1 // Copyright (c) 2012 The Chromium OS Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "policy/device_policy_impl.h" 6 7 #include <memory> 8 9 #include <base/containers/adapters.h> 10 #include <base/files/file_util.h> 11 #include <base/logging.h> 12 #include <base/macros.h> 13 #include <base/memory/ptr_util.h> 14 #include <openssl/evp.h> 15 #include <openssl/x509.h> 16 17 #include <set> 18 #include <string> 19 20 #include "bindings/chrome_device_policy.pb.h" 21 #include "bindings/device_management_backend.pb.h" 22 #include "policy/policy_util.h" 23 #include "policy/resilient_policy_util.h" 24 25 namespace policy { 26 27 namespace { 28 const char kPolicyPath[] = "/var/lib/whitelist/policy"; 29 const char kPublicKeyPath[] = "/var/lib/whitelist/owner.key"; 30 31 // Reads the public key used to sign the policy from |key_file| and stores it 32 // in |public_key|. Returns true on success. 33 bool ReadPublicKeyFromFile(const base::FilePath& key_file, 34 std::string* public_key) { 35 if (!base::PathExists(key_file)) 36 return false; 37 public_key->clear(); 38 if (!base::ReadFileToString(key_file, public_key) || public_key->empty()) { 39 LOG(ERROR) << "Could not read public key off disk"; 40 return false; 41 } 42 return true; 43 } 44 45 // Verifies that the |signed_data| has correct |signature| with |public_key|. 46 bool VerifySignature(const std::string& signed_data, 47 const std::string& signature, 48 const std::string& public_key) { 49 EVP_MD_CTX ctx; 50 EVP_MD_CTX_init(&ctx); 51 52 const EVP_MD* digest = EVP_sha1(); 53 54 char* key = const_cast<char*>(public_key.data()); 55 BIO* bio = BIO_new_mem_buf(key, public_key.length()); 56 if (!bio) { 57 EVP_MD_CTX_cleanup(&ctx); 58 return false; 59 } 60 61 EVP_PKEY* public_key_ssl = d2i_PUBKEY_bio(bio, nullptr); 62 if (!public_key_ssl) { 63 BIO_free_all(bio); 64 EVP_MD_CTX_cleanup(&ctx); 65 return false; 66 } 67 68 const unsigned char* sig = 69 reinterpret_cast<const unsigned char*>(signature.data()); 70 int rv = EVP_VerifyInit_ex(&ctx, digest, nullptr); 71 if (rv == 1) { 72 EVP_VerifyUpdate(&ctx, signed_data.data(), signed_data.length()); 73 rv = EVP_VerifyFinal(&ctx, sig, signature.length(), public_key_ssl); 74 } 75 76 EVP_PKEY_free(public_key_ssl); 77 BIO_free_all(bio); 78 EVP_MD_CTX_cleanup(&ctx); 79 80 return rv == 1; 81 } 82 83 // Decodes the connection type enum from the device settings protobuf to string 84 // representations. The strings must match the connection manager definitions. 85 std::string DecodeConnectionType(int type) { 86 static const char* const kConnectionTypes[] = { 87 "ethernet", "wifi", "wimax", "bluetooth", "cellular", 88 }; 89 90 if (type < 0 || type >= static_cast<int>(arraysize(kConnectionTypes))) 91 return std::string(); 92 93 return kConnectionTypes[type]; 94 } 95 96 } // namespace 97 98 DevicePolicyImpl::DevicePolicyImpl() 99 : policy_path_(kPolicyPath), 100 keyfile_path_(kPublicKeyPath), 101 verify_root_ownership_(true) {} 102 103 DevicePolicyImpl::~DevicePolicyImpl() {} 104 105 bool DevicePolicyImpl::LoadPolicy() { 106 std::map<int, base::FilePath> sorted_policy_file_paths = 107 policy::GetSortedResilientPolicyFilePaths(policy_path_); 108 if (sorted_policy_file_paths.empty()) 109 return false; 110 111 // Try to load the existent policy files one by one in reverse order of their 112 // index until we succeed. The default policy, if present, appears as index 0 113 // in the map and is loaded the last. This is intentional as that file is the 114 // oldest. 