
Commit 3ece6623 authored by George Chan's avatar George Chan

Enforce access checks for ADB shell commands.

Test: ATBD
Bug: 427468440
Flag: android.security.aapm_feature_usb_data_protection
Change-Id: If83112e3cd3dc4d18d713728455c8cdbcef45f14
parent 25e66006
+18 −5
@@ -35,6 +35,7 @@ import android.os.Handler;
import android.os.IBinder;
import android.os.Looper;
import android.os.Message;
import android.os.ParcelFileDescriptor;
import android.os.PermissionEnforcer;
import android.os.RemoteException;
import android.os.ResultReceiver;
@@ -380,12 +381,24 @@ public class AdvancedProtectionService extends IAdvancedProtectionService.Stub {
        }
    }

    /**
     * Handles shell commands. This method is used instead of the deprecated {@code onShellCommand}
     * to ensure that the caller is either the shell or root user, enforcing access checks for ADB
     * commands.
     */
    @Override
    public void onShellCommand(FileDescriptor in, FileDescriptor out,
            FileDescriptor err, @NonNull String[] args, ShellCallback callback,
            @NonNull ResultReceiver resultReceiver) {
        (new AdvancedProtectionShellCommand(this))
                .exec(this, in, out, err, args, callback, resultReceiver);
    public int handleShellCommand(
            @NonNull ParcelFileDescriptor in,
            @NonNull ParcelFileDescriptor out,
            @NonNull ParcelFileDescriptor err,
            @NonNull String[] args) {
        return (new AdvancedProtectionShellCommand(this))
                .exec(
                        this,
                        in.getFileDescriptor(),
                        out.getFileDescriptor(),
                        err.getFileDescriptor(),
                        args);
    }

    @Override
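Review bot: The new Javadoc on `handleShellCommand` says the method ensures the caller is the shell or root user, but the body contains no caller check. The enforcement presumably lives in the inherited `Binder#onShellCommand`, which dispatches to `handleShellCommand` only for those UIDs. I would state that dependency in the comment, for example `Access is enforced by the inherited Binder#onShellCommand, which invokes this method only for root or shell callers; do not re-override onShellCommand here.`, so a later override does not silently remove the gate. The trailer reads `Test: ATBD`, so a regression test asserting that a binder caller that is neither shell nor root gets a failure result would pin the behaviour this commit relies on. The `ShellCallback` is also no longer forwarded to `exec`, so confirm that no command in `AdvancedProtectionShellCommand` (not shown on this page) depends on it.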