From 0a738d950423c50ea066a0229cce485d41585653 Mon Sep 17 00:00:00 2001 From: Janis Danisevskis Date: Wed, 23 Sep 2020 17:00:20 -0700 Subject: [PATCH] Chanage uid to userId where it denotes an Android user id. This patch changes the variable name `uid` to `userId` where it denotes an Android user id. This makes it harder to mistake the user id for an actual UID. Test: Trivial refactoring no logical changes. Bug: 163636858 Change-Id: I9e240367bcd30bbfa1816014a7f44bbcb58ede4b --- .../gatekeeper/IGateKeeperService.aidl | 20 +++--- gatekeeperd/gatekeeperd.cpp | 65 ++++++++++--------- 2 files changed, 43 insertions(+), 42 deletions(-) diff --git a/gatekeeperd/binder/android/service/gatekeeper/IGateKeeperService.aidl b/gatekeeperd/binder/android/service/gatekeeper/IGateKeeperService.aidl index 57adaba07..4646efc06 100644 --- a/gatekeeperd/binder/android/service/gatekeeper/IGateKeeperService.aidl +++ b/gatekeeperd/binder/android/service/gatekeeper/IGateKeeperService.aidl @@ -30,7 +30,7 @@ import android.service.gatekeeper.GateKeeperResponse; interface IGateKeeperService { /** * Enrolls a password, returning the handle to the enrollment to be stored locally. - * @param uid The Android user ID associated to this enrollment + * @param userId The Android user ID associated to this enrollment * @param currentPasswordHandle The previously enrolled handle, or null if none * @param currentPassword The previously enrolled plaintext password, or null if none. * If provided, must verify against the currentPasswordHandle. @@ -38,22 +38,22 @@ interface IGateKeeperService { * upon success. * @return an EnrollResponse or null on failure */ - GateKeeperResponse enroll(int uid, in @nullable byte[] currentPasswordHandle, + GateKeeperResponse enroll(int userId, in @nullable byte[] currentPasswordHandle, in @nullable byte[] currentPassword, in byte[] desiredPassword); /** * Verifies an enrolled handle against a provided, plaintext blob. - * @param uid The Android user ID associated to this enrollment + * @param userId The Android user ID associated to this enrollment * @param enrolledPasswordHandle The handle against which the provided password will be * verified. * @param The plaintext blob to verify against enrolledPassword. * @return a VerifyResponse, or null on failure. */ - GateKeeperResponse verify(int uid, in byte[] enrolledPasswordHandle, in byte[] providedPassword); + GateKeeperResponse verify(int userId, in byte[] enrolledPasswordHandle, in byte[] providedPassword); /** * Verifies an enrolled handle against a provided, plaintext blob. - * @param uid The Android user ID associated to this enrollment + * @param userId The Android user ID associated to this enrollment * @param challenge a challenge to authenticate agaisnt the device credential. If successful * authentication occurs, this value will be written to the returned * authentication attestation. @@ -62,22 +62,22 @@ interface IGateKeeperService { * @param The plaintext blob to verify against enrolledPassword. * @return a VerifyResponse with an attestation, or null on failure. */ - GateKeeperResponse verifyChallenge(int uid, long challenge, in byte[] enrolledPasswordHandle, + GateKeeperResponse verifyChallenge(int userId, long challenge, in byte[] enrolledPasswordHandle, in byte[] providedPassword); /** * Retrieves the secure identifier for the user with the provided Android ID, * or 0 if none is found. - * @param uid the Android user id + * @param userId the Android user id */ - long getSecureUserId(int uid); + long getSecureUserId(int userId); /** * Clears secure user id associated with the provided Android ID. * Must be called when password is set to NONE. - * @param uid the Android user id. + * @param userId the Android user id. */ - void clearSecureUserId(int uid); + void clearSecureUserId(int userId); /** * Notifies gatekeeper that device setup has been completed and any potentially still existing diff --git a/gatekeeperd/gatekeeperd.cpp b/gatekeeperd/gatekeeperd.cpp index c81a80ef3..b982dbcf6 100644 --- a/gatekeeperd/gatekeeperd.cpp +++ b/gatekeeperd/gatekeeperd.cpp @@ -76,9 +76,9 @@ public: virtual ~GateKeeperProxy() { } - void store_sid(uint32_t uid, uint64_t sid) { + void store_sid(uint32_t userId, uint64_t sid) { char filename[21]; - snprintf(filename, sizeof(filename), "%u", uid); + snprintf(filename, sizeof(filename), "%u", userId); int fd = open(filename, O_WRONLY | O_TRUNC | O_CREAT, S_IRUSR | S_IWUSR); if (fd < 0) { ALOGE("could not open file: %s: %s", filename, strerror(errno)); @@ -117,18 +117,18 @@ public: return false; } - void maybe_store_sid(uint32_t uid, uint64_t sid) { + void maybe_store_sid(uint32_t userId, uint64_t sid) { char filename[21]; - snprintf(filename, sizeof(filename), "%u", uid); + snprintf(filename, sizeof(filename), "%u", userId); if (access(filename, F_OK) == -1) { - store_sid(uid, sid); + store_sid(userId, sid); } } - uint64_t read_sid(uint32_t uid) { + uint64_t read_sid(uint32_t userId) { char filename[21]; uint64_t sid; - snprintf(filename, sizeof(filename), "%u", uid); + snprintf(filename, sizeof(filename), "%u", userId); int