af7783f735
1. Ungrant did not check the callers uid which allowed any caller to remove grants to any key. 2. Grants were not removed when a key was deleted. 3. clean_uid did not clear the grant cache of the target uid. This would leave state grants that could have been used by a new app that happend to get the same uid as the one that was previously uninstalled. 4. Various paths did not respect grants: del, exist, getmtime The del path was particularly awkward because it is required by upgradeKeyBlob. This means it must work when a key that needs upgrading is accessed through a grant alias. Bug: 65851049 Merged-In: I6709b7562d47ad6156bee88a9e2d961f8a4a797d Change-Id: I6709b7562d47ad6156bee88a9e2d961f8a4a797d
112 lines
3.6 KiB
C
112 lines
3.6 KiB
C
/*
|
|
* Copyright (C) 2016 The Android Open Source Project
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
#ifndef KEYSTORE_PERMISSIONS_H_
|
|
#define KEYSTORE_PERMISSIONS_H_
|
|
|
|
#include <unistd.h>
|
|
|
|
/* Here are the permissions, actions, users, and the main function. */
|
|
enum perm_t {
|
|
P_GET_STATE = 1 << 0,
|
|
P_GET = 1 << 1,
|
|
P_INSERT = 1 << 2,
|
|
P_DELETE = 1 << 3,
|
|
P_EXIST = 1 << 4,
|
|
P_LIST = 1 << 5,
|
|
P_RESET = 1 << 6,
|
|
P_PASSWORD = 1 << 7,
|
|
P_LOCK = 1 << 8,
|
|
P_UNLOCK = 1 << 9,
|
|
P_IS_EMPTY = 1 << 10,
|
|
P_SIGN = 1 << 11,
|
|
P_VERIFY = 1 << 12,
|
|
P_GRANT = 1 << 13,
|
|
P_DUPLICATE = 1 << 14,
|
|
P_CLEAR_UID = 1 << 15,
|
|
P_ADD_AUTH = 1 << 16,
|
|
P_USER_CHANGED = 1 << 17,
|
|
P_GEN_UNIQUE_ID = 1 << 18,
|
|
};
|
|
|
|
const char* get_perm_label(perm_t perm);
|
|
|
|
/**
|
|
* Returns the UID that the callingUid should act as. This is here for
|
|
* legacy support of the WiFi and VPN systems and should be removed
|
|
* when WiFi can operate in its own namespace.
|
|
*/
|
|
uid_t get_keystore_euid(uid_t uid);
|
|
|
|
bool has_permission(uid_t uid, perm_t perm, pid_t spid);
|
|
|
|
/**
|
|
* Returns true if the callingUid is allowed to interact in the targetUid's
|
|
* namespace.
|
|
*/
|
|
bool is_granted_to(uid_t callingUid, uid_t targetUid);
|
|
|
|
int configure_selinux();
|
|
|
|
/*
|
|
* Keystore grants.
|
|
*
|
|
* What are keystore grants?
|
|
*
|
|
* Keystore grants are a mechanism that allows an app to grant the permission to use one of its
|
|
* keys to an other app.
|
|
*
|
|
* Liftime of a grant:
|
|
*
|
|
* A keystore grant is ephemeral in that is never persistently stored. When the keystore process
|
|
* exits, all grants are lost. Also, grants can be explicitly revoked by the granter by invoking
|
|
* the ungrant operation.
|
|
*
|
|
* What happens when a grant is created?
|
|
*
|
|
* The grant operation expects a valid key alias and the uid of the grantee, i.e., the app that
|
|
* shall be allowed to use the key denoted by the alias. It then makes an entry in the grant store
|
|
* which generates a new alias of the form <alias>_KEYSTOREGRANT_<random_grant_no_>. This grant
|
|
* alias is returned to the caller which can pass the new alias to the grantee. For every grantee,
|
|
* the grant store keeps a set of grants, an entry of which holds the following information:
|
|
* - the owner of the key by uid, aka granter uid,
|
|
* - the original alias of the granted key, and
|
|
* - the random grant number.
|
|
* (See "grant_store.h:class Grant")
|
|
*
|
|
* What happens when a grant is used?
|
|
*
|
|
* Upon any keystore operation that expects an alias, the alias and the caller's uid are used
|
|
* to retrieve a key file. If that fails some operations try to retrieve a key file indirectly
|
|
* through a grant. These operations include:
|
|
* - attestKey
|
|
* - begin
|
|
* - exportKey
|
|
* - get
|
|
* - getKeyCharacteristics
|
|
* - del
|
|
* - exist
|
|
* - getmtime
|
|
* Operations that DO NOT follow the grant indirection are:
|
|
* - import
|
|
* - generate
|
|
* - grant
|
|
* - ungrant
|
|
* Especially, the latter two mean that neither can a grantee transitively grant a granted key
|
|
* to a third, nor can they relinquish access to the key or revoke access to the key by a third.
|
|
*/
|
|
|
|
#endif // KEYSTORE_PERMISSIONS_H_
|