115 bool policy_loaded = false; 116 for (const auto& map_pair : base::Reversed(sorted_policy_file_paths)) { 117 const base::FilePath& policy_path = map_pair.second; 118 if (LoadPolicyFromFile(policy_path)) { 119 policy_loaded = true; 120 break; 121 } 122 } 123 124 return policy_loaded; 125 } 126 127 bool DevicePolicyImpl::GetPolicyRefreshRate(int* rate) const { 128 if (!device_policy_.has_device_policy_refresh_rate()) 129 return false; 130 *rate = static_cast<int>( 131 device_policy_.device_policy_refresh_rate().device_policy_refresh_rate()); 132 return true; 133 } 134 135 bool DevicePolicyImpl::GetUserWhitelist( 136 std::vector<std::string>* user_whitelist) const { 137 if (!device_policy_.has_user_whitelist()) 138 return false; 139 const enterprise_management::UserWhitelistProto& proto = 140 device_policy_.user_whitelist(); 141 user_whitelist->clear(); 142 for (int i = 0; i < proto.user_whitelist_size(); i++) 143 user_whitelist->push_back(proto.user_whitelist(i)); 144 return true; 145 } 146 147 bool DevicePolicyImpl::GetGuestModeEnabled(bool* guest_mode_enabled) const { 148 if (!device_policy_.has_guest_mode_enabled()) 149 return false; 150 *guest_mode_enabled = 151 device_policy_.guest_mode_enabled().guest_mode_enabled(); 152 return true; 153 } 154 155 bool DevicePolicyImpl::GetCameraEnabled(bool* camera_enabled) const { 156 if (!device_policy_.has_camera_enabled()) 157 return false; 158 *camera_enabled = device_policy_.camera_enabled().camera_enabled(); 159 return true; 160 } 161 162 bool DevicePolicyImpl::GetShowUserNames(bool* show_user_names) const { 163 if (!device_policy_.has_show_user_names()) 164 return false; 165 *show_user_names = device_policy_.show_user_names().show_user_names(); 166 return true; 167 } 168 169 bool DevicePolicyImpl::GetDataRoamingEnabled(bool* data_roaming_enabled) const { 170 if (!device_policy_.has_data_roaming_enabled()) 171 return false; 172 *data_roaming_enabled = 173 device_policy_.data_roaming_enabled().data_roaming_enabled(); 174 return true; 175 } 176 177 bool DevicePolicyImpl::GetAllowNewUsers(bool* allow_new_users) const { 178 if (!device_policy_.has_allow_new_users()) 179 return false; 180 *allow_new_users = device_policy_.allow_new_users().allow_new_users(); 181 return true; 182 } 183 184 bool DevicePolicyImpl::GetMetricsEnabled(bool* metrics_enabled) const { 185 if (!device_policy_.has_metrics_enabled()) 186 return false; 187 *metrics_enabled = device_policy_.metrics_enabled().metrics_enabled(); 188 return true; 189 } 190 191 bool DevicePolicyImpl::GetReportVersionInfo(bool* report_version_info) const { 192 if (!device_policy_.has_device_reporting()) 193 return false; 194 195 const enterprise_management::DeviceReportingProto& proto = 196 device_policy_.device_reporting(); 197 if (!proto.has_report_version_info()) 198 return false; 199 200 *report_version_info = proto.report_version_info(); 201 return true; 202 } 203 204 bool DevicePolicyImpl::GetReportActivityTimes( 205 bool* report_activity_times) const { 206 if (!device_policy_.has_device_reporting()) 207 return false; 208 209 const enterprise_management::DeviceReportingProto& proto = 210 device_policy_.device_reporting(); 211 if (!proto.has_report_activity_times()) 212 return false; 213 214 *report_activity_times = proto.report_activity_times(); 215 return true; 216 } 217 218 bool