Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit c3239859 authored by Ken Chen's avatar Ken Chen
Browse files

Check security context in CA certificate injection 

For binder clients trying to inject CA certificates, DNS resolver not
only checks its uid, but also security context. The purpose of these is
to reduce the possibility of certificate injection being misused except
for tests.

Bug: 162055050
Test: atest
      resolv_integration_test:ResolverTest#PermissionCheckOnCertificateInjection
Change-Id: I75bcf852d147b72c9045ec15ed3cb9684579fe3c
parent 957333d2

DnsResolverService.cpp

+38 −8
Original line number Original line Diff line number Diff line
@@ -24,6 +24,7 @@ 
#include <BinderUtil.h>

#include <BinderUtil.h>

#include <android-base/stringprintf.h>

#include <android-base/stringprintf.h>

#include <android-base/strings.h>

#include <android-base/strings.h>

#include <android/binder_ibinder_platform.h>

#include <android/binder_manager.h>

#include <android/binder_manager.h>

#include <android/binder_process.h>

#include <android/binder_process.h>

#include <netdutils/DumpWriter.h>

#include <netdutils/DumpWriter.h>
@@ -82,8 +83,10 @@ binder_status_t DnsResolverService::start() { 
    // NetdNativeService does call disableBackgroundScheduling currently, so it is fine now.

    // NetdNativeService does call disableBackgroundScheduling currently, so it is fine now.

    std::shared_ptr<DnsResolverService> resolverService =

    std::shared_ptr<DnsResolverService> resolverService =

            ::ndk::SharedRefBase::make<DnsResolverService>();

            ::ndk::SharedRefBase::make<DnsResolverService>();

    binder_status_t status =

    auto binder = resolverService->asBinder();

            AServiceManager_addService(resolverService->asBinder().get(), getServiceName());



    if (AIBinder_setRequestingSid) AIBinder_setRequestingSid(binder.get(), true);

    binder_status_t status = AServiceManager_addService(binder.get(), getServiceName());

    if (status != STATUS_OK) {

    if (status != STATUS_OK) {

        return status;

        return status;

    }

    }
@@ -173,18 +176,45 @@ binder_status_t DnsResolverService::dump(int fd, const char** args, uint32_t num 
    return ::ndk::ScopedAStatus(AStatus_fromExceptionCodeWithMessage(EX_SECURITY, err.c_str()));

    return ::ndk::ScopedAStatus(AStatus_fromExceptionCodeWithMessage(EX_SECURITY, err.c_str()));

}

}





namespace {



constexpr char SELINUX_LABEL_SU[] = "u:r:su:s0";



inline bool isRootSecurityContext(const char* sid) {

    // Type su is used for su processes, as well as for adbd and adb shell after performing an adb

    // root command.

    return !strcmp(sid, SELINUX_LABEL_SU);

}



::ndk::ScopedAStatus checkCaCertificatePermission() {

    uid_t uid = AIBinder_getCallingUid();

    if (uid != AID_ROOT) {

        auto err = StringPrintf("UID %d is not authorized to set CA certificate", uid);

        return ::ndk::ScopedAStatus(AStatus_fromExceptionCodeWithMessage(EX_SECURITY, err.c_str()));

    }

    // Check security context if it is supported by platform

    if (!AIBinder_getCallingSid) {

        return ::ndk::ScopedAStatus(AStatus_newOk());

    }

    const char* sid = AIBinder_getCallingSid();

    if (!sid || !isRootSecurityContext(sid)) {

        auto err = StringPrintf("sid %s is not authorized to set CA certificate", sid);

        return ::ndk::ScopedAStatus(AStatus_fromExceptionCodeWithMessage(EX_SECURITY, err.c_str()));

    }

    return ::ndk::ScopedAStatus(AStatus_newOk());

}



}  // namespace



::ndk::ScopedAStatus DnsResolverService::setResolverConfiguration(

::ndk::ScopedAStatus DnsResolverService::setResolverConfiguration(

        const ResolverParamsParcel& resolverParams) {

        const ResolverParamsParcel& resolverParams) {

    // Locking happens in PrivateDnsConfiguration and res_* functions.

    // Locking happens in PrivateDnsConfiguration and res_* functions.

    ENFORCE_INTERNAL_PERMISSIONS();

    ENFORCE_INTERNAL_PERMISSIONS();





    // TODO@: Switch to selinux based permission check if AIBinder_getCallingSid and

    //        AIBinder_setRequestingSid can be supported by libbinder_dnk (b/159135973).

    uid_t uid = AIBinder_getCallingUid();

    // CAUTION: caCertificate should NOT be used except for internal testing.

    // CAUTION: caCertificate should NOT be used except for internal testing.

    if (resolverParams.caCertificate.size() != 0 && uid != AID_ROOT) {

    if (resolverParams.caCertificate.size() != 0) {

        auto err = StringPrintf("UID %d is not authorized to set a non-empty CA certificate", uid);

        auto status = checkCaCertificatePermission();

        return ::ndk::ScopedAStatus(AStatus_fromExceptionCodeWithMessage(EX_SECURITY, err.c_str()));

        if (!status.isOk()) return status;

    }

    }





    // TODO: Remove this log after AIDL gen_log supporting more types, b/129732660

    // TODO: Remove this log after AIDL gen_log supporting more types, b/129732660