Home | History | Annotate | Download | only in policy
      1 // Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #include "policy/device_policy_impl.h"
      6 
      7 #include <base/files/file_util.h>
      8 #include <base/logging.h>
      9 #include <base/macros.h>
     10 #include <openssl/evp.h>
     11 #include <openssl/x509.h>
     12 
     13 #include <set>
     14 #include <string>
     15 
     16 #include "bindings/chrome_device_policy.pb.h"
     17 #include "bindings/device_management_backend.pb.h"
     18 
     19 namespace policy {
     20 
     21 namespace {
     22 const char kPolicyPath[] = "/var/lib/whitelist/policy";
     23 const char kPublicKeyPath[] = "/var/lib/whitelist/owner.key";
     24 
     25 // Reads the public key used to sign the policy from |key_file| and stores it
     26 // in |public_key|. Returns true on success.
     27 bool ReadPublicKeyFromFile(const base::FilePath& key_file,
     28                            std::string* public_key) {
     29   if (!base::PathExists(key_file))
     30     return false;
     31   public_key->clear();
     32   if (!base::ReadFileToString(key_file, public_key) || public_key->empty()) {
     33     LOG(ERROR) << "Could not read public key off disk";
     34     return false;
     35   }
     36   return true;
     37 }
     38 
     39 // Verifies that the |signed_data| has correct |signature| with |public_key|.
     40 bool VerifySignature(const std::string& signed_data,
     41                      const std::string& signature,
     42                      const std::string& public_key) {
     43   EVP_MD_CTX ctx;
     44   EVP_MD_CTX_init(&ctx);
     45 
     46   const EVP_MD* digest = EVP_sha1();
     47 
     48   char* key = const_cast<char*>(public_key.data());
     49   BIO* bio = BIO_new_mem_buf(key, public_key.length());
     50   if (!bio) {
     51     EVP_MD_CTX_cleanup(&ctx);
     52     return false;
     53   }
     54 
     55   EVP_PKEY* public_key_ssl = d2i_PUBKEY_bio(bio, nullptr);
     56   if (!public_key_ssl) {
     57     BIO_free_all(bio);
     58     EVP_MD_CTX_cleanup(&ctx);
     59     return false;
     60   }
     61 
     62   const unsigned char* sig =
     63       reinterpret_cast<const unsigned char*>(signature.data());
     64   int rv = EVP_VerifyInit_ex(&ctx, digest, nullptr);
     65   if (rv == 1) {
     66     EVP_VerifyUpdate(&ctx, signed_data.data(), signed_data.length());
     67     rv = EVP_VerifyFinal(&ctx,
     68                          sig, signature.length(),
     69                          public_key_ssl);
     70   }
     71 
     72   EVP_PKEY_free(public_key_ssl);
     73   BIO_free_all(bio);
     74   EVP_MD_CTX_cleanup(&ctx);
     75 
     76   return rv == 1;
     77 }
     78 
     79 // Decodes the connection type enum from the device settings protobuf to string
     80 // representations. The strings must match the connection manager definitions.
     81 std::string DecodeConnectionType(int type) {
     82   static const char* const kConnectionTypes[] = {
     83     "ethernet",
     84     "wifi",
     85     "wimax",
     86     "bluetooth",
     87     "cellular",
     88   };
     89 
     90   if (type < 0 || type >= static_cast<int>(arraysize(kConnectionTypes)))
     91     return std::string();
     92 
     93   return kConnectionTypes[type];
     94 }
     95 
     96 }  // namespace
     97 
     98 DevicePolicyImpl::DevicePolicyImpl()
     99     : policy_path_(kPolicyPath),
    100       keyfile_path_(kPublicKeyPath) {
    101 }
    102 
    103 DevicePolicyImpl::~DevicePolicyImpl() {
    104 }
    105 
    106 bool DevicePolicyImpl::LoadPolicy() {
    107   if (!VerifyPolicyFiles()) {
    108     return false;
    109   }
    110 
    111   std::string polstr;
    112   if (!base::ReadFileToString(policy_path_, &polstr) || polstr.empty()) {
    113     LOG(ERROR) << "Could not read policy off disk";
    114     return false;
    115   }
    116   if (!policy_.ParseFromString(polstr) || !policy_.has_policy_data()) {
    117     LOG(ERROR) << "Policy on disk could not be parsed!";
    118     return false;
    119   }
    120   policy_data_.ParseFromString(policy_.policy_data());
    121   if (!policy_data_.has_policy_value()) {
    122     LOG(ERROR) << "Policy on disk could not be parsed!";
    123     return false;
    124   }
    125 
    126   // Make sure the signature is still valid.