DevicePolicyImpl::GetReportBootMode(bool* report_boot_mode) const { 219 if (!device_policy_.has_device_reporting()) 220 return false; 221 222 const enterprise_management::DeviceReportingProto& proto = 223 device_policy_.device_reporting(); 224 if (!proto.has_report_boot_mode()) 225 return false; 226 227 *report_boot_mode = proto.report_boot_mode(); 228 return true; 229 } 230 231 bool DevicePolicyImpl::GetEphemeralUsersEnabled( 232 bool* ephemeral_users_enabled) const { 233 if (!device_policy_.has_ephemeral_users_enabled()) 234 return false; 235 *ephemeral_users_enabled = 236 device_policy_.ephemeral_users_enabled().ephemeral_users_enabled(); 237 return true; 238 } 239 240 bool DevicePolicyImpl::GetReleaseChannel(std::string* release_channel) const { 241 if (!device_policy_.has_release_channel()) 242 return false; 243 244 const enterprise_management::ReleaseChannelProto& proto = 245 device_policy_.release_channel(); 246 if (!proto.has_release_channel()) 247 return false; 248 249 *release_channel = proto.release_channel(); 250 return true; 251 } 252 253 bool DevicePolicyImpl::GetReleaseChannelDelegated( 254 bool* release_channel_delegated) const { 255 if (!device_policy_.has_release_channel()) 256 return false; 257 258 const enterprise_management::ReleaseChannelProto& proto = 259 device_policy_.release_channel(); 260 if (!proto.has_release_channel_delegated()) 261 return false; 262 263 *release_channel_delegated = proto.release_channel_delegated(); 264 return true; 265 } 266 267 bool DevicePolicyImpl::GetUpdateDisabled(bool* update_disabled) const { 268 if (!device_policy_.has_auto_update_settings()) 269 return false; 270 271 const enterprise_management::AutoUpdateSettingsProto& proto = 272 device_policy_.auto_update_settings(); 273 if (!proto.has_update_disabled()) 274 return false; 275 276 *update_disabled = proto.update_disabled(); 277 return true; 278 } 279 280 bool DevicePolicyImpl::GetTargetVersionPrefix( 281 std::string* target_version_prefix) const { 282 if (!device_policy_.has_auto_update_settings()) 283 return false; 284 285 const enterprise_management::AutoUpdateSettingsProto& proto = 286 device_policy_.auto_update_settings(); 287 if (!proto.has_target_version_prefix()) 288 return false; 289 290 *target_version_prefix = proto.target_version_prefix(); 291 return true; 292 } 293 294 bool DevicePolicyImpl::GetScatterFactorInSeconds( 295 int64_t* scatter_factor_in_seconds) const { 296 if (!device_policy_.has_auto_update_settings()) 297 return false; 298 299 const enterprise_management::AutoUpdateSettingsProto& proto = 300 device_policy_.auto_update_settings(); 301 if (!proto.has_scatter_factor_in_seconds()) 302 return false; 303 304 *scatter_factor_in_seconds = proto.scatter_factor_in_seconds(); 305 return true; 306 } 307 308 bool DevicePolicyImpl::GetAllowedConnectionTypesForUpdate( 309 std::set<std::string>* connection_types) const { 310 if (!device_policy_.has_auto_update_settings()) 311 return false; 312 313 const enterprise_management::AutoUpdateSettingsProto& proto = 314 device_policy_.auto_update_settings(); 315 if (proto.allowed_connection_types_size() <= 0) 316 return false; 317 318 for (int i = 0; i < proto.allowed_connection_types_size(); i++) { 319 std::string type = DecodeConnectionType(proto.allowed_connection_types(i)); 320 if (!type.empty()) 321 connection_types->insert(type); 322 } 323 return true; 324 } 325 326 bool DevicePolicyImpl::GetOpenNetworkConfiguration( 