_length) { 136 IPCThreadState* ipc = IPCThreadState::self(); 137 const int calling_pid = ipc->getCallingPid(); 138 const int calling_uid = ipc->getCallingUid(); 139 if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) { 140 return PERMISSION_DENIED; 141 } 142 143 // need a desired password to enroll 144 if (desired_password_length == 0) return -EINVAL; 145 146 int ret; 147 if (device) { 148 const gatekeeper::password_handle_t *handle = 149 reinterpret_cast<const gatekeeper::password_handle_t *>(current_password_handle); 150 151 if (handle != NULL && handle->version != 0 && !handle->hardware_backed) { 152 // handle is being re-enrolled from a software version. HAL probably won't accept 153 // the handle as valid, so we nullify it and enroll from scratch 154 current_password_handle = NULL; 155 current_password_handle_length = 0; 156 current_password = NULL; 157 current_password_length = 0; 158 } 159 160 ret = device->enroll(device, uid, current_password_handle, current_password_handle_length, 161 current_password, current_password_length, 162 desired_password, desired_password_length, 163 enrolled_password_handle, enrolled_password_handle_length); 164 } else { 165 ret = soft_device->enroll(uid, 166 current_password_handle, current_password_handle_length, 167 current_password, current_password_length, 168 desired_password, desired_password_length, 169 enrolled_password_handle, enrolled_password_handle_length); 170 } 171 172 if (ret == 0) { 173 gatekeeper::password_handle_t *handle = 174 reinterpret_cast<gatekeeper::password_handle_t *>(*enrolled_password_handle); 175 store_sid(uid, handle->user_id); 176 bool rr; 177 178 // immediately verify this password so we don't ask the user to enter it again 179 // if they just created it. 180 verify(uid, *enrolled_password_handle, sizeof(password_handle_t), desired_password, 181 desired_password_length, &rr); 182 } 183 184 return ret; 185 } 186 187 virtual int verify(uint32_t uid, 188 const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length, 189 const uint8_t *provided_password, uint32_t provided_password_length, bool *request_reenroll) { 190 uint8_t *auth_token; 191 uint32_t auth_token_length; 192 return verifyChallenge(uid, 0, enrolled_password_handle, enrolled_password_handle_length, 193 provided_password, provided_password_length, 194 &auth_token, &auth_token_length, request_reenroll); 195 } 196 197 virtual int verifyChallenge(uint32_t uid, uint64_t challenge, 198 const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length, 199 const uint8_t *provided_password, uint32_t provided_password_length, 200 uint8_t **auth_token, uint32_t *auth_token_length, bool *request_reenroll) { 201 IPCThreadState* ipc = IPCThreadState::self(); 202 const int calling_pid = ipc->getCallingPid(); 203 const int calling_uid = ipc->getCallingUid(); 204 if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) { 205 return PERMISSION_DENIED; 206 } 207 208 // can't verify if we're missing either param 209 if ((enrolled_password_handle_length | provided_password_length) == 0) 210 return -EINVAL; 211 212 int ret; 213 if (device) { 214 const gatekeeper::password_handle_t *handle = 215 reinterpret_cast<const gatekeeper::password_handle_t *>(enrolled_password_handle); 216 // handle version 0 does not have hardware backed flag, and thus cannot be upgraded to 217 // a HAL if there was none before 218 if (handle->version == 0 || handle->hardware_backed) { 219 ret = device->verify(device, uid, challenge, 220 enrolled_password_handle, enrolled_password_handle_length, 221 provided_password, provided_password_length, auth_token, auth_token_length, 222 request_reenroll); 223 } else { 224 // upgrade scenario, a HAL has been added to this device where there was none before 225 SoftGateKeeperDevice soft_dev; 226 ret = soft_dev.verify(uid, challenge, 227 enrolled_password_handle, enrolled_password_handle_length, 228 provided_password, provided_password_length, auth_token, auth_token_length, 229 request_reenroll); 230 231 if (ret == 0) { 232 // success! re-enroll with HAL 233 *request_reenroll = true; 234 } 235 } 236 } else { 237 ret = soft_device->verify(uid, challenge, 238 enrolled_password_handle, enrolled_password_handle_length, 239 provided_password, provided_password_length, auth_token, auth_token_length, 240 request_reenroll); 241 } 242 243 if (ret == 0 && *auth_token != NULL && *auth_token_length > 0) { 244 // TODO: cache service? 