1 // Copyright (c) 2012 The Chromium OS Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "policy/device_policy_impl.h" 6 7 #include <base/files/file_util.h> 8 #include <base/logging.h> 9 #include <base/macros.h> 10 #include <openssl/evp.h> 11 #include <openssl/x509.h> 12 13 #include <set> 14 #include <string> 15 16 #include "bindings/chrome_device_policy.pb.h" 17 #include "bindings/device_management_backend.pb.h" 18 19 namespace policy { 20 21 namespace { 22 const char kPolicyPath[] = "/var/lib/whitelist/policy"; 23 const char kPublicKeyPath[] = "/var/lib/whitelist/owner.key"; 24 25 // Reads the public key used to sign the policy from |key_file| and stores it 26 // in |public_key|. Returns true on success. 27 bool ReadPublicKeyFromFile(const base::FilePath& key_file, 28 std::string* public_key) { 29 if (!base::PathExists(key_file)) 30 return false; 31 public_key->clear(); 32 if (!base::ReadFileToString(key_file, public_key) || public_key->empty()) { 33 LOG(ERROR) << "Could not read public key off disk"; 34 return false; 35 } 36 return true; 37 } 38 39 // Verifies that the |signed_data| has correct |signature| with |public_key|. 40 bool VerifySignature(const std::string& signed_data, 41 const std::string& signature, 42 const std::string& public_key) { 43 EVP_MD_CTX ctx; 44 EVP_MD_CTX_init(&ctx); 45 46 const EVP_MD* digest = EVP_sha1(); 47 48 char* key = const_cast<char*>(public_key.data()); 49 BIO* bio = BIO_new_mem_buf(key, public_key.length()); 50 if (!bio) { 51 EVP_MD_CTX_cleanup(&ctx); 52 return false; 53 } 54 55 EVP_PKEY* public_key_ssl = d2i_PUBKEY_bio(bio, nullptr); 56 if (!public_key_ssl) { 57 BIO_free_all(bio); 58 EVP_MD_CTX_cleanup(&ctx); 59 return false; 60 } 61 62 const unsigned char* sig = 63 reinterpret_cast<const unsigned char*>(signature.data()); 64 int rv = EVP_VerifyInit_ex(&ctx, digest, nullptr); 65 if (rv == 1) { 66 EVP_VerifyUpdate(&ctx, signed_data.data(), signed_data.length()); 67 rv = EVP_VerifyFinal(&ctx, 68 sig, signature.length(), 69 public_key_ssl); 70 } 71 72 EVP_PKEY_free(public_key_ssl); 73 BIO_free_all(bio); 74 EVP_MD_CTX_cleanup(&ctx); 75 76 return rv == 1; 77 } 78 79 // Decodes the connection type enum from the device settings protobuf to string 80 // representations. The strings must match the connection manager definitions. 81 std::string DecodeConnectionType(int type) { 82 static const char* const kConnectionTypes[] = { 83 "ethernet", 84 "wifi", 85 "wimax", 86 "bluetooth", 87 "cellular", 88 }; 89 90 if (type < 0 || type >= static_cast<int>(arraysize(kConnectionTypes))) 91 return std::string(); 92 93 return kConnectionTypes[type]; 94 } 95 96 } // namespace 97 98 DevicePolicyImpl::DevicePolicyImpl() 99 : policy_path_(kPolicyPath), 100 keyfile_path_(kPublicKeyPath) { 101 } 102 103 DevicePolicyImpl::~DevicePolicyImpl() { 104 } 105 106 bool DevicePolicyImpl::LoadPolicy() { 107 if (!VerifyPolicyFiles()) { 108 return false; 109 } 110 111 std::string polstr; 112 if (!base::ReadFileToString(policy_path_, &polstr) || polstr.empty()) { 113 LOG(ERROR) << "Could not read policy off disk"; 114 return false; 115 } 116 if (!policy_.ParseFromString(polstr) || !policy_.has_policy_data()) { 117 LOG(ERROR) << "Policy on disk could not be parsed!"; 118 return false; 119 } 120 policy_data_.ParseFromString(policy_.policy_data()); 121 if (!policy_data_.has_policy_value()) { 122 LOG(ERROR) << "Policy on disk could not be parsed!"; 123 return false; 124 } 125 126 // Make sure the signature is still valid. 