Merge "Implement SID API"

commit: c1a5b07fc751d9a272cac71413f7e08da1d59c33 [log] [tgz]
author: Andres Morales <anmorales@google.com> Thu Apr 16 22:16:58 2015 +0000
committer: Android (Google) Code Review <android-gerrit@google.com> Thu Apr 16 22:16:58 2015 +0000
tree: 7f27d2bb5a223f9083157ee95255df61c91f8fde
parent: 41cdf55a9efe4f9c21c73ba7645b9cf6bfa970d0 [diff]
parent: 796178e0c465bb16341793d1e9b7b381b9e639fb [diff]
diff --git a/gatekeeperd/Android.mk b/gatekeeperd/Android.mk
index 1953672..f743cc3 100644
--- a/gatekeeperd/Android.mk
+++ b/gatekeeperd/Android.mk

@@ -26,4 +26,6 @@
 	libhardware \
 	libutils \
 	libkeystore_binder
+LOCAL_C_INCLUDES := \
+	system/gatekeeper/include
 include $(BUILD_EXECUTABLE)

diff --git a/gatekeeperd/IGateKeeperService.cpp b/gatekeeperd/IGateKeeperService.cpp
index b1e4811..d4ed533 100644
--- a/gatekeeperd/IGateKeeperService.cpp
+++ b/gatekeeperd/IGateKeeperService.cpp

@@ -115,6 +115,14 @@
             }
             return NO_ERROR;
         }
+        case GET_SECURE_USER_ID: {
+            CHECK_INTERFACE(IGateKeeperService, data, reply);
+            uint32_t uid = data.readInt32();
+            uint64_t sid = getSecureUserId(uid);
+            reply->writeNoException();
+            reply->writeInt64(sid);
+            return NO_ERROR;
+        }
         default:
             return BBinder::onTransact(code, data, reply, flags);
     }

diff --git a/gatekeeperd/IGateKeeperService.h b/gatekeeperd/IGateKeeperService.h
index 10b1b43..51e179d 100644
--- a/gatekeeperd/IGateKeeperService.h
+++ b/gatekeeperd/IGateKeeperService.h

@@ -31,6 +31,7 @@
         ENROLL = IBinder::FIRST_CALL_TRANSACTION + 0,
         VERIFY = IBinder::FIRST_CALL_TRANSACTION + 1,
         VERIFY_CHALLENGE = IBinder::FIRST_CALL_TRANSACTION + 2,
+        GET_SECURE_USER_ID = IBinder::FIRST_CALL_TRANSACTION + 3,
     };
 
     // DECLARE_META_INTERFACE - C++ client interface not needed
@@ -64,6 +65,11 @@
             const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
             const uint8_t *provided_password, uint32_t provided_password_length,
             uint8_t **auth_token, uint32_t *auth_token_length) = 0;
+
+    /**
+     * Returns the secure user ID for the provided android user
+     */
+    virtual uint64_t getSecureUserId(uint32_t uid) = 0;
 };
 
 // ----------------------------------------------------------------------------

diff --git a/gatekeeperd/gatekeeperd.cpp b/gatekeeperd/gatekeeperd.cpp
index d59e6fe..82aa422 100644
--- a/gatekeeperd/gatekeeperd.cpp
+++ b/gatekeeperd/gatekeeperd.cpp

@@ -18,6 +18,12 @@
 
 #include "IGateKeeperService.h"
 
+#include <errno.h>
+#include <stdint.h>
+#include <inttypes.h>
+#include <fcntl.h>
+#include <unistd.h>
+
 #include <cutils/log.h>
 #include <utils/Log.h>
 
