Merge "Implement SID API"

gatekeeperd/Android.mk

@@ -26,4 +26,6 @@ LOCAL_SHARED_LIBRARIES := \
 	libhardware \
 	libutils \
 	libkeystore_binder
+LOCAL_C_INCLUDES := \
+	system/gatekeeper/include
 include $(BUILD_EXECUTABLE)

gatekeeperd/IGateKeeperService.cpp

@@ -115,6 +115,14 @@ status_t BnGateKeeperService::onTransact(
             }
             return NO_ERROR;
         }
+        case GET_SECURE_USER_ID: {
+            CHECK_INTERFACE(IGateKeeperService, data, reply);
+            uint32_t uid = data.readInt32();
+            uint64_t sid = getSecureUserId(uid);
+            reply->writeNoException();
+            reply->writeInt64(sid);
+            return NO_ERROR;
+        }
         default:
             return BBinder::onTransact(code, data, reply, flags);
     }

gatekeeperd/IGateKeeperService.h

@@ -31,6 +31,7 @@ public:
         ENROLL = IBinder::FIRST_CALL_TRANSACTION + 0,
         VERIFY = IBinder::FIRST_CALL_TRANSACTION + 1,
         VERIFY_CHALLENGE = IBinder::FIRST_CALL_TRANSACTION + 2,
+        GET_SECURE_USER_ID = IBinder::FIRST_CALL_TRANSACTION + 3,
     };
 
     // DECLARE_META_INTERFACE - C++ client interface not needed
@@ -64,6 +65,11 @@ public:
             const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
             const uint8_t *provided_password, uint32_t provided_password_length,
             uint8_t **auth_token, uint32_t *auth_token_length) = 0;
+
+    /**
+     * Returns the secure user ID for the provided android user
+     */
+    virtual uint64_t getSecureUserId(uint32_t uid) = 0;
 };
 
 // ----------------------------------------------------------------------------

gatekeeperd/gatekeeperd.cpp

@@ -18,6 +18,12 @@
 
 #include "IGateKeeperService.h"
 
+#include <errno.h>
+#include <stdint.h>
+#include <inttypes.h>
+#include <fcntl.h>
+#include <unistd.h>
+
 #include <cutils/log.h>
 #include <utils/Log.h>
 
@@ -28,7 +34,9 @@
 
 #include <keystore/IKeystoreService.h>
 #include <keystore/keystore.h> // For error code
+#include <gatekeeper/password_handle.h> // for password_handle_t
 #include <hardware/gatekeeper.h>
+#include <hardware/hw_auth_token.h>
 
 namespace android {
 
@@ -50,6 +58,36 @@ public:
         gatekeeper_close(device);
     }
 
+    void store_sid(uint32_t uid, uint64_t sid) {
+        char filename[21];
+        sprintf(filename, "%u", uid);
+        int fd = open(filename, O_WRONLY | O_TRUNC | O_CREAT, S_IRUSR | S_IWUSR);
+        if (fd < 0) {
+            ALOGW("could not open file: %s: %s", filename, strerror(errno));
+            return;
+        }
+        write(fd, &sid, sizeof(sid));
+        close(fd);
+    }
+
+    void maybe_store_sid(uint32_t uid, uint64_t sid) {
+        char filename[21];
+        sprintf(filename, "%u", uid);
+        if (access(filename, F_OK) == -1) {
+            store_sid(uid, sid);
+        }
+    }
+
+    uint64_t read_sid(uint32_t uid) {
+        char filename[21];
+        uint64_t sid;
+        sprintf(filename, "%u", uid);
+        int fd = open(filename, O_RDONLY);
+        if (fd < 0) return 0;
+        read(fd, &sid, sizeof(sid));
+        return sid;
+    }
+
     virtual status_t enroll(uint32_t uid,
             const uint8_t *current_password_handle, uint32_t current_password_handle_length,
             const uint8_t *current_password, uint32_t current_password_length,
@@ -69,7 +107,13 @@ public:
                 current_password, current_password_length,
                 desired_password, desired_password_length,
                 enrolled_password_handle, enrolled_password_handle_length);
-        return ret >= 0 ? NO_ERROR : UNKNOWN_ERROR;
+        if (ret >= 0) {
+            gatekeeper::password_handle_t *handle =
+                    reinterpret_cast<gatekeeper::password_handle_t *>(*enrolled_password_handle);
+            store_sid(uid, handle->user_id);
+            return NO_ERROR;
+        }
+        return UNKNOWN_ERROR;
     }
 
     virtual status_t verify(uint32_t uid,
@@ -116,7 +160,17 @@ public:
             }
         }
 
-        return ret >= 0 ? NO_ERROR : UNKNOWN_ERROR;
+        if (ret >= 0) {
+            maybe_store_sid(uid, reinterpret_cast<const gatekeeper::password_handle_t *>(
+                        enrolled_password_handle)->user_id);
+            return NO_ERROR;
+        }
+
+        return UNKNOWN_ERROR;
+    }
+
+    virtual uint64_t getSecureUserId(uint32_t uid) {
+        return read_sid(uid);
     }
 
     virtual status_t dump(int fd, const Vector<String16> &) {
@@ -144,8 +198,17 @@ private:
 };
 }// namespace android
 
-int main() {
+int main(int argc, char* argv[]) {
     ALOGI("Starting gatekeeperd...");
+    if (argc < 2) {
+        ALOGE("A directory must be specified!");
+        return 1;
+    }
+    if (chdir(argv[1]) == -1) {
+        ALOGE("chdir: %s: %s", argv[1], strerror(errno));
+        return 1;
+    }
+
     android::sp<android::IServiceManager> sm = android::defaultServiceManager();
     android::sp<android::GateKeeperProxy> proxy = new android::GateKeeperProxy();
     android::status_t ret = sm->addService(

rootdir/init.rc

@@ -254,6 +254,7 @@ on post-fs-data
     mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack
     mkdir /data/misc/bluetooth 0770 system system
     mkdir /data/misc/keystore 0700 keystore keystore
+    mkdir /data/misc/gatekeeper 0700 system system
     mkdir /data/misc/keychain 0771 system system
     mkdir /data/misc/net 0750 root shell
     mkdir /data/misc/radio 0770 system radio
@@ -609,7 +610,7 @@ service bootanim /system/bin/bootanimation
     disabled
     oneshot
 
-service gatekeeperd /system/bin/gatekeeperd
+service gatekeeperd /system/bin/gatekeeperd /data/misc/gatekeeper
     class main
     user system