127 if (!VerifyPolicySignature()) { 128 LOG(ERROR) << "Policy signature verification failed!"; 129 return false; 130 } 131 132 device_policy_.ParseFromString(policy_data_.policy_value()); 133 return true; 134 } 135 136 bool DevicePolicyImpl::GetPolicyRefreshRate(int* rate) const { 137 if (!device_policy_.has_device_policy_refresh_rate()) 138 return false; 139 *rate = static_cast<int>( 140 device_policy_.device_policy_refresh_rate().device_policy_refresh_rate()); 141 return true; 142 } 143 144 bool DevicePolicyImpl::GetUserWhitelist( 145 std::vector<std::string>* user_whitelist) const { 146 if (!device_policy_.has_user_whitelist()) 147 return false; 148 const enterprise_management::UserWhitelistProto& proto = 149 device_policy_.user_whitelist(); 150 user_whitelist->clear(); 151 for (int i = 0; i < proto.user_whitelist_size(); i++) 152 user_whitelist->push_back(proto.user_whitelist(i)); 153 return true; 154 } 155 156 bool DevicePolicyImpl::GetGuestModeEnabled(bool* guest_mode_enabled) const { 157 if (!device_policy_.has_guest_mode_enabled()) 158 return false; 159 *guest_mode_enabled = 160 device_policy_.guest_mode_enabled().guest_mode_enabled(); 161 return true; 162 } 163 164 bool DevicePolicyImpl::GetCameraEnabled(bool* camera_enabled) const { 165 if (!device_policy_.has_camera_enabled()) 166 return false; 167 *camera_enabled = device_policy_.camera_enabled().camera_enabled(); 168 return true; 169 } 170 171 bool DevicePolicyImpl::GetShowUserNames(bool* show_user_names) const { 172 if (!device_policy_.has_show_user_names()) 173 return false; 174 *show_user_names = device_policy_.show_user_names().show_user_names(); 175 return true; 176 } 177 178 bool DevicePolicyImpl::GetDataRoamingEnabled(bool* data_roaming_enabled) const { 179 if (!device_policy_.has_data_roaming_enabled()) 180 return false; 181 *data_roaming_enabled = 182 device_policy_.data_roaming_enabled().data_roaming_enabled(); 183 return true; 184 } 185 186 bool DevicePolicyImpl::GetAllowNewUsers(bool* allow_new_users) const { 187 if (!device_policy_.has_allow_new_users()) 188 return false; 189 *allow_new_users = device_policy_.allow_new_users().allow_new_users(); 190 return true; 191 } 192 193 bool DevicePolicyImpl::GetMetricsEnabled(bool* metrics_enabled) const { 194 if (!device_policy_.has_metrics_enabled()) 195 return false; 196 *metrics_enabled = device_policy_.metrics_enabled().metrics_enabled(); 197 return true; 198 } 199 200 bool DevicePolicyImpl::GetReportVersionInfo(bool* report_version_info) const { 201 if (!device_policy_.has_device_reporting()) 202 return false; 203 204 const enterprise_management::DeviceReportingProto& proto = 205 device_policy_.device_reporting(); 206 if (!proto.has_report_version_info()) 207 return false; 208 209 *report_version_info = proto.report_version_info(); 210 return true; 211 } 212 213 bool DevicePolicyImpl::GetReportActivityTimes( 214 bool* report_activity_times) const { 215 if (!device_policy_.has_device_reporting()) 216 return false; 217 218 const enterprise_management::DeviceReportingProto& proto = 219 device_policy_.device_reporting(); 220 if (!proto.has_report_activity_times()) 221 return false; 222 223 *report_activity_times = proto.report_activity_times(); 224 return true; 225 } 226 227 bool DevicePolicyImpl::GetReportBootMode(bool* report_boot_mode) const { 228 if (!device_policy_.has_device_reporting()) 229 return false; 230 231 const enterprise_management::DeviceReportingProto& proto = 232 device_policy_.device_reporting(); 233 if (!proto.has_report_boot_mode()) 234 return false; 235 236 *report_boot_mode = proto.report_boot_mode(); 237 return true; 238 } 239 240 bool DevicePolicyImpl::GetEphemeralUsersEnabled( 241 bool* ephemeral_users_enabled) const { 242 if (!device_policy_.has_ephemeral_users_enabled()) 243 return false; 244 *ephemeral_users_enabled = 245 device_policy_.ephemeral_users_enabled().ephemeral_users_enabled(); 246 return true; 247 } 248 249 bool DevicePolicyImpl::GetReleaseChannel( 250 std::string* release_channel) const { 251 if (!device_policy_.has_release_channel()) 252 return false; 253 254 const enterprise_management::ReleaseChannelProto& proto = 255 device_policy_.release_channel(); 256 if (!proto.has_release_channel()) 257 return false; 258 259 *release_channel = proto.release_channel(); 260 return true; 261 } 262 263 bool DevicePolicyImpl::GetReleaseChannelDelegated( 264 bool* release_channel_delegated) const { 265 if (!device_policy_.has_release_channel()) 266 return false; 267 268 const enterprise_management::ReleaseChannelProto& proto = 269 device_policy_.release_channel(); 270 if (!proto.has_release_channel_delegated()) 271 return false; 272 273 *release_channel_delegated = proto.release_channel_delegated(); 274 return true; 275 } 276 277 bool DevicePolicyImpl::GetUpdateDisabled( 278 bool* update_disabled) const { 279 if (!device_policy_.has_auto_update_settings()) 280 return false; 281 282 const enterprise_management::AutoUpdateSettingsProto& proto = 283 device_policy_.auto_update_settings(); 284 if (!proto.has_update_disabled()) 285 return false; 286 287 *update_disabled = proto.update_disabled(); 288 return true; 289 } 290 291 bool DevicePolicyImpl::GetTargetVersionPrefix( 292 std::string* target_version_prefix) const { 293 if (!device_policy_.has_auto_update_settings()) 294 return false; 295 296 const enterprise_management::AutoUpdateSettingsProto& proto = 297 device_policy_.auto_update_settings(); 298 if (!proto.has_target_version_prefix()) 299 return false; 300 301 *target_version_prefix = proto.target_version_prefix(); 302 return true; 303 } 304 305 bool DevicePolicyImpl::GetScatterFactorInSeconds( 306 int64_t* scatter_factor_in_seconds) const { 307 if (!device_policy_.has_auto_update_settings()) 308 return false; 309 310 const enterprise_management::AutoUpdateSettingsProto& proto = 311 device_policy_.auto_update_settings(); 312 if (!proto.has_scatter_factor_in_seconds()) 313 return false; 314 315 *scatter_factor_in_seconds = proto.scatter_factor_in_seconds(); 316 return true; 317 } 318 319 bool DevicePolicyImpl::GetAllowedConnectionTypesForUpdate( 320 std::set<std::string>* connection_types) const { 321 if (!device_policy_.has_auto_update_settings()) 322 return false; 323 324 const enterprise_management::AutoUpdateSettingsProto& proto = 325 device_policy_.auto_update_settings(); 326 if (proto.allowed_connection_types_size() <= 0) 327 return false; 328 329 for (int i = 0; i < proto.allowed_connection_types_size(); i++) { 330 std::string type = DecodeConnectionType(proto.allowed_connection_types(i)); 331 if (!type.empty()) 332 connection_types->insert(type); 333 } 334 return true; 335 } 336 337 bool DevicePolicyImpl::GetOpenNetworkConfiguration( 338 std::string* open_network_configuration) const { 339 if (!device_policy_.has_open_network_configuration()) 340 return false; 341 342 const enterprise_management::DeviceOpenNetworkConfigurationProto& proto = 343 device_policy_.open_network_configuration(); 344 if (!proto.has_open_network_configuration()) 345 return false; 346 347 *open_network_configuration = proto.open_network_configuration(); 348 return true; 349 } 350 351 bool DevicePolicyImpl::GetOwner(std::string* owner) const { 352 // The device is enterprise enrolled iff a request token exists. 