-rw-r--r-- | gatekeeperd/Android.mk | 7 | ||||
-rw-r--r-- | gatekeeperd/IUserManager.cpp | 57 | ||||
-rw-r--r-- | gatekeeperd/IUserManager.h | 46 | ||||
-rw-r--r-- | gatekeeperd/gatekeeperd.cpp | 17 | ||||
-rw-r--r-- | rootdir/init.rc | 17 | ||||
-rw-r--r-- | sdcard/sdcard.c | 8 |
6 files changed, 138 insertions, 14 deletions
diff --git a/gatekeeperd/Android.mk b/gatekeeperd/Android.mk index ce050ae..55b2d5e 100644 --- a/gatekeeperd/Android.mk +++ b/gatekeeperd/Android.mk @@ -18,7 +18,12 @@ LOCAL_PATH := $(call my-dir) include $(CLEAR_VARS) LOCAL_CFLAGS := -Wall -Wextra -Werror -Wunused -LOCAL_SRC_FILES := SoftGateKeeperDevice.cpp IGateKeeperService.cpp gatekeeperd.cpp +LOCAL_SRC_FILES := \ + SoftGateKeeperDevice.cpp \ + IGateKeeperService.cpp \ + gatekeeperd.cpp \ + IUserManager.cpp + LOCAL_MODULE := gatekeeperd LOCAL_SHARED_LIBRARIES := \ libbinder \ diff --git a/gatekeeperd/IUserManager.cpp b/gatekeeperd/IUserManager.cpp new file mode 100644 index 0000000..8645fc2 --- /dev/null +++ b/gatekeeperd/IUserManager.cpp 
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2015 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define LOG_TAG "IUserManager"
+#include <stdint.h>
+#include <sys/types.h>
+#include <utils/Log.h>
+#include <binder/Parcel.h>
+
+#include "IUserManager.h"
+
+namespace android {
+
+class BpUserManager : public BpInterface<IUserManager>
+{
+public:
+ BpUserManager(const sp<IBinder>& impl) :
+ BpInterface<IUserManager>(impl) {
+ }
+ virtual int32_t getCredentialOwnerProfile(int32_t user_id) {
+ Parcel data, reply;
+ data.writeInterfaceToken(IUserManager::getInterfaceDescriptor());
+ data.writeInt32(user_id);
+ status_t rc = remote()->transact(GET_CREDENTIAL_OWNER_PROFILE, data, &reply, 0);
+ if (rc != NO_ERROR) {
+ ALOGE("%s: failed (%d)\n", __func__, rc);
+ return -1;
+ }
+
+ int32_t exception = reply.readExceptionCode();
+ if (exception != 0) {
+ ALOGE("%s: got exception (%d)\n", __func__, exception);
+ return -1;
+ }
+
+ return reply.readInt32();
+ }
+
+};
+
+IMPLEMENT_META_INTERFACE(UserManager, "android.os.IUserManager");
+
+}; // namespace android
+
diff --git a/gatekeeperd/IUserManager.h b/gatekeeperd/IUserManager.h
new file mode 100644
index 0000000..640e9b5
--- /dev/null
+++ b/gatekeeperd/IUserManager.h
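Review bot: `return reply.readInt32();` at the end of getCredentialOwnerProfile cannot signal a short or malformed reply, because the value-returning overload yields 0 when the read fails, and 0 is a valid user id rather than the -1 this proxy uses for errors. The caller added in gatekeeperd.cpp treats only `parent < 0` as failure, so a bad reply would presumably resolve to user 0 and return that user's secure id. Use the status-returning overload instead: `int32_t owner; if (reply.readInt32(&owner) != NO_ERROR) return -1; return owner;`. The single-argument constructor could also be marked `explicit`.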
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2015 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef IUSERMANAGER_H_
+#define IUSERMANAGER_H_
+
+#include <inttypes.h>
+#include <utils/Errors.h>
+#include <binder/IInterface.h>
+#include <binder/Parcel.h>
+#include <utils/Vector.h>
+
+namespace android {
+
+/*
+* Communication channel to UserManager
+*/
+class IUserManager : public IInterface {
+ public:
+ // must be kept in sync with IUserManager.aidl
+ enum {
+ GET_CREDENTIAL_OWNER_PROFILE = IBinder::FIRST_CALL_TRANSACTION + 0,
+ };
+
+ virtual int32_t getCredentialOwnerProfile(int32_t user_id) = 0;
+
+ DECLARE_META_INTERFACE(UserManager);
+};
+
+}; // namespace android
+
+#endif // IUSERMANAGER_H_
+
diff --git a/gatekeeperd/gatekeeperd.cpp b/gatekeeperd/gatekeeperd.cpp
index 9788681..b4fdab0 100644
--- a/gatekeeperd/gatekeeperd.cpp
+++ b/gatekeeperd/gatekeeperd.cpp
@@ -40,6 +40,7 @@ #include <hardware/hw_auth_token.h> #include "SoftGateKeeperDevice.h" +#include "IUserManager.h" namespace android {
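Review bot: `GET_CREDENTIAL_OWNER_PROFILE = IBinder::FIRST_CALL_TRANSACTION + 0` hard-codes the transaction code that IUserManager.aidl is assumed to assign to this method, and nothing in the header enforces it; if the two drift, the proxy invokes a different UserManager call and reads its reply as a user id. The existing comment should name the property that must hold, e.g. `// getCredentialOwnerProfile must map to FIRST_CALL_TRANSACTION + 0 in IUserManager.aidl; a mismatch silently calls another method`. `<utils/Vector.h>` and `<binder/Parcel.h>` do not appear to be needed by anything declared in this header.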
@@ -263,7 +264,21 @@ public: } virtual uint64_t getSecureUserId(uint32_t uid) { - return read_sid(uid); + uint64_t sid = read_sid(uid); + if (sid == 0) { + // might be a work profile, look up the parent + sp<IServiceManager> sm = defaultServiceManager(); + sp<IBinder> binder = sm->getService(String16("user")); + sp<IUserManager> um = interface_cast<IUserManager>(binder); + int32_t parent = um->getCredentialOwnerProfile(uid); + if (parent < 0) { + return 0; + } else if (parent != (int32_t) uid) { + return read_sid(parent); + } + } + return sid; + } virtual void clearSecureUserId(uint32_t uid) { diff --git a/rootdir/init.rc b/rootdir/init.rc index a4e31a9..de143b7 100644 --- a/rootdir/init.rc +++ b/rootdir/init.rc @@ -69,16 +69,17 @@ on init # Storage views to support runtime permissions mkdir /storage 0755 root root - mkdir /mnt/runtime_default 0755 root root - mkdir /mnt/runtime_default/self 0755 root root - mkdir /mnt/runtime_read 0755 root root - mkdir /mnt/runtime_read/self 0755 root root - mkdir /mnt/runtime_write 0755 root root - mkdir /mnt/runtime_write/self 0755 root root + mkdir /mnt/runtime 0700 root root + mkdir /mnt/runtime/default 0755 root root + mkdir /mnt/runtime/default/self 0755 root root + mkdir /mnt/runtime/read 0755 root root + mkdir /mnt/runtime/read/self 0755 root root + mkdir /mnt/runtime/write 0755 root root + mkdir /mnt/runtime/write/self 0755 root root # Symlink to keep legacy apps working in multi-user world symlink /storage/self/primary /sdcard - symlink /mnt/user/0/primary /mnt/runtime_default/self/primary + symlink /mnt/user/0/primary /mnt/runtime/default/self/primary # memory control cgroup mkdir /dev/memcg 0700 root system 
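Review bot: `um->getCredentialOwnerProfile(uid)` in getSecureUserId is reached without checking that the "user" service lookup succeeded; if `getService` returns a null binder, `interface_cast` yields a null `sp` and gatekeeperd dereferences it. Add `if (um == NULL) return 0;` (ideally with an `ALOGE`) before the call, so a missing UserManager degrades to "no SID" instead of crashing the daemon. The call also passes the `uint32_t uid` into an `int32_t` parameter, and the `(int32_t) uid` comparison relies on the same narrowing; a short comment stating that user ids are expected to fit in `int32_t` would make that assumption explicit.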
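Review bot: `mkdir /mnt/runtime 0700 root root` makes the new parent traversable by root only while its children stay 0755, and the hunk carries no comment saying this is intended. A line such as `# /mnt/runtime is root-only; other processes reach these views through the bind mount on /storage` would record the reason, assuming that is the intent. The rename also has to land together with every consumer of the old `/mnt/runtime_*` paths; this diff updates init.rc and sdcard.c, and any other component that hard-codes them is outside what is shown here.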
@@ -230,7 +231,7 @@ on post-fs # Mount shared so changes propagate into child namespaces mount rootfs rootfs / shared rec # Mount default storage into root namespace - mount none /mnt/runtime_default /storage slave bind rec + mount none /mnt/runtime/default /storage slave bind rec # We chown/chmod /cache again so because mount is run as root + defaults chown system cache /cache diff --git a/sdcard/sdcard.c b/sdcard/sdcard.c index 41bf045..a79e2dd 100644 --- a/sdcard/sdcard.c +++ b/sdcard/sdcard.c @@ -1735,7 +1735,7 @@ static int usage() { " -g: specify GID to run as\n" " -U: specify user ID that owns device\n" " -m: source_path is multi-user\n" - " -w: runtime_write mount has full write access\n" + " -w: runtime write mount has full write access\n" "\n"); return 1; } @@ -1822,9 +1822,9 @@ static void run(const char* source_path, const char* label, uid_t uid, global.fuse_read = &fuse_read; global.fuse_write = &fuse_write; - snprintf(fuse_default.dest_path, PATH_MAX, "/mnt/runtime_default/%s", label); - snprintf(fuse_read.dest_path, PATH_MAX, "/mnt/runtime_read/%s", label); - snprintf(fuse_write.dest_path, PATH_MAX, "/mnt/runtime_write/%s", label); + snprintf(fuse_default.dest_path, PATH_MAX, "/mnt/runtime/default/%s", label); + snprintf(fuse_read.dest_path, PATH_MAX, "/mnt/runtime/read/%s", label); + snprintf(fuse_write.dest_path, PATH_MAX, "/mnt/runtime/write/%s", label); handler_default.fuse = &fuse_default; handler_read.fuse = &fuse_read; |