327 std::string* open_network_configuration) const { 328 if (!device_policy_.has_open_network_configuration()) 329 return false; 330 331 const enterprise_management::DeviceOpenNetworkConfigurationProto& proto = 332 device_policy_.open_network_configuration(); 333 if (!proto.has_open_network_configuration()) 334 return false; 335 336 *open_network_configuration = proto.open_network_configuration(); 337 return true; 338 } 339 340 bool DevicePolicyImpl::GetOwner(std::string* owner) const { 341 // The device is enterprise enrolled iff a request token exists. 342 if (policy_data_.has_request_token()) { 343 *owner = ""; 344 return true; 345 } 346 if (!policy_data_.has_username()) 347 return false; 348 *owner = policy_data_.username(); 349 return true; 350 } 351 352 bool DevicePolicyImpl::GetHttpDownloadsEnabled( 353 bool* http_downloads_enabled) const { 354 if (!device_policy_.has_auto_update_settings()) 355 return false; 356 357 const enterprise_management::AutoUpdateSettingsProto& proto = 358 device_policy_.auto_update_settings(); 359 360 if (!proto.has_http_downloads_enabled()) 361 return false; 362 363 *http_downloads_enabled = proto.http_downloads_enabled(); 364 return true; 365 } 366 367 bool DevicePolicyImpl::GetAuP2PEnabled(bool* au_p2p_enabled) const { 368 if (!device_policy_.has_auto_update_settings()) 369 return false; 370 371 const enterprise_management::AutoUpdateSettingsProto& proto = 372 device_policy_.auto_update_settings(); 373 374 if (!proto.has_p2p_enabled()) 375 return false; 376 377 *au_p2p_enabled = proto.p2p_enabled(); 378 return true; 379 } 380 381 bool DevicePolicyImpl::GetAllowKioskAppControlChromeVersion( 382 bool* allow_kiosk_app_control_chrome_version) const { 383 if (!device_policy_.has_allow_kiosk_app_control_chrome_version()) 384 return false; 385 386 const enterprise_management::AllowKioskAppControlChromeVersionProto& proto = 387 device_policy_.allow_kiosk_app_control_chrome_version(); 388 389 if (!proto.has_allow_kiosk_app_control_chrome_version()) 390 return false; 391 392 *allow_kiosk_app_control_chrome_version = 393 proto.allow_kiosk_app_control_chrome_version(); 394 return true; 395 } 396 397 bool DevicePolicyImpl::GetUsbDetachableWhitelist( 398 std::vector<UsbDeviceId>* usb_whitelist) const { 399 if (!device_policy_.has_usb_detachable_whitelist()) 400 return false; 401 const enterprise_management::UsbDetachableWhitelistProto& proto = 402 device_policy_.usb_detachable_whitelist(); 403 usb_whitelist->clear(); 404 for (int i = 0; i < proto.id_size(); i++) { 405 const ::enterprise_management::UsbDeviceIdProto& id = proto.id(i); 406 UsbDeviceId dev_id; 407 dev_id.vendor_id = id.has_vendor_id() ? id.vendor_id() : 0; 408 dev_id.product_id = id.has_product_id() ? id.product_id() : 0; 409 usb_whitelist->push_back(dev_id); 410 } 411 return true; 412 } 413 414 bool DevicePolicyImpl::GetAutoLaunchedKioskAppId( 415 std::string* app_id_out) const { 416 if (!device_policy_.has_device_local_accounts()) 417 return false; 418 419 const enterprise_management::DeviceLocalAccountsProto& local_accounts = 420 device_policy_.device_local_accounts(); 421 422 // For auto-launched kiosk apps, the delay needs to be 0. 