
Commit 7ced33fe authored by Martijn Coenen

Only allow the system to bind to the hotword detection service.

The hotword detection service is an isolated service which we want to
isolate from the rest of the system as much as possible. We don't want
to allow anybody but the system to bind to it, not even its enclosing
application. For now, special-case the hotword detection service until
we come up with a more generalized solution in T.

Bug: 181508704
Bug: 185746653
Test: local
Change-Id: Iea41383304e2632ff334a9719598db7510226c07
parent f379c17e
+13 −0
@@ -69,6 +69,7 @@ import static com.android.server.am.ActivityManagerDebugConfig.POSTFIX_SERVICE_E
import static com.android.server.am.ActivityManagerDebugConfig.TAG_AM;
import static com.android.server.am.ActivityManagerDebugConfig.TAG_WITH_CLASS_NAME;

import android.Manifest;
import android.annotation.NonNull;
import android.annotation.Nullable;
import android.annotation.UptimeMillisLong;
@@ -3068,6 +3069,18 @@ public final class ActiveServices {
                        + ", uid=" + callingUid
                        + " requires " + r.permission);
                return new ServiceLookupResult(null, r.permission);
            } else if (Manifest.permission.BIND_HOTWORD_DETECTION_SERVICE.equals(r.permission)
                    && callingUid != Process.SYSTEM_UID) {
                // Hotword detection must run in its own sandbox, and we don't even trust
                // its enclosing application to bind to it - only the system.
                // TODO(b/185746653) remove this special case and generalize
                Slog.w(TAG, "Permission Denial: Accessing service " + r.shortInstanceName
                        + " from pid=" + callingPid
                        + ", uid=" + callingUid
                        + " requiring permission " + r.permission
                        + " can only be bound to from the system.");
                return new ServiceLookupResult(null, "can only be bound to "
                        + "by the system.");
            } else if (r.permission != null && callingPackage != null) {
                final int opCode = AppOpsManager.permissionToOpCode(r.permission);
                if (opCode != AppOpsManager.OP_NONE && mAm.getAppOpsManager().checkOpNoThrow(
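Review bot: the comment on the new branch says "only the system" may bind, but `callingUid != Process.SYSTEM_UID` admits any caller running as the system uid, which includes every package declared with `sharedUserId="android.uid.system"`, not only system_server; if the intent is system_server alone, the uid alone is not a tight enough caller identity, and if system-uid apps are acceptable the comment should say so. Two smaller points on the same hunk: the second argument of `ServiceLookupResult` is the required permission name in the denial branch just above (`return new ServiceLookupResult(null, r.permission);`), whereas here it is the prose string `"can only be bound to by the system."`, so a caller that reports that field as a permission will produce an odd message; returning `r.permission` here keeps the two branches consistent, since the human-readable reason is already in the `Slog.w` line. Finally, because this is an `else if` after the permission-denied branch, the case it guards is a caller that holds BIND_HOTWORD_DETECTION_SERVICE but is not uid 1000; the message's `Test: local` does not show that case was exercised, and a test for it would be worth adding before the TODO(b/185746653) generalization lands.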