@@ -28,7 +34,9 @@
 
 #include <keystore/IKeystoreService.h>
 #include <keystore/keystore.h> // For error code
+#include <gatekeeper/password_handle.h> // for password_handle_t
 #include <hardware/gatekeeper.h>
+#include <hardware/hw_auth_token.h>
 
 namespace android {
 
@@ -50,6 +58,36 @@
         gatekeeper_close(device);
     }
 
+    void store_sid(uint32_t uid, uint64_t sid) {
+        char filename[21];
+        sprintf(filename, "%u", uid);
+        int fd = open(filename, O_WRONLY | O_TRUNC | O_CREAT, S_IRUSR | S_IWUSR);
+        if (fd < 0) {
+            ALOGW("could not open file: %s: %s", filename, strerror(errno));
+            return;
+        }
+        write(fd, &sid, sizeof(sid));
+        close(fd);
+    }
+
+    void maybe_store_sid(uint32_t uid, uint64_t sid) {
+        char filename[21];
+        sprintf(filename, "%u", uid);
+        if (access(filename, F_OK) == -1) {
+            store_sid(uid, sid);
+        }
+    }
+
+    uint64_t read_sid(uint32_t uid) {
+        char filename[21];
+        uint64_t sid;
+        sprintf(filename, "%u", uid);
+        int fd = open(filename, O_RDONLY);
+        if (fd < 0) return 0;
+        read(fd, &sid, sizeof(sid));
+        return sid;
+    }
+
     virtual status_t enroll(uint32_t uid,
             const uint8_t *current_password_handle, uint32_t current_password_handle_length,
             const uint8_t *current_password, uint32_t current_password_length,
@@ -69,7 +107,13 @@
                 current_password, current_password_length,
                 desired_password, desired_password_length,
                 enrolled_password_handle, enrolled_password_handle_length);
-        return ret >= 0 ? NO_ERROR : UNKNOWN_ERROR;
+        if (ret >= 0) {
+            gatekeeper::password_handle_t *handle =
+                    reinterpret_cast<gatekeeper::password_handle_t *>(*enrolled_password_handle);
+            store_sid(uid, handle->user_id);
+            return NO_ERROR;
+        }
+        return UNKNOWN_ERROR;
     }
 
     virtual status_t verify(uint32_t uid,
@@ -116,7 +160,17 @@
             }
         }
 
-        return ret >= 0 ? NO_ERROR : UNKNOWN_ERROR;
+        if (ret >= 0) {
+            maybe_store_sid(uid, reinterpret_cast<const gatekeeper::password_handle_t *>(
+                        enrolled_password_handle)->user_id);
+            return NO_ERROR;
+        }
+
+        return UNKNOWN_ERROR;
+    }
+
+    virtual uint64_t getSecureUserId(uint32_t uid) {
+        return read_sid(uid);
     }
 
     virtual status_t dump(int fd, const Vector<String16> &) {
@@ -144,8 +198,17 @@
 };
 }// namespace android
 
-int main() {
+int main(int argc, char* argv[]) {
     ALOGI("Starting gatekeeperd...");
+    if (argc < 2) {
+        ALOGE("A directory must be specified!");
+        return 1;
+    }
+    if (chdir(argv[1]) == -1) {
+        ALOGE("chdir: %s: %s", argv[1], strerror(errno));
+        return 1;
+    }
+
     android::sp<android::IServiceManager> sm = android::defaultServiceManager();
     android::sp<android::GateKeeperProxy> proxy = new android::GateKeeperProxy();
     android::status_t ret = sm->addService(

diff --git a/rootdir/init.rc b/rootdir/init.rc
index 65f126f..79f635f 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc

@@ -254,6 +254,7 @@
     mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack
     mkdir /data/misc/bluetooth 0770 system system
     mkdir /data/misc/keystore 0700 keystore keystore
+    mkdir /data/misc/gatekeeper 0700 system system
     mkdir /data/misc/keychain 0771 system system
     mkdir /data/misc/net 0750 root shell
     mkdir /data/misc/radio 0770 system radio
@@ -609,7 +610,7 @@
     disabled
     oneshot
 
-service gatekeeperd /system/bin/gatekeeperd
+service gatekeeperd /system/bin/gatekeeperd /data/misc/gatekeeper
     class main
     user system
commit	c1a5b07fc751d9a272cac71413f7e08da1d59c33	[log] [tgz]
author	Andres Morales <anmorales@google.com>	Thu Apr 16 22:16:58 2015 +0000
committer	Android (Google) Code Review <android-gerrit@google.com>	Thu Apr 16 22:16:58 2015 +0000
tree	7f27d2bb5a223f9083157ee95255df61c91f8fde
parent	41cdf55a9efe4f9c21c73ba7645b9cf6bfa970d0 [diff]
parent	796178e0c465bb16341793d1e9b7b381b9e639fb [diff]