fd = open(filename, O_RDONLY); if (fd < 0) return 0; read(fd, &sid, sizeof(sid)); @@ -136,30 +136,30 @@ public: return sid; } - void clear_sid(uint32_t uid) { + void clear_sid(uint32_t userId) { char filename[21]; - snprintf(filename, sizeof(filename), "%u", uid); + snprintf(filename, sizeof(filename), "%u", userId); if (remove(filename) < 0) { ALOGE("%s: could not remove file [%s], attempting 0 write", __func__, strerror(errno)); - store_sid(uid, 0); + store_sid(userId, 0); } } - // This should only be called on uids being passed to the GateKeeper HAL. It ensures that + // This should only be called on userIds being passed to the GateKeeper HAL. It ensures that // secure storage shared across a GSI image and a host image will not overlap. - uint32_t adjust_uid(uint32_t uid) { + uint32_t adjust_userId(uint32_t userId) { static constexpr uint32_t kGsiOffset = 1000000; - CHECK(uid < kGsiOffset); + CHECK(userId < kGsiOffset); CHECK(hw_device != nullptr); if (is_running_gsi) { - return uid + kGsiOffset; + return userId + kGsiOffset; } - return uid; + return userId; } #define GK_ERROR *gkResponse = GKResponse::error(), Status::ok() - Status enroll(int32_t uid, const std::optional>& currentPasswordHandle, + Status enroll(int32_t userId, const std::optional>& currentPasswordHandle, const std::optional>& currentPassword, const std::vector& desiredPassword, GKResponse* gkResponse) override { IPCThreadState* ipc = IPCThreadState::self(); @@ -198,9 +198,10 @@ public: android::hardware::hidl_vec newPwd; newPwd.setToExternal(const_cast(desiredPassword.data()), desiredPassword.size()); - uint32_t hw_uid = adjust_uid(uid); + uint32_t hw_userId = adjust_userId(userId); Return hwRes = hw_device->enroll( - hw_uid, curPwdHandle, curPwd, newPwd, [&gkResponse](const GatekeeperResponse& rsp) { + hw_userId, curPwdHandle, curPwd, newPwd, + [&gkResponse](const GatekeeperResponse& rsp) { if (rsp.code >= GatekeeperStatusCode::STATUS_OK) { *gkResponse = GKResponse::ok({rsp.data.begin(), rsp.data.end()}); } else if (rsp.code == GatekeeperStatusCode::ERROR_RETRY_TIMEOUT && @@ -225,12 +226,12 @@ public: const gatekeeper::password_handle_t* handle = reinterpret_cast( gkResponse->payload().data()); - store_sid(uid, handle->user_id); + store_sid(userId, handle->user_id); GKResponse verifyResponse; // immediately verify this password so we don't ask the user to enter it again // if they just created it. - auto status = verify(uid, gkResponse->payload(), desiredPassword, &verifyResponse); + auto status = verify(userId, gkResponse->payload(), desiredPassword, &verifyResponse); if (!status.isOk() || verifyResponse.response_code() != GKResponseCode::OK) { LOG(ERROR) << "Failed to verify password after enrolling"; } @@ -239,13 +240,13 @@ public: return Status::ok(); } - Status verify(int32_t uid, const ::std::vector& enrolledPasswordHandle, + Status verify(int32_t userId, const ::std::vector& enrolledPasswordHandle, const ::std::vector& providedPassword, GKResponse* gkResponse) override { - return verifyChallenge(uid, 0 /* challenge */, enrolledPasswordHandle, providedPassword, + return verifyChallenge(userId, 0 /* challenge */, enrolledPasswordHandle, providedPassword, gkResponse); } - Status verifyChallenge(int32_t uid, int64_t challenge, + Status verifyChallenge(int32_t userId, int64_t challenge, const std::vector& enrolledPasswordHandle, const std::vector& providedPassword, GKResponse* gkResponse) override { @@ -269,7 +270,7 @@ public: reinterpret_cast( enrolledPasswordHandle.data()); - uint32_t hw_uid = adjust_uid(uid); + uint32_t hw_userId = adjust_userId(userId); android::hardware::hidl_vec curPwdHandle; curPwdHandle.setToExternal(const_cast(enrolledPasswordHandle.data()), enrolledPasswordHandle.size()); @@ -278,7 +279,7 @@ public: providedPassword.size()); Return hwRes = hw_device->verify( - hw_uid, challenge, curPwdHandle, enteredPwd, + hw_userId, challenge, curPwdHandle, enteredPwd, [&gkResponse](const GatekeeperResponse& rsp) { if (rsp.code >= GatekeeperStatusCode::STATUS_OK) { *gkResponse = GKResponse::ok( @@ -315,18 +316,18 @@ public: } } - maybe_store_sid(uid, handle->user_id); + maybe_store_sid(userId, handle->user_id); } return Status::ok(); } - Status getSecureUserId(int32_t uid, int64_t* sid) override { - *sid = read_sid(uid); + Status getSecureUserId(int32_t userId, int64_t* sid) override { + *sid = read_sid(userId); return Status::ok(); } - Status clearSecureUserId(int32_t uid) override { + Status clearSecureUserId(int32_t userId) override { IPCThreadState* ipc = IPCThreadState::self(); const int calling_pid = ipc->getCallingPid(); const int calling_uid = ipc->getCallingUid(); @@ -334,11 +335,11 @@ public: ALOGE("%s: permission denied for [%d:%d]", __func__, calling_pid, calling_uid); return Status::ok(); } - clear_sid(uid); + clear_sid(userId); if (hw_device) { - uint32_t hw_uid = adjust_uid(uid); - hw_device->deleteUser(hw_uid, [] (const GatekeeperResponse &){}); + uint32_t hw_userId = adjust_userId(userId); + hw_device->deleteUser(hw_userId, [](const GatekeeperResponse&) {}); } return Status::ok(); }