1 /*
2 * Copyright (C) 2010 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 //#define LOG_NDEBUG 0
18 #define LOG_TAG "DrmManagerService(Native)"
19 #include <utils/Log.h>
20
21 #include <private/android_filesystem_config.h>
22 #include <mediautils/MemoryLeakTrackUtil.h>
23
24 #include <errno.h>
25 #include <utils/threads.h>
26 #include <binder/IServiceManager.h>
27 #include <binder/IPCThreadState.h>
28 #include <sys/stat.h>
29 #include "DrmManagerService.h"
30 #include "DrmManager.h"
31
32 #include <selinux/android.h>
33
34 using namespace android;
35
36 static int selinux_enabled;
37 static char *drmserver_context;
38 static Vector<uid_t> trustedUids;
39
40 const char *const DrmManagerService::drm_perm_labels[] = {
41 "consumeRights",
42 "setPlaybackStatus",
43 "openDecryptSession",
44 "closeDecryptSession",
45 "initializeDecryptUnit",
46 "decrypt",
47 "finalizeDecryptUnit",
48 "pread"
49 };
50
get_perm_label(drm_perm_t perm)51 const char *DrmManagerService::get_perm_label(drm_perm_t perm) {
52 unsigned int index = perm;
53
54 if (index >= (sizeof(drm_perm_labels) / sizeof(drm_perm_labels[0]))) {
55 ALOGE("SELinux: Failed to retrieve permission label(perm=%d).\n", perm);
56 abort();
57 }
58 return drm_perm_labels[index];
59 }
60
selinuxIsProtectedCallAllowed(pid_t spid,const char * ssid,drm_perm_t perm)61 bool DrmManagerService::selinuxIsProtectedCallAllowed(pid_t spid, const char* ssid, drm_perm_t perm) {
62 if (selinux_enabled <= 0) {
63 return true;
64 }
65
66 char *sctx = NULL;
67 const char *selinux_class = "drmservice";
68 const char *str_perm = get_perm_label(perm);
69
70 if (ssid == NULL) {
71 android_errorWriteLog(0x534e4554, "121035042");
72
73 if (getpidcon(spid, &sctx) != 0) {
74 ALOGE("SELinux: getpidcon(pid=%d) failed.\n", spid);
75 return false;
76 }
77 }
78
79 bool allowed = (selinux_check_access(ssid ? ssid : sctx, drmserver_context,
80 selinux_class, str_perm, NULL) == 0);
81 freecon(sctx);
82
83 return allowed;
84 }
85
isProtectedCallAllowed(drm_perm_t perm)86 bool DrmManagerService::isProtectedCallAllowed(drm_perm_t perm) {
87 // TODO
88 // Following implementation is just for reference.
89 // Each OEM manufacturer should implement/replace with their own solutions.
90 IPCThreadState* ipcState = IPCThreadState::self();
91 uid_t uid = ipcState->getCallingUid();
92 pid_t spid = ipcState->getCallingPid();
93 const char* ssid = ipcState->getCallingSid();
94
95 for (unsigned int i = 0; i < trustedUids.size(); ++i) {
96 if (trustedUids[i] == uid) {
97 return selinuxIsProtectedCallAllowed(spid, ssid, perm);
98 }
99 }
100 return false;
101 }
102
instantiate()103 void DrmManagerService::instantiate() {
104 ALOGV("instantiate");
105 sp<DrmManagerService> service = new DrmManagerService();
106 service->setRequestingSid(true);
107 defaultServiceManager()->addService(String16("drm.drmManager"), service);
108
109 if (0 >= trustedUids.size()) {
110 // TODO
111 // Following implementation is just for reference.
112 // Each OEM manufacturer should implement/replace with their own solutions.
