f15b30a47c
* commit '9f12f80d4af350789a64f5c30531ce790d9b6ea3': Add SELinux checks when adding a service.
379 lines
9.5 KiB
C
379 lines
9.5 KiB
C
/* Copyright 2008 The Android Open Source Project
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <errno.h>
|
|
#include <fcntl.h>
|
|
|
|
#include <private/android_filesystem_config.h>
|
|
|
|
#include <selinux/android.h>
|
|
|
|
#include "binder.h"
|
|
|
|
#if 0
|
|
#define ALOGI(x...) fprintf(stderr, "svcmgr: " x)
|
|
#define ALOGE(x...) fprintf(stderr, "svcmgr: " x)
|
|
#else
|
|
#define LOG_TAG "ServiceManager"
|
|
#include <cutils/log.h>
|
|
#endif
|
|
|
|
/* TODO:
|
|
* These should come from a config file or perhaps be
|
|
* based on some namespace rules of some sort (media
|
|
* uid can register media.*, etc)
|
|
*/
|
|
static struct {
|
|
uid_t uid;
|
|
const char *name;
|
|
} allowed[] = {
|
|
{ AID_MEDIA, "media.audio_flinger" },
|
|
{ AID_MEDIA, "media.log" },
|
|
{ AID_MEDIA, "media.player" },
|
|
{ AID_MEDIA, "media.camera" },
|
|
{ AID_MEDIA, "media.audio_policy" },
|
|
{ AID_MEDIA, "media.sound_trigger_hw" },
|
|
{ AID_AUDIO, "audio" },
|
|
{ AID_INPUT, "input" },
|
|
{ AID_DRM, "drm.drmManager" },
|
|
{ AID_NFC, "nfc" },
|
|
{ AID_BLUETOOTH, "bluetooth" },
|
|
{ AID_RADIO, "radio.phone" },
|
|
{ AID_RADIO, "radio.sms" },
|
|
{ AID_RADIO, "radio.phonesubinfo" },
|
|
{ AID_RADIO, "radio.simphonebook" },
|
|
/* TODO: remove after phone services are updated: */
|
|
{ AID_RADIO, "phone" },
|
|
{ AID_RADIO, "sip" },
|
|
{ AID_RADIO, "isms" },
|
|
{ AID_RADIO, "iphonesubinfo" },
|
|
{ AID_RADIO, "simphonebook" },
|
|
{ AID_MEDIA, "common_time.clock" },
|
|
{ AID_MEDIA, "common_time.config" },
|
|
{ AID_KEYSTORE, "android.security.keystore" },
|
|
{ AID_RADIO, "telecomm" },
|
|
};
|
|
|
|
uint32_t svcmgr_handle;
|
|
|
|
const char *str8(const uint16_t *x)
|
|
{
|
|
static char buf[128];
|
|
unsigned max = 127;
|
|
char *p = buf;
|
|
|
|
if (x) {
|
|
while (*x && max--) {
|
|
*p++ = *x++;
|
|
}
|
|
}
|
|
*p++ = 0;
|
|
return buf;
|
|
}
|
|
|
|
int str16eq(const uint16_t *a, const char *b)
|
|
{
|
|
while (*a && *b)
|
|
if (*a++ != *b++) return 0;
|
|
if (*a || *b)
|
|
return 0;
|
|
return 1;
|
|
}
|
|
|
|
static struct selabel_handle* sehandle;
|
|
|
|
static bool check_mac_perms(const char *name, pid_t spid)
|
|
{
|
|
if (is_selinux_enabled() <= 0) {
|
|
return true;
|
|
}
|
|
|
|
bool allowed = false;
|
|
|
|
const char *class = "service_manager";
|
|
const char *perm = "add";
|
|
|
|
char *tctx = NULL;
|
|
char *sctx = NULL;
|
|
|
|
if (!sehandle) {
|
|
ALOGE("SELinux: Failed to find sehandle %s.\n", name);
|
|
return false;
|
|
}
|
|
|
|
if (getpidcon(spid, &sctx) < 0) {
|
|
ALOGE("SELinux: getpidcon failed to retrieve pid context.\n");
|
|
return false;
|
|
}
|
|
|
|
if (!sctx) {
|
|
ALOGE("SELinux: Failed to find sctx for %s.\n", name);
|
|
return false;
|
|
}
|
|
|
|
if (selabel_lookup(sehandle, &tctx, name, 1) != 0) {
|
|
ALOGE("SELinux: selabel_lookup failed to set tctx for %s.\n", name);
|
|
freecon(sctx);
|
|
return false;
|
|
}
|
|
|
|
if (!tctx) {
|
|
ALOGE("SELinux: Failed to find tctx for %s.\n", name);
|
|
freecon(sctx);
|
|
return false;
|
|
}
|
|
|
|
int result = selinux_check_access(sctx, tctx, class, perm, (void *) name);
|
|
allowed = (result == 0);
|
|
|
|
freecon(sctx);
|
|
freecon(tctx);
|
|
return allowed;
|
|
}
|
|
|
|
static int svc_can_register(uid_t uid, const uint16_t *name, pid_t spid)
|
|
{
|
|
size_t n;
|
|
|
|
if ((uid == 0) || (uid == AID_SYSTEM))
|
|
return check_mac_perms(str8(name), spid) ? 1 : 0;
|
|
|
|
for (n = 0; n < sizeof(allowed) / sizeof(allowed[0]); n++)
|
|
