platform_system_security/keystore/permissions.h
Janis Danisevskis af7783f735 Fix multiple issues with the keystore grant mechanism
1. Ungrant did not check the callers uid which allowed any caller
   to remove grants to any key.
2. Grants were not removed when a key was deleted.
3. clean_uid did not clear the grant cache of the target uid.
   This would leave state grants that could have been used
   by a new app that happend to get the same uid as the one
   that was previously uninstalled.
4. Various paths did not respect grants: del, exist, getmtime
   The del path was particularly awkward because it is required
   by upgradeKeyBlob. This means it must work when a key that needs
   upgrading is accessed through a grant alias.

Bug: 65851049
Merged-In: I6709b7562d47ad6156bee88a9e2d961f8a4a797d
Change-Id: I6709b7562d47ad6156bee88a9e2d961f8a4a797d
2017-10-02 09:58:04 -07:00

112 lines
3.6 KiB
C

/*
* Copyright (C) 2016 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef KEYSTORE_PERMISSIONS_H_
#define KEYSTORE_PERMISSIONS_H_
#include <unistd.h>
/* Here are the permissions, actions, users, and the main function. */
enum perm_t {
P_GET_STATE = 1 << 0,
P_GET = 1 << 1,
P_INSERT = 1 << 2,
P_DELETE = 1 << 3,
P_EXIST = 1 << 4,
P_LIST = 1 << 5,
P_RESET = 1 << 6,
P_PASSWORD = 1 << 7,
P_LOCK = 1 << 8,
P_UNLOCK = 1 << 9,
P_IS_EMPTY = 1 << 10,
P_SIGN = 1 << 11,
P_VERIFY = 1 << 12,
P_GRANT = 1 << 13,
P_DUPLICATE = 1 << 14,
P_CLEAR_UID = 1 << 15,
P_ADD_AUTH = 1 << 16,
P_USER_CHANGED = 1 << 17,
P_GEN_UNIQUE_ID = 1 << 18,
};
const char* get_perm_label(perm_t perm);
/**
* Returns the UID that the callingUid should act as. This is here for
* legacy support of the WiFi and VPN systems and should be removed
* when WiFi can operate in its own namespace.
*/
uid_t get_keystore_euid(uid_t uid);
bool has_permission(uid_t uid, perm_t perm, pid_t spid);
/**
* Returns true if the callingUid is allowed to interact in the targetUid's
* namespace.
*/
bool is_granted_to(uid_t callingUid, uid_t targetUid);
int configure_selinux();
/*
* Keystore grants.
*
* What are keystore grants?
*
* Keystore grants are a mechanism that allows an app to grant the permission to use one of its
* keys to an other app.
*
* Liftime of a grant:
*
* A keystore grant is ephemeral in that is never persistently stored. When the keystore process
* exits, all grants are lost. Also, grants can be explicitly revoked by the granter by invoking
* the ungrant operation.
*
* What happens when a grant is created?
*
* The grant operation expects a valid key alias and the uid of the grantee, i.e., the app that
* shall be allowed to use the key denoted by the alias. It then makes an entry in the grant store
* which generates a new alias of the form <alias>_KEYSTOREGRANT_<random_grant_no_>. This grant
* alias is returned to the caller which can pass the new alias to the grantee. For every grantee,
* the grant store keeps a set of grants, an entry of which holds the following information:
* - the owner of the key by uid, aka granter uid,
* - the original alias of the granted key, and
* - the random grant number.
* (See "grant_store.h:class Grant")
*
* What happens when a grant is used?
*
* Upon any keystore operation that expects an alias, the alias and the caller's uid are used
* to retrieve a key file. If that fails some operations try to retrieve a key file indirectly
* through a grant. These operations include:
* - attestKey
* - begin
* - exportKey
* - get
* - getKeyCharacteristics
* - del
* - exist
* - getmtime
* Operations that DO NOT follow the grant indirection are:
* - import
* - generate
* - grant
* - ungrant
* Especially, the latter two mean that neither can a grantee transitively grant a granted key
* to a third, nor can they relinquish access to the key or revoke access to the key by a third.
*/
#endif // KEYSTORE_PERMISSIONS_H_