113
114 // Add trusted uids here
115 trustedUids.push(AID_MEDIA);
116 }
117
118 selinux_enabled = is_selinux_enabled();
119 if (selinux_enabled > 0 && getcon(&drmserver_context) != 0) {
120 ALOGE("SELinux: DrmManagerService failed to get context for DrmManagerService. Aborting.\n");
121 abort();
122 }
123
124 union selinux_callback cb;
125 cb.func_log = selinux_log_callback;
126 selinux_set_callback(SELINUX_CB_LOG, cb);
127 }
128
DrmManagerService()129 DrmManagerService::DrmManagerService() :
130 mDrmManager(NULL) {
131 ALOGV("created");
132 mDrmManager = new DrmManager();
133 mDrmManager->initMetricsLooper();
134 mDrmManager->loadPlugIns();
135 }
136
~DrmManagerService()137 DrmManagerService::~DrmManagerService() {
138 ALOGV("Destroyed");
139 mDrmManager->unloadPlugIns();
140 mDrmManager = NULL;
141 }
142
addUniqueId(bool isNative)143 int DrmManagerService::addUniqueId(bool isNative) {
144 return mDrmManager->addUniqueId(isNative);
145 }
146
removeUniqueId(int uniqueId)147 void DrmManagerService::removeUniqueId(int uniqueId) {
148 mDrmManager->removeUniqueId(uniqueId);
149 }
150
addClient(int uniqueId)151 void DrmManagerService::addClient(int uniqueId) {
152 mDrmManager->addClient(uniqueId);
153 }
154
removeClient(int uniqueId)155 void DrmManagerService::removeClient(int uniqueId) {
156 mDrmManager->removeClient(uniqueId);
157 }
158
setDrmServiceListener(int uniqueId,const sp<IDrmServiceListener> & drmServiceListener)159 status_t DrmManagerService::setDrmServiceListener(
160 int uniqueId, const sp<IDrmServiceListener>& drmServiceListener) {
161 ALOGV("Entering setDrmServiceListener");
162 mDrmManager->setDrmServiceListener(uniqueId, drmServiceListener);
163 return DRM_NO_ERROR;
164 }
165
getConstraints(int uniqueId,const String8 * path,const int action)166 DrmConstraints* DrmManagerService::getConstraints(
167 int uniqueId, const String8* path, const int action) {
168 ALOGV("Entering getConstraints from content");
169 return mDrmManager->getConstraints(uniqueId, path, action);
170 }
171
getMetadata(int uniqueId,const String8 * path)172 DrmMetadata* DrmManagerService::getMetadata(int uniqueId, const String8* path) {
173 ALOGV("Entering getMetadata from content");
174 return mDrmManager->getMetadata(uniqueId, path);
175 }
176
canHandle(int uniqueId,const String8 & path,const String8 & mimeType)177 bool DrmManagerService::canHandle(int uniqueId, const String8& path, const String8& mimeType) {
178 ALOGV("Entering canHandle");
179 return mDrmManager->canHandle(uniqueId, path, mimeType);
180 }
181
processDrmInfo(int uniqueId,const DrmInfo * drmInfo)182 DrmInfoStatus* DrmManagerService::processDrmInfo(int uniqueId, const DrmInfo* drmInfo) {
183 ALOGV("Entering processDrmInfo");
184 return mDrmManager->processDrmInfo(uniqueId, drmInfo);
185 }
186
acquireDrmInfo(int uniqueId,const DrmInfoRequest * drmInfoRequest)187 DrmInfo* DrmManagerService::acquireDrmInfo(int uniqueId, const DrmInfoRequest* drmInfoRequest) {
188 ALOGV("Entering acquireDrmInfo");
189 return mDrmManager->acquireDrmInfo(uniqueId, drmInfoRequest);
190 }
191
saveRights(int uniqueId,const DrmRights & drmRights,const String8 & rightsPath,const String8 & contentPath)192 status_t DrmManagerService::saveRights(
193 int uniqueId, const DrmRights& drmRights,
194 const String8& rightsPath, const String8& contentPath) {
195 ALOGV("Entering saveRights");
196 return mDrmManager->saveRights(uniqueId, drmRights, rightsPath, contentPath);
197 }
198
getOriginalMimeType(int uniqueId,const String8 & path,int fd)199 String8 DrmManagerService::getOriginalMimeType(int uniqueId, const String8& path, int fd) {
200 ALOGV("Entering getOriginalMimeType");
201 return mDrmManager->getOriginalMimeType(uniqueId, path, fd);
202 }
203
getDrmObjectType(int uniqueId,const String8 & path,const String8 & mimeType)204 int DrmManagerService::getDrmObjectType(
205 int uniqueId, const String8& path, const String8& mimeType) {
206 ALOGV("Entering getDrmObjectType");
