Blame - AccessControl.cpp - platform/system/hwservicemanager

blob: aa5d43e65509d9ad0d1d084211445f21b6f9f44c [file] [log] [blame]

Martijn Coenen	3924742	2017-09-25 15:29:06 +0200	[diff] [blame]	1	#define LOG_TAG "hwservicemanager"
				2
Martijn Coenen	7ce83be	2017-04-07 16:19:32 -0700	[diff] [blame]	3	#include <android-base/logging.h>
				4	#include <hidl-util/FQName.h>
				5	#include <log/log.h>
				6
				7	#include "AccessControl.h"
				8
				9	namespace android {
				10
				11	static const char *kPermissionAdd = "add";
				12	static const char *kPermissionGet = "find";
				13	static const char *kPermissionList = "list";
				14
				15	struct audit_data {
				16	const char* interfaceName;
Steven Moreland	7185a89	2019-01-09 18:00:05 -0800	[diff] [blame^]	17	const char* sid;
Martijn Coenen	7ce83be	2017-04-07 16:19:32 -0700	[diff] [blame]	18	pid_t pid;
				19	};
				20
				21	using android::FQName;
				22
				23	AccessControl::AccessControl() {
				24	mSeHandle = selinux_android_hw_service_context_handle();
Yi Kong	00892ee	2018-07-31 16:50:28 -0700	[diff] [blame]	25	LOG_ALWAYS_FATAL_IF(mSeHandle == nullptr, "Failed to acquire SELinux handle.");
Martijn Coenen	7ce83be	2017-04-07 16:19:32 -0700	[diff] [blame]	26
				27	if (getcon(&mSeContext) != 0) {
				28	LOG_ALWAYS_FATAL("Failed to acquire hwservicemanager context.");
				29	}
				30
				31	selinux_status_open(true);
				32
				33	mSeCallbacks.func_audit = AccessControl::auditCallback;
				34	selinux_set_callback(SELINUX_CB_AUDIT, mSeCallbacks);
				35
				36	mSeCallbacks.func_log = selinux_log_callback; /* defined in libselinux */
				37	selinux_set_callback(SELINUX_CB_LOG, mSeCallbacks);
				38	}
				39
Steven Moreland	7185a89	2019-01-09 18:00:05 -0800	[diff] [blame^]	40	bool AccessControl::canAdd(const std::string& fqName, const CallingContext& callingContext) {
Steven Moreland	0cd38f0	2018-03-06 15:09:22 -0800	[diff] [blame]	41	FQName fqIface;
Martijn Coenen	7ce83be	2017-04-07 16:19:32 -0700	[diff] [blame]	42
Steven Moreland	0cd38f0	2018-03-06 15:09:22 -0800	[diff] [blame]	43	if (!FQName::parse(fqName, &fqIface)) {
Martijn Coenen	7ce83be	2017-04-07 16:19:32 -0700	[diff] [blame]	44	return false;
				45	}
				46	const std::string checkName = fqIface.package() + "::" + fqIface.name();
				47
Steven Moreland	7185a89	2019-01-09 18:00:05 -0800	[diff] [blame^]	48	return checkPermission(callingContext, kPermissionAdd, checkName.c_str());
Martijn Coenen	7ce83be	2017-04-07 16:19:32 -0700	[diff] [blame]	49	}
				50
Steven Moreland	7185a89	2019-01-09 18:00:05 -0800	[diff] [blame^]	51	bool AccessControl::canGet(const std::string& fqName, const CallingContext& callingContext) {
Steven Moreland	0cd38f0	2018-03-06 15:09:22 -0800	[diff] [blame]	52	FQName fqIface;
Martijn Coenen	7ce83be	2017-04-07 16:19:32 -0700	[diff] [blame]	53
Steven Moreland	0cd38f0	2018-03-06 15:09:22 -0800	[diff] [blame]	54	if (!FQName::parse(fqName, &fqIface)) {
Martijn Coenen	7ce83be	2017-04-07 16:19:32 -0700	[diff] [blame]	55	return false;
				56	}
				57	const std::string checkName = fqIface.package() + "::" + fqIface.name();
				58
Steven Moreland	7185a89	2019-01-09 18:00:05 -0800	[diff] [blame^]	59	return checkPermission(callingContext, kPermissionGet, checkName.c_str());
Martijn Coenen	7ce83be	2017-04-07 16:19:32 -0700	[diff] [blame]	60	}
				61
Steven Moreland	7185a89	2019-01-09 18:00:05 -0800	[diff] [blame^]	62	bool AccessControl::canList(const CallingContext& callingContext) {
				63	return checkPermission(callingContext, mSeContext, kPermissionList, nullptr);
Martijn Coenen	7ce83be	2017-04-07 16:19:32 -0700	[diff] [blame]	64	}