245 sp<IServiceManager> sm = defaultServiceManager(); 246 sp<IBinder> binder = sm->getService(String16("android.security.keystore")); 247 sp<IKeystoreService> service = interface_cast<IKeystoreService>(binder); 248 if (service != NULL) { 249 status_t ret = service->addAuthToken(*auth_token, *auth_token_length); 250 if (ret != ResponseCode::NO_ERROR) { 251 ALOGE("Falure sending auth token to KeyStore: %d", ret); 252 } 253 } else { 254 ALOGE("Unable to communicate with KeyStore"); 255 } 256 } 257 258 if (ret == 0) { 259 maybe_store_sid(uid, reinterpret_cast<const gatekeeper::password_handle_t *>( 260 enrolled_password_handle)->user_id); 261 } 262 263 return ret; 264 } 265 266 virtual uint64_t getSecureUserId(uint32_t uid) { 267 uint64_t sid = read_sid(uid); 268 if (sid == 0) { 269 // might be a work profile, look up the parent 270 sp<IServiceManager> sm = defaultServiceManager(); 271 sp<IBinder> binder = sm->getService(String16("user")); 272 sp<IUserManager> um = interface_cast<IUserManager>(binder); 273 int32_t parent = um->getCredentialOwnerProfile(uid); 274 if (parent < 0) { 275 return 0; 276 } else if (parent != (int32_t) uid) { 277 return read_sid(parent); 278 } 279 } 280 return sid; 281 282 } 283 284 virtual void clearSecureUserId(uint32_t uid) { 285 IPCThreadState* ipc = IPCThreadState::self(); 286 const int calling_pid = ipc->getCallingPid(); 287 const int calling_uid = ipc->getCallingUid(); 288 if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) { 289 ALOGE("%s: permission denied for [%d:%d]", __func__, calling_pid, calling_uid); 290 return; 291 } 292 clear_sid(uid); 293 294 if (device != NULL && device->delete_user != NULL) { 295 device->delete_user(device, uid); 296 } 297 } 298 299 virtual status_t dump(int fd, const Vector<String16> &) { 300 IPCThreadState* ipc = IPCThreadState::self(); 301 const int pid = ipc->getCallingPid(); 302 const int uid = ipc->getCallingUid(); 303 if (!PermissionCache::checkPermission(DUMP_PERMISSION, pid, uid)) { 304 return PERMISSION_DENIED; 305 } 306 307 if (device == NULL) { 308 const char *result = "Device not available"; 309 write(fd, result, strlen(result) + 1); 310 } else { 311 const char *result = "OK"; 312 write(fd, result, strlen(result) + 1); 313 } 314 315 return NO_ERROR; 316 } 317 318 private: 319 gatekeeper_device_t *device; 320 UniquePtr<SoftGateKeeperDevice> soft_device; 321 const hw_module_t *module; 322 }; 323 }// namespace android 324 325 int main(int argc, char* argv[]) { 326 ALOGI("Starting gatekeeperd..."); 327 if (argc < 2) { 328 ALOGE("A directory must be specified!"); 329 return 1; 330 } 331 if (chdir(argv[1]) == -1) { 332 ALOGE("chdir: %s: %s", argv[1], strerror(errno)); 333 return 1; 334 } 335 336 android::sp<android::IServiceManager> sm = android::defaultServiceManager(); 337 android::sp<android::GateKeeperProxy> proxy = new android::GateKeeperProxy(); 338 android::status_t ret = sm->addService( 339 android::String16("android.service.gatekeeper.IGateKeeperService"), proxy); 340 if (ret != android::OK) { 341 ALOGE("Couldn't register binder service!"); 342 return -1; 343 } 344 345 /* 346 * We're the only thread in existence, so we're just going to process 347 * Binder transaction as a single-threaded program. 348 */ 349 android::IPCThreadState::self()->joinThreadPool(); 350 return 0; 351 } 352