207 return mDrmManager->getDrmObjectType(uniqueId, path, mimeType);
208 }
209
checkRightsStatus(int uniqueId,const String8 & path,int action)210 int DrmManagerService::checkRightsStatus(
211 int uniqueId, const String8& path, int action) {
212 ALOGV("Entering checkRightsStatus");
213 return mDrmManager->checkRightsStatus(uniqueId, path, action);
214 }
215
consumeRights(int uniqueId,sp<DecryptHandle> & decryptHandle,int action,bool reserve)216 status_t DrmManagerService::consumeRights(
217 int uniqueId, sp<DecryptHandle>& decryptHandle, int action, bool reserve) {
218 ALOGV("Entering consumeRights");
219 if (!isProtectedCallAllowed(CONSUME_RIGHTS)) {
220 return DRM_ERROR_NO_PERMISSION;
221 }
222 return mDrmManager->consumeRights(uniqueId, decryptHandle, action, reserve);
223 }
224
setPlaybackStatus(int uniqueId,sp<DecryptHandle> & decryptHandle,int playbackStatus,int64_t position)225 status_t DrmManagerService::setPlaybackStatus(
226 int uniqueId, sp<DecryptHandle>& decryptHandle, int playbackStatus, int64_t position) {
227 ALOGV("Entering setPlaybackStatus");
228 if (!isProtectedCallAllowed(SET_PLAYBACK_STATUS)) {
229 return DRM_ERROR_NO_PERMISSION;
230 }
231 return mDrmManager->setPlaybackStatus(uniqueId, decryptHandle, playbackStatus, position);
232 }
233
validateAction(int uniqueId,const String8 & path,int action,const ActionDescription & description)234 bool DrmManagerService::validateAction(
235 int uniqueId, const String8& path,
236 int action, const ActionDescription& description) {
237 ALOGV("Entering validateAction");
238 return mDrmManager->validateAction(uniqueId, path, action, description);
239 }
240
removeRights(int uniqueId,const String8 & path)241 status_t DrmManagerService::removeRights(int uniqueId, const String8& path) {
242 ALOGV("Entering removeRights");
243 return mDrmManager->removeRights(uniqueId, path);
244 }
245
removeAllRights(int uniqueId)246 status_t DrmManagerService::removeAllRights(int uniqueId) {
247 ALOGV("Entering removeAllRights");
248 return mDrmManager->removeAllRights(uniqueId);
249 }
250
openConvertSession(int uniqueId,const String8 & mimeType)251 int DrmManagerService::openConvertSession(int uniqueId, const String8& mimeType) {
252 ALOGV("Entering openConvertSession");
253 return mDrmManager->openConvertSession(uniqueId, mimeType);
254 }
255
convertData(int uniqueId,int convertId,const DrmBuffer * inputData)256 DrmConvertedStatus* DrmManagerService::convertData(
257 int uniqueId, int convertId, const DrmBuffer* inputData) {
258 ALOGV("Entering convertData");
259 return mDrmManager->convertData(uniqueId, convertId, inputData);
260 }
261
closeConvertSession(int uniqueId,int convertId)262 DrmConvertedStatus* DrmManagerService::closeConvertSession(int uniqueId, int convertId) {
263 ALOGV("Entering closeConvertSession");
264 return mDrmManager->closeConvertSession(uniqueId, convertId);
265 }
266
getAllSupportInfo(int uniqueId,int * length,DrmSupportInfo ** drmSupportInfoArray)267 status_t DrmManagerService::getAllSupportInfo(
268 int uniqueId, int* length, DrmSupportInfo** drmSupportInfoArray) {
269 ALOGV("Entering getAllSupportInfo");
270 return mDrmManager->getAllSupportInfo(uniqueId, length, drmSupportInfoArray);
271 }
272
openDecryptSession(int uniqueId,int fd,off64_t offset,off64_t length,const char * mime)273 sp<DecryptHandle> DrmManagerService::openDecryptSession(
274 int uniqueId, int fd, off64_t offset, off64_t length, const char* mime) {
275 ALOGV("Entering DrmManagerService::openDecryptSession");
276 if (isProtectedCallAllowed(OPEN_DECRYPT_SESSION)) {
277 return mDrmManager->openDecryptSession(uniqueId, fd, offset, length, mime);
278 }
279
280 return NULL;
281 }
282
openDecryptSession(int uniqueId,const char * uri,const char * mime)283 sp<DecryptHandle> DrmManagerService::openDecryptSession(
284 int uniqueId, const char* uri, const char* mime) {
285 ALOGV("Entering DrmManagerService::openDecryptSession with uri");