				65
Steven Moreland	7185a89	2019-01-09 18:00:05 -0800	[diff] [blame^]	66	AccessControl::CallingContext AccessControl::getCallingContext(pid_t sourcePid) {
Yi Kong	00892ee	2018-07-31 16:50:28 -0700	[diff] [blame]	67	char *sourceContext = nullptr;
Martijn Coenen	7ce83be	2017-04-07 16:19:32 -0700	[diff] [blame]	68
				69	if (getpidcon(sourcePid, &sourceContext) < 0) {
Martijn Coenen	3924742	2017-09-25 15:29:06 +0200	[diff] [blame]	70	ALOGE("SELinux: failed to retrieve process context for pid %d", sourcePid);
Steven Moreland	7185a89	2019-01-09 18:00:05 -0800	[diff] [blame^]	71	return { false, "", sourcePid };
Steven Moreland	4034c1c	2017-11-03 17:42:27 -0700	[diff] [blame]	72	}
				73
Steven Moreland	7185a89	2019-01-09 18:00:05 -0800	[diff] [blame^]	74	std::string context = sourceContext;
				75	freecon(sourceContext);
				76	return { true, context, sourcePid };
Steven Moreland	4034c1c	2017-11-03 17:42:27 -0700	[diff] [blame]	77	}
				78
Steven Moreland	7185a89	2019-01-09 18:00:05 -0800	[diff] [blame^]	79	bool AccessControl::checkPermission(const CallingContext& source, const char targetContext, const char perm, const char *interface) {
				80	if (!source.sidPresent) {
Martijn Coenen	7ce83be	2017-04-07 16:19:32 -0700	[diff] [blame]	81	return false;
				82	}
				83
Steven Moreland	4034c1c	2017-11-03 17:42:27 -0700	[diff] [blame]	84	bool allowed = false;
Steven Moreland	4034c1c	2017-11-03 17:42:27 -0700	[diff] [blame]	85
Steven Moreland	7185a89	2019-01-09 18:00:05 -0800	[diff] [blame^]	86	struct audit_data ad;
				87	ad.pid = source.pid;
				88	ad.sid = source.sid.c_str();
Martijn Coenen	7ce83be	2017-04-07 16:19:32 -0700	[diff] [blame]	89	ad.interfaceName = interface;
				90
Steven Moreland	7185a89	2019-01-09 18:00:05 -0800	[diff] [blame^]	91	allowed = (selinux_check_access(source.sid.c_str(), targetContext, "hwservice_manager",
Martijn Coenen	7ce83be	2017-04-07 16:19:32 -0700	[diff] [blame]	92	perm, (void *) &ad) == 0);
				93
Martijn Coenen	7ce83be	2017-04-07 16:19:32 -0700	[diff] [blame]	94	return allowed;
				95	}
				96
Steven Moreland	7185a89	2019-01-09 18:00:05 -0800	[diff] [blame^]	97	bool AccessControl::checkPermission(const CallingContext& source, const char perm, const char interface) {
Yi Kong	00892ee	2018-07-31 16:50:28 -0700	[diff] [blame]	98	char *targetContext = nullptr;
Martijn Coenen	7ce83be	2017-04-07 16:19:32 -0700	[diff] [blame]	99	bool allowed = false;
				100
				101	// Lookup service in hwservice_contexts
				102	if (selabel_lookup(mSeHandle, &targetContext, interface, 0) != 0) {
				103	ALOGE("No match for interface %s in hwservice_contexts", interface);
				104	return false;
				105	}
				106
Steven Moreland	7185a89	2019-01-09 18:00:05 -0800	[diff] [blame^]	107	allowed = checkPermission(source, targetContext, perm, interface);
Martijn Coenen	7ce83be	2017-04-07 16:19:32 -0700	[diff] [blame]	108
				109	freecon(targetContext);
				110
				111	return allowed;
				112	}
				113
				114	int AccessControl::auditCallback(void data, security_class_t /cls/, char buf, size_t len) {
				115	struct audit_data ad = (struct audit_data )data;
				116
				117	if (!ad \|\| !ad->interfaceName) {
				118	ALOGE("No valid hwservicemanager audit data");
				119	return 0;
				120	}
				121
Steven Moreland	7185a89	2019-01-09 18:00:05 -0800	[diff] [blame^]	122	const char* sid = ad->sid ? ad->sid : "N/A";
				123
				124	snprintf(buf, len, "interface=%s sid=%s pid=%d", ad->interfaceName, sid, ad->pid);
Martijn Coenen	7ce83be	2017-04-07 16:19:32 -0700	[diff] [blame]	125	return 0;
				126	}
				127
				128	} // namespace android