423 if (local_accounts.has_auto_login_delay() && 424 local_accounts.auto_login_delay() != 0) 425 return false; 426 427 for (const enterprise_management::DeviceLocalAccountInfoProto& account : 428 local_accounts.account()) { 429 // If this isn't an auto-login account, move to the next one. 430 if (account.account_id() != local_accounts.auto_login_id()) 431 continue; 432 433 // If the auto-launched account is not a kiosk app, bail out, we aren't 434 // running in auto-launched kiosk mode. 435 if (account.type() != 436 enterprise_management::DeviceLocalAccountInfoProto:: 437 ACCOUNT_TYPE_KIOSK_APP) { 438 return false; 439 } 440 441 *app_id_out = account.kiosk_app().app_id(); 442 return true; 443 } 444 445 // No auto-launched account found. 446 return false; 447 } 448 449 bool DevicePolicyImpl::VerifyPolicyFile(const base::FilePath& policy_path) { 450 if (!verify_root_ownership_) { 451 return true; 452 } 453 454 // Both the policy and its signature have to exist. 455 if (!base::PathExists(policy_path) || !base::PathExists(keyfile_path_)) { 456 return false; 457 } 458 459 // Check if the policy and signature file is owned by root. 460 struct stat file_stat; 461 stat(policy_path.value().c_str(), &file_stat); 462 if (file_stat.st_uid != 0) { 463 LOG(ERROR) << "Policy file is not owned by root!"; 464 return false; 465 } 466 stat(keyfile_path_.value().c_str(), &file_stat); 467 if (file_stat.st_uid != 0) { 468 LOG(ERROR) << "Policy signature file is not owned by root!"; 469 return false; 470 } 471 return true; 472 } 473 474 bool DevicePolicyImpl::VerifyPolicySignature() { 475 if (policy_.has_policy_data_signature()) { 476 std::string policy_data = policy_.policy_data(); 477 std::string policy_data_signature = policy_.policy_data_signature(); 478 std::string public_key; 479 if (!ReadPublicKeyFromFile(base::FilePath(keyfile_path_), &public_key)) { 480 LOG(ERROR) << "Could not read owner key off disk"; 481 return false; 482 } 483 if (!VerifySignature(policy_data, policy_data_signature, public_key)) { 484 LOG(ERROR) << "Signature does not match the data or can not be verified!"; 485 return false; 486 } 487 return true; 488 } 489 LOG(ERROR) << "The policy blob is not signed!"; 490 return false; 491 } 492 493 bool DevicePolicyImpl::LoadPolicyFromFile(const base::FilePath& policy_path) { 494 std::string policy_data_str; 495 if (policy::LoadPolicyFromPath(policy_path, &policy_data_str, &policy_) != 496 LoadPolicyResult::kSuccess) { 497 return false; 498 } 499 if (!policy_.has_policy_data()) { 500 LOG(ERROR) << "Policy on disk could not be parsed!"; 501 return false; 502 } 503 if (!policy_data_.ParseFromString(policy_.policy_data()) || 504 !policy_data_.has_policy_value()) { 505 LOG(ERROR) << "Policy on disk could not be parsed!"; 506 return false; 507 } 508 509 bool verify_policy = true; 510 if (!install_attributes_reader_) { 511 install_attributes_reader_ = std::make_unique<InstallAttributesReader>(); 512 } 513 const std::string& mode = install_attributes_reader_->GetAttribute( 514 InstallAttributesReader::kAttrMode); 515 if (mode == InstallAttributesReader::kDeviceModeEnterpriseAD) { 516 verify_policy = false; 517 } 518 if (verify_policy && !VerifyPolicyFile(policy_path)) { 519 return false; 520 } 521 522 // Make sure the signature is still valid. 523 if (verify_policy && !VerifyPolicySignature()) { 524 LOG(ERROR) << "Policy signature verification failed!"; 525 return false; 526 } 527 if (!device_policy_.ParseFromString(policy_data_.policy_value())) { 528 LOG(ERROR) << "Policy on disk could not be parsed!"; 529 return false; 530 } 531 532 return true; 533 } 534 535 } // namespace policy 536