353 if (policy_data_.has_request_token()) { 354 *owner = ""; 355 return true; 356 } 357 if (!policy_data_.has_username()) 358 return false; 359 *owner = policy_data_.username(); 360 return true; 361 } 362 363 bool DevicePolicyImpl::GetHttpDownloadsEnabled( 364 bool* http_downloads_enabled) const { 365 if (!device_policy_.has_auto_update_settings()) 366 return false; 367 368 const enterprise_management::AutoUpdateSettingsProto& proto = 369 device_policy_.auto_update_settings(); 370 371 if (!proto.has_http_downloads_enabled()) 372 return false; 373 374 *http_downloads_enabled = proto.http_downloads_enabled(); 375 return true; 376 } 377 378 bool DevicePolicyImpl::GetAuP2PEnabled(bool* au_p2p_enabled) const { 379 if (!device_policy_.has_auto_update_settings()) 380 return false; 381 382 const enterprise_management::AutoUpdateSettingsProto& proto = 383 device_policy_.auto_update_settings(); 384 385 if (!proto.has_p2p_enabled()) 386 return false; 387 388 *au_p2p_enabled = proto.p2p_enabled(); 389 return true; 390 } 391 392 bool DevicePolicyImpl::GetAllowKioskAppControlChromeVersion( 393 bool* allow_kiosk_app_control_chrome_version) const { 394 if (!device_policy_.has_allow_kiosk_app_control_chrome_version()) 395 return false; 396 397 const enterprise_management::AllowKioskAppControlChromeVersionProto& proto = 398 device_policy_.allow_kiosk_app_control_chrome_version(); 399 400 if (!proto.has_allow_kiosk_app_control_chrome_version()) 401 return false; 402 403 *allow_kiosk_app_control_chrome_version = 404 proto.allow_kiosk_app_control_chrome_version(); 405 return true; 406 } 407 408 bool DevicePolicyImpl::GetUsbDetachableWhitelist( 409 std::vector<UsbDeviceId>* usb_whitelist) const { 410 if (!device_policy_.has_usb_detachable_whitelist()) 411 return false; 412 const enterprise_management::UsbDetachableWhitelistProto& proto = 413 device_policy_.usb_detachable_whitelist(); 414 usb_whitelist->clear(); 415 for (int i = 0; i < proto.id_size(); i++) { 416 const ::enterprise_management::UsbDeviceIdProto& id = proto.id(i); 417 UsbDeviceId dev_id; 418 dev_id.vendor_id = id.has_vendor_id() ? id.vendor_id() : 0; 419 dev_id.product_id = id.has_product_id() ? id.product_id() : 0; 420 usb_whitelist->push_back(dev_id); 421 } 422 return true; 423 } 424 425 bool DevicePolicyImpl::VerifyPolicyFiles() { 426 // Both the policy and its signature have to exist. 427 if (!base::PathExists(policy_path_) || !base::PathExists(keyfile_path_)) { 428 return false; 429 } 430 431 // Check if the policy and signature file is owned by root. 432 struct stat file_stat; 433 stat(policy_path_.value().c_str(), &file_stat); 434 if (file_stat.st_uid != 0) { 435 LOG(ERROR) << "Policy file is not owned by root!"; 436 return false; 437 } 438 stat(keyfile_path_.value().c_str(), &file_stat); 439 if (file_stat.st_uid != 0) { 440 LOG(ERROR) << "Policy signature file is not owned by root!"; 441 return false; 442 } 443 return true; 444 } 445 446 bool DevicePolicyImpl::VerifyPolicySignature() { 447 if (policy_.has_policy_data_signature()) { 448 std::string policy_data = policy_.policy_data(); 449 std::string policy_data_signature = policy_.policy_data_signature(); 450 std::string public_key; 451 if (!ReadPublicKeyFromFile(base::FilePath(keyfile_path_), &public_key)) { 452 LOG(ERROR) << "Could not read owner key off disk"; 453 return false; 454 } 455 if (!VerifySignature(policy_data, policy_data_signature, public_key)) { 456 LOG(ERROR) << "Signature does not match the data or can not be verified!"; 457 return false; 458 } 459 return true; 460 } 461 LOG(ERROR) << "The policy blob is not signed!"; 462 return false; 463 } 464 465 } // namespace policy 466