286 if (isProtectedCallAllowed(OPEN_DECRYPT_SESSION)) {
287 return mDrmManager->openDecryptSession(uniqueId, uri, mime);
288 }
289
290 return NULL;
291 }
292
openDecryptSession(int uniqueId,const DrmBuffer & buf,const String8 & mimeType)293 sp<DecryptHandle> DrmManagerService::openDecryptSession(
294 int uniqueId, const DrmBuffer& buf, const String8& mimeType) {
295 ALOGV("Entering DrmManagerService::openDecryptSession for streaming");
296 if (isProtectedCallAllowed(OPEN_DECRYPT_SESSION)) {
297 return mDrmManager->openDecryptSession(uniqueId, buf, mimeType);
298 }
299
300 return NULL;
301 }
302
closeDecryptSession(int uniqueId,sp<DecryptHandle> & decryptHandle)303 status_t DrmManagerService::closeDecryptSession(int uniqueId, sp<DecryptHandle>& decryptHandle) {
304 ALOGV("Entering closeDecryptSession");
305 if (!isProtectedCallAllowed(CLOSE_DECRYPT_SESSION)) {
306 return DRM_ERROR_NO_PERMISSION;
307 }
308 return mDrmManager->closeDecryptSession(uniqueId, decryptHandle);
309 }
310
initializeDecryptUnit(int uniqueId,sp<DecryptHandle> & decryptHandle,int decryptUnitId,const DrmBuffer * headerInfo)311 status_t DrmManagerService::initializeDecryptUnit(int uniqueId, sp<DecryptHandle>& decryptHandle,
312 int decryptUnitId, const DrmBuffer* headerInfo) {
313 ALOGV("Entering initializeDecryptUnit");
314 if (!isProtectedCallAllowed(INITIALIZE_DECRYPT_UNIT)) {
315 return DRM_ERROR_NO_PERMISSION;
316 }
317 return mDrmManager->initializeDecryptUnit(uniqueId,decryptHandle, decryptUnitId, headerInfo);
318 }
319
decrypt(int uniqueId,sp<DecryptHandle> & decryptHandle,int decryptUnitId,const DrmBuffer * encBuffer,DrmBuffer ** decBuffer,DrmBuffer * IV)320 status_t DrmManagerService::decrypt(
321 int uniqueId, sp<DecryptHandle>& decryptHandle, int decryptUnitId,
322 const DrmBuffer* encBuffer, DrmBuffer** decBuffer, DrmBuffer* IV) {
323 ALOGV("Entering decrypt");
324 if (!isProtectedCallAllowed(DECRYPT)) {
325 return DRM_ERROR_NO_PERMISSION;
326 }
327 return mDrmManager->decrypt(uniqueId, decryptHandle, decryptUnitId, encBuffer, decBuffer, IV);
328 }
329
finalizeDecryptUnit(int uniqueId,sp<DecryptHandle> & decryptHandle,int decryptUnitId)330 status_t DrmManagerService::finalizeDecryptUnit(
331 int uniqueId, sp<DecryptHandle>& decryptHandle, int decryptUnitId) {
332 ALOGV("Entering finalizeDecryptUnit");
333 if (!isProtectedCallAllowed(FINALIZE_DECRYPT_UNIT)) {
334 return DRM_ERROR_NO_PERMISSION;
335 }
336 return mDrmManager->finalizeDecryptUnit(uniqueId, decryptHandle, decryptUnitId);
337 }
338
pread(int uniqueId,sp<DecryptHandle> & decryptHandle,void * buffer,ssize_t numBytes,off64_t offset)339 ssize_t DrmManagerService::pread(int uniqueId, sp<DecryptHandle>& decryptHandle,
340 void* buffer, ssize_t numBytes, off64_t offset) {
341 ALOGV("Entering pread");
342 if (!isProtectedCallAllowed(PREAD)) {
343 return DRM_ERROR_NO_PERMISSION;
344 }
345 return mDrmManager->pread(uniqueId, decryptHandle, buffer, numBytes, offset);
346 }
347
dump(int fd,const Vector<String16> & args)348 status_t DrmManagerService::dump(int fd, const Vector<String16>& args)
349 {
350 const size_t SIZE = 256;
351 char buffer[SIZE];
352 String8 result;
353 if (checkCallingPermission(String16("android.permission.DUMP")) == false) {
354 snprintf(buffer, SIZE, "Permission Denial: "
355 "can't dump DrmManagerService from pid=%d, uid=%d\n",
356 IPCThreadState::self()->getCallingPid(),
357 IPCThreadState::self()->getCallingUid());
358 result.append(buffer);
359 } else {
360 #if DRM_MEMORY_LEAK_TRACK
361 bool dumpMem = false;
362 for (size_t i = 0; i < args.size(); i++) {
363 if (args[i] == String16("-m")) {
364 dumpMem = true;
365 }
366 }
367 if (dumpMem) {
368 result.append("\nDumping memory:\n");
369 std::string s = dumpMemoryAddresses(100 /* limit */);
370 result.append(s.c_str(), s.size());
371 }
372 #else
373 (void)args;
374 #endif
375 }
376 write(fd, result.string(), result.size());
377 return NO_ERROR;
378 }
379
380