    127   if (!VerifyPolicySignature()) {
    128     LOG(ERROR) << "Policy signature verification failed!";
    129     return false;
    130   }
    131 
    132   device_policy_.ParseFromString(policy_data_.policy_value());
    133   return true;
    134 }
    135 
    136 bool DevicePolicyImpl::GetPolicyRefreshRate(int* rate) const {
    137   if (!device_policy_.has_device_policy_refresh_rate())
    138     return false;
    139   *rate = static_cast<int>(
    140       device_policy_.device_policy_refresh_rate().device_policy_refresh_rate());
    141   return true;
    142 }
    143 
    144 bool DevicePolicyImpl::GetUserWhitelist(
    145     std::vector<std::string>* user_whitelist) const {
    146   if (!device_policy_.has_user_whitelist())
    147     return false;
    148   const enterprise_management::UserWhitelistProto& proto =
    149       device_policy_.user_whitelist();
    150   user_whitelist->clear();
    151   for (int i = 0; i < proto.user_whitelist_size(); i++)
    152     user_whitelist->push_back(proto.user_whitelist(i));
    153   return true;
    154 }
    155 
    156 bool DevicePolicyImpl::GetGuestModeEnabled(bool* guest_mode_enabled) const {
    157   if (!device_policy_.has_guest_mode_enabled())
    158     return false;
    159   *guest_mode_enabled =
    160       device_policy_.guest_mode_enabled().guest_mode_enabled();
    161   return true;
    162 }
    163 
    164 bool DevicePolicyImpl::GetCameraEnabled(bool* camera_enabled) const {
    165   if (!device_policy_.has_camera_enabled())
    166     return false;
    167   *camera_enabled = device_policy_.camera_enabled().camera_enabled();
    168   return true;
    169 }
    170 
    171 bool DevicePolicyImpl::GetShowUserNames(bool* show_user_names) const {
    172   if (!device_policy_.has_show_user_names())
    173     return false;
    174   *show_user_names = device_policy_.show_user_names().show_user_names();
    175   return true;
    176 }
    177 
    178 bool DevicePolicyImpl::GetDataRoamingEnabled(bool* data_roaming_enabled) const {
    179   if (!device_policy_.has_data_roaming_enabled())
    180     return false;
    181   *data_roaming_enabled =
    182       device_policy_.data_roaming_enabled().data_roaming_enabled();
    183   return true;
    184 }
    185 
    186 bool DevicePolicyImpl::GetAllowNewUsers(bool* allow_new_users) const {
    187   if (!device_policy_.has_allow_new_users())
    188     return false;
    189   *allow_new_users = device_policy_.allow_new_users().allow_new_users();
    190   return true;
    191 }
    192 
    193 bool DevicePolicyImpl::GetMetricsEnabled(bool* metrics_enabled) const {
    194   if (!device_policy_.has_metrics_enabled())
    195     return false;
    196   *metrics_enabled = device_policy_.metrics_enabled().metrics_enabled();
    197   return true;
    198 }
    199 
    200 bool DevicePolicyImpl::GetReportVersionInfo(bool* report_version_info) const {
    201   if (!device_policy_.has_device_reporting())
    202     return false;
    203 
    204   const enterprise_management::DeviceReportingProto& proto =
    205       device_policy_.device_reporting();
    206   if (!proto.has_report_version_info())
    207     return false;
    208 
    209   *report_version_info = proto.report_version_info();
    210   return true;
    211 }
    212 
    213 bool DevicePolicyImpl::GetReportActivityTimes(
    214     bool* report_activity_times) const {
    215   if (!device_policy_.has_device_reporting())
    216     return false;
    217 
    218   const enterprise_management::DeviceReportingProto& proto =
    219       device_policy_.device_reporting();
    220   if (!proto.has_report_activity_times())
    221     return false;
    222 
    223   *report_activity_times = proto.report_activity_times();
    224   return true;
    225 }
    226 
    227 bool DevicePolicyImpl::GetReportBootMode(bool* report_boot_mode) const {
    228   if (!device_policy_.has_device_reporting())
    229     return false;
    230 
    231   const enterprise_management::DeviceReportingProto& proto =
    232       device_policy_.device_reporting();
    233   if (!proto.has_report_boot_mode())
    234     return false;
    235 
    236   *report_boot_mode = proto.report_boot_mode();
    237   return true;
    238 }
    239 
