- #define LOG_TAG "hwservicemanager"
- #include <android-base/logging.h>
- #include <hidl-util/FQName.h>
- #include <log/log.h>
- #include "AccessControl.h"
- namespace android {
- static const char *kPermissionAdd = "add";
- static const char *kPermissionGet = "find";
- static const char *kPermissionList = "list";
- struct audit_data {
- const char* interfaceName;
- const char* sid;
- pid_t pid;
- };
- using android::FQName;
- AccessControl::AccessControl() {
- mSeHandle = selinux_android_hw_service_context_handle();
- LOG_ALWAYS_FATAL_IF(mSeHandle == nullptr, "Failed to acquire SELinux handle.");
- if (getcon(&mSeContext) != 0) {
- LOG_ALWAYS_FATAL("Failed to acquire hwservicemanager context.");
- }
- selinux_status_open(true);
- mSeCallbacks.func_audit = AccessControl::auditCallback;
- selinux_set_callback(SELINUX_CB_AUDIT, mSeCallbacks);
- mSeCallbacks.func_log = selinux_log_callback;
- selinux_set_callback(SELINUX_CB_LOG, mSeCallbacks);
- }
- bool AccessControl::canAdd(const std::string& fqName, const CallingContext& callingContext) {
- FQName fqIface;
- if (!FQName::parse(fqName, &fqIface)) {
- return false;
- }
- const std::string checkName = fqIface.package() + "::" + fqIface.name();
- return checkPermission(callingContext, kPermissionAdd, checkName.c_str());
- }
- bool AccessControl::canGet(const std::string& fqName, const CallingContext& callingContext) {
- FQName fqIface;
- if (!FQName::parse(fqName, &fqIface)) {
- return false;
- }
- const std::string checkName = fqIface.package() + "::" + fqIface.name();
- return checkPermission(callingContext, kPermissionGet, checkName.c_str());
- }
- bool AccessControl::canList(const CallingContext& callingContext) {
- return checkPermission(callingContext, mSeContext, kPermissionList, nullptr);
- }
- AccessControl::CallingContext AccessControl::getCallingContext(pid_t sourcePid) {
- char *sourceContext = nullptr;
- if (getpidcon(sourcePid, &sourceContext) < 0) {
- ALOGE("SELinux: failed to retrieve process context for pid %d", sourcePid);
- return { false, "", sourcePid };
- }
- std::string context = sourceContext;
- freecon(sourceContext);
- return { true, context, sourcePid };
- }
- bool AccessControl::checkPermission(const CallingContext& source, const char *targetContext, const char *perm, const char *interface) {
- if (!source.sidPresent) {
- return false;
- }
- bool allowed = false;
- struct audit_data ad;
- ad.pid = source.pid;
- ad.sid = source.sid.c_str();
- ad.interfaceName = interface;
- allowed = (selinux_check_access(source.sid.c_str(), targetContext, "hwservice_manager",
- perm, (void *) &ad) == 0);
- return allowed;
- }
- bool AccessControl::checkPermission(const CallingContext& source, const char *perm, const char *interface) {
- char *targetContext = nullptr;
- bool allowed = false;
-
- if (selabel_lookup(mSeHandle, &targetContext, interface, 0) != 0) {
- ALOGE("No match for interface %s in hwservice_contexts", interface);
- return false;
- }
- allowed = checkPermission(source, targetContext, perm, interface);
- freecon(targetContext);
- return allowed;
- }
- int AccessControl::auditCallback(void *data, security_class_t , char *buf, size_t len) {
- struct audit_data *ad = (struct audit_data *)data;
- if (!ad || !ad->interfaceName) {
- ALOGE("No valid hwservicemanager audit data");
- return 0;
- }
- const char* sid = ad->sid ? ad->sid : "N/A";
- snprintf(buf, len, "interface=%s sid=%s pid=%d", ad->interfaceName, sid, ad->pid);
- return 0;
- }
- }