if ((uid == allowed[n].uid) && str16eq(name, allowed[n].name))
|
|
return check_mac_perms(str8(name), spid) ? 1 : 0;
|
|
|
|
return 0;
|
|
}
|
|
|
|
struct svcinfo
|
|
{
|
|
struct svcinfo *next;
|
|
uint32_t handle;
|
|
struct binder_death death;
|
|
int allow_isolated;
|
|
size_t len;
|
|
uint16_t name[0];
|
|
};
|
|
|
|
struct svcinfo *svclist = NULL;
|
|
|
|
struct svcinfo *find_svc(const uint16_t *s16, size_t len)
|
|
{
|
|
struct svcinfo *si;
|
|
|
|
for (si = svclist; si; si = si->next) {
|
|
if ((len == si->len) &&
|
|
!memcmp(s16, si->name, len * sizeof(uint16_t))) {
|
|
return si;
|
|
}
|
|
}
|
|
return NULL;
|
|
}
|
|
|
|
void svcinfo_death(struct binder_state *bs, void *ptr)
|
|
{
|
|
struct svcinfo *si = (struct svcinfo* ) ptr;
|
|
|
|
ALOGI("service '%s' died\n", str8(si->name));
|
|
if (si->handle) {
|
|
binder_release(bs, si->handle);
|
|
si->handle = 0;
|
|
}
|
|
}
|
|
|
|
uint16_t svcmgr_id[] = {
|
|
'a','n','d','r','o','i','d','.','o','s','.',
|
|
'I','S','e','r','v','i','c','e','M','a','n','a','g','e','r'
|
|
};
|
|
|
|
|
|
uint32_t do_find_service(struct binder_state *bs, const uint16_t *s, size_t len, uid_t uid)
|
|
{
|
|
struct svcinfo *si;
|
|
|
|
si = find_svc(s, len);
|
|
//ALOGI("check_service('%s') handle = %x\n", str8(s), si ? si->handle : 0);
|
|
if (si && si->handle) {
|
|
if (!si->allow_isolated) {
|
|
// If this service doesn't allow access from isolated processes,
|
|
// then check the uid to see if it is isolated.
|
|
uid_t appid = uid % AID_USER;
|
|
if (appid >= AID_ISOLATED_START && appid <= AID_ISOLATED_END) {
|
|
return 0;
|
|
}
|
|
}
|
|
return si->handle;
|
|
} else {
|
|
return 0;
|
|
}
|
|
}
|
|
|
|
int do_add_service(struct binder_state *bs,
|
|
const uint16_t *s, size_t len,
|
|
uint32_t handle, uid_t uid, int allow_isolated,
|
|
pid_t spid)
|
|
{
|
|
struct svcinfo *si;
|
|
|
|
//ALOGI("add_service('%s',%x,%s) uid=%d\n", str8(s), handle,
|
|
// allow_isolated ? "allow_isolated" : "!allow_isolated", uid);
|
|
|
|
if (!handle || (len == 0) || (len > 127))
|
|
return -1;
|
|
|
|
if (!svc_can_register(uid, s, spid)) {
|
|
ALOGE("add_service('%s',%x) uid=%d - PERMISSION DENIED\n",
|
|
str8(s), handle, uid);
|
|
return -1;
|
|
}
|
|
|
|
si = find_svc(s, len);
|
|
if (si) {
|
|
if (si->handle) {
|
|
ALOGE("add_service('%s',%x) uid=%d - ALREADY REGISTERED, OVERRIDE\n",
|
|
str8(s), handle, uid);
|
|
svcinfo_death(bs, si);
|
|
}
|
|
si->handle = handle;
|
|
} else {
|
|
si = malloc(sizeof(*si) + (len + 1) * sizeof(uint16_t));
|
|
if (!si) {
|
|
ALOGE("add_service('%s',%x) uid=%d - OUT OF MEMORY\n",
|
|
str8(s), handle, uid);
|
|
return -1;
|
|
}
|
|
si->handle = handle;
|
|
si->len = len;
|
|
memcpy(si->name, s, (len + 1) * sizeof(uint16_t));
|
|
si->name[len] = '\0';
|
|
si->death.func = (void*) svcinfo_death;
|
|
si->death.ptr = si;
|
|
si->allow_isolated = allow_isolated;
|
|
si->next = svclist;
|
|
svclist = si;
|
|
}
|
|
|
|
binder_acquire(bs, handle);
|
|
binder_link_to_death(bs, handle, &si->death);
|
|
return 0;
|
|
}
|
|
|
|
int svcmgr_handler(struct binder_state *bs,
|
|
struct binder_transaction_data *txn,
|
|
struct binder_io *msg,
|
|
struct binder_io *reply)
|
|
{
|
|
struct svcinfo *si;
|
|
uint16_t *s;
|
|
size_t len;
|
|
uint32_t handle;
|
|
uint32_t strict_policy;
|
|
int allow_isolated;
|
|
|
|
//ALOGI("target=%x code=%d pid=%d uid=%d\n",
|
|
// txn->target.handle, txn->code, txn->sender_pid, txn->sender_euid);
|
|
|
|
if (txn->target.handle != svcmgr_handle)
|
|
return -1;
|
|
|
|
if (txn->code == PING_TRANSACTION)
|
|
return 0;
|
|
|
|
// Equivalent to Parcel::enforceInterface(), reading the RPC
|
|
// header with the strict mode policy mask and the interface name.