    240 bool DevicePolicyImpl::GetEphemeralUsersEnabled(
    241     bool* ephemeral_users_enabled) const {
    242   if (!device_policy_.has_ephemeral_users_enabled())
    243     return false;
    244   *ephemeral_users_enabled =
    245       device_policy_.ephemeral_users_enabled().ephemeral_users_enabled();
    246   return true;
    247 }
    248 
    249 bool DevicePolicyImpl::GetReleaseChannel(
    250     std::string* release_channel) const {
    251   if (!device_policy_.has_release_channel())
    252     return false;
    253 
    254   const enterprise_management::ReleaseChannelProto& proto =
    255       device_policy_.release_channel();
    256   if (!proto.has_release_channel())
    257     return false;
    258 
    259   *release_channel = proto.release_channel();
    260   return true;
    261 }
    262 
    263 bool DevicePolicyImpl::GetReleaseChannelDelegated(
    264     bool* release_channel_delegated) const {
    265   if (!device_policy_.has_release_channel())
    266     return false;
    267 
    268   const enterprise_management::ReleaseChannelProto& proto =
    269       device_policy_.release_channel();
    270   if (!proto.has_release_channel_delegated())
    271     return false;
    272 
    273   *release_channel_delegated = proto.release_channel_delegated();
    274   return true;
    275 }
    276 
    277 bool DevicePolicyImpl::GetUpdateDisabled(
    278     bool* update_disabled) const {
    279   if (!device_policy_.has_auto_update_settings())
    280     return false;
    281 
    282   const enterprise_management::AutoUpdateSettingsProto& proto =
    283       device_policy_.auto_update_settings();
    284   if (!proto.has_update_disabled())
    285     return false;
    286 
    287   *update_disabled = proto.update_disabled();
    288   return true;
    289 }
    290 
    291 bool DevicePolicyImpl::GetTargetVersionPrefix(
    292     std::string* target_version_prefix) const {
    293   if (!device_policy_.has_auto_update_settings())
    294     return false;
    295 
    296   const enterprise_management::AutoUpdateSettingsProto& proto =
    297       device_policy_.auto_update_settings();
    298   if (!proto.has_target_version_prefix())
    299     return false;
    300 
    301   *target_version_prefix = proto.target_version_prefix();
    302   return true;
    303 }
    304 
    305 bool DevicePolicyImpl::GetScatterFactorInSeconds(
    306     int64_t* scatter_factor_in_seconds) const {
    307   if (!device_policy_.has_auto_update_settings())
    308     return false;
    309 
    310   const enterprise_management::AutoUpdateSettingsProto& proto =
    311       device_policy_.auto_update_settings();
    312   if (!proto.has_scatter_factor_in_seconds())
    313     return false;
    314 
    315   *scatter_factor_in_seconds = proto.scatter_factor_in_seconds();
    316   return true;
    317 }
    318 
    319 bool DevicePolicyImpl::GetAllowedConnectionTypesForUpdate(
    320       std::set<std::string>* connection_types) const {
    321   if (!device_policy_.has_auto_update_settings())
    322     return false;
    323 
    324   const enterprise_management::AutoUpdateSettingsProto& proto =
    325       device_policy_.auto_update_settings();
    326   if (proto.allowed_connection_types_size() <= 0)
    327     return false;
    328 
    329   for (int i = 0; i < proto.allowed_connection_types_size(); i++) {
    330     std::string type = DecodeConnectionType(proto.allowed_connection_types(i));
    331     if (!type.empty())
    332       connection_types->insert(type);
    333   }
    334   return true;
    335 }
    336 
    337 bool DevicePolicyImpl::GetOpenNetworkConfiguration(
    338     std::string* open_network_configuration) const {
    339   if (!device_policy_.has_open_network_configuration())
    340     return false;
    341 
    342   const enterprise_management::DeviceOpenNetworkConfigurationProto& proto =
    343       device_policy_.open_network_configuration();
    344   if (!proto.has_open_network_configuration())
    345     return false;
    346 
    347   *open_network_configuration = proto.open_network_configuration();
    348   return true;
    349 }
    350 
    351 bool DevicePolicyImpl::GetOwner(std::string* owner) const {
    352   // The device is enterprise enrolled iff a request token exists.
    353   if (policy_data_.has_request_token()) {
    354     *owner = "";
    355     return true;
    356   }
    357   if (!policy_data_.has_username())
    358     return false;
    359   *owner = policy_data_.username();
    360   return true;
    361 }
    362 
    363 bool DevicePolicyImpl::GetHttpDownloadsEnabled(
    364     bool* http_downloads_enabled) const {
    365   if (!device_policy_.has_auto_update_settings())
    366     return false;
    367 
    368   const enterprise_management::AutoUpdateSettingsProto& proto =
    369       device_policy_.auto_update_settings();
    370 
    371   if (!proto.has_http_downloads_enabled())
    372     return false;
    373 
    374   *http_downloads_enabled = proto.http_downloads_enabled();
    375   return true;
    376 }
    377 
    378 bool DevicePolicyImpl::GetAuP2PEnabled(bool* au_p2p_enabled) const {
    379   if (!device_policy_.has_auto_update_settings())
    380     return false;
    381 
    382   const enterprise_management::AutoUpdateSettingsProto& proto =
    383       device_policy_.auto_update_settings();
    384 
    385   if (!proto.has_p2p_enabled())
    386     return false;
    387 
    388   *au_p2p_enabled = proto.p2p_enabled();
    389   return true;
    390 }
    391 
    392 bool DevicePolicyImpl::VerifyPolicyFiles() {
    393   // Both the policy and its signature have to exist.
    394   if (!base::PathExists(policy_path_) || !base::PathExists(keyfile_path_)) {
    395     return false;
    396   }
    397 
    398   // Check if the policy and signature file is owned by root.
    399   struct stat file_stat;
    400   stat(policy_path_.value().c_str(), &file_stat);
    401   if (file_stat.st_uid != 0) {
    402     LOG(ERROR) << "Policy file is not owned by root!";
    403     return false;
    404   }
    405   stat(keyfile_path_.value().c_str(), &file_stat);
    406   if (file_stat.st_uid != 0) {
    407     LOG(ERROR) << "Policy signature file is not owned by root!";
    408     return false;
    409   }
    410   return true;
    411 }
    412 
    413 bool DevicePolicyImpl::VerifyPolicySignature() {
    414   if (policy_.has_policy_data_signature()) {
    415     std::string policy_data = policy_.policy_data();
    416     std::string policy_data_signature = policy_.policy_data_signature();
    417     std::string public_key;
    418     if (!ReadPublicKeyFromFile(base::FilePath(keyfile_path_), &public_key)) {
    419       LOG(ERROR) << "Could not read owner key off disk";
    420       return false;
    421     }
    422     if (!VerifySignature(policy_data, policy_data_signature, public_key)) {
    423       LOG(ERROR) << "Signature does not match the data or can not be verified!";
    424       return false;
    425     }
    426     return true;
    427   }
    428   LOG(ERROR) << "The policy blob is not signed!";
    429   return false;
    430 }
    431 
    432 }  // namespace policy
    433