|
|
// Note that we ignore the strict_policy and don't propagate it
|
|
// further (since we do no outbound RPCs anyway).
|
|
strict_policy = bio_get_uint32(msg);
|
|
s = bio_get_string16(msg, &len);
|
|
if ((len != (sizeof(svcmgr_id) / 2)) ||
|
|
memcmp(svcmgr_id, s, sizeof(svcmgr_id))) {
|
|
fprintf(stderr,"invalid id %s\n", str8(s));
|
|
return -1;
|
|
}
|
|
|
|
if (sehandle && selinux_status_updated() > 0) {
|
|
struct selabel_handle *tmp_sehandle = selinux_android_service_context_handle();
|
|
if (tmp_sehandle) {
|
|
selabel_close(sehandle);
|
|
sehandle = tmp_sehandle;
|
|
}
|
|
}
|
|
|
|
switch(txn->code) {
|
|
case SVC_MGR_GET_SERVICE:
|
|
case SVC_MGR_CHECK_SERVICE:
|
|
s = bio_get_string16(msg, &len);
|
|
handle = do_find_service(bs, s, len, txn->sender_euid);
|
|
if (!handle)
|
|
break;
|
|
bio_put_ref(reply, handle);
|
|
return 0;
|
|
|
|
case SVC_MGR_ADD_SERVICE:
|
|
s = bio_get_string16(msg, &len);
|
|
handle = bio_get_ref(msg);
|
|
allow_isolated = bio_get_uint32(msg) ? 1 : 0;
|
|
if (do_add_service(bs, s, len, handle, txn->sender_euid,
|
|
allow_isolated, txn->sender_pid))
|
|
return -1;
|
|
break;
|
|
|
|
case SVC_MGR_LIST_SERVICES: {
|
|
uint32_t n = bio_get_uint32(msg);
|
|
|
|
si = svclist;
|
|
while ((n-- > 0) && si)
|
|
si = si->next;
|
|
if (si) {
|
|
bio_put_string16(reply, si->name);
|
|
return 0;
|
|
}
|
|
return -1;
|
|
}
|
|
default:
|
|
ALOGE("unknown code %d\n", txn->code);
|
|
return -1;
|
|
}
|
|
|
|
bio_put_uint32(reply, 0);
|
|
return 0;
|
|
}
|
|
|
|
|
|
static int audit_callback(void *data, security_class_t cls, char *buf, size_t len)
|
|
{
|
|
snprintf(buf, len, "service=%s", !data ? "NULL" : (char *)data);
|
|
return 0;
|
|
}
|
|
|
|
int main(int argc, char **argv)
|
|
{
|
|
struct binder_state *bs;
|
|
|
|
bs = binder_open(128*1024);
|
|
if (!bs) {
|
|
ALOGE("failed to open binder driver\n");
|
|
return -1;
|
|
}
|
|
|
|
if (binder_become_context_manager(bs)) {
|
|
ALOGE("cannot become context manager (%s)\n", strerror(errno));
|
|
return -1;
|
|
}
|
|
|
|
sehandle = selinux_android_service_context_handle();
|
|
|
|
union selinux_callback cb;
|
|
cb.func_audit = audit_callback;
|
|
selinux_set_callback(SELINUX_CB_AUDIT, cb);
|
|
cb.func_log = selinux_log_callback;
|
|
selinux_set_callback(SELINUX_CB_LOG, cb);
|
|
|
|
svcmgr_handle = BINDER_SERVICE_MANAGER;
|
|
binder_loop(bs, svcmgr_handler);
|
|
|
|
return 0;
|
|
}
|