am d10035d5: Merge "Some hardening of isolated processes by restricting access to services." (887ffbea) · Commits · e / os / android_frameworks_base

cmds/servicemanager/service_manager.c

+18 −5

Original line number	Diff line number	Diff line
		@@ -90,6 +90,7 @@ struct svcinfo
		struct svcinfo *next;
		void *ptr;
		struct binder_death death;
		int allow_isolated;
		unsigned len;
		uint16_t name[0];
		};
		@@ -125,13 +126,21 @@ uint16_t svcmgr_id[] = {
		};


		void do_find_service(struct binder_state bs, uint16_t *s, unsigned len)
		void do_find_service(struct binder_state bs, uint16_t *s, unsigned len, unsigned uid)
		{
		struct svcinfo *si;
		si = find_svc(s, len);

		// ALOGI("check_service('%s') ptr = %p\n", str8(s), si ? si->ptr : 0);
		if (si && si->ptr) {
		if (!si->allow_isolated) {
		// If this service doesn't allow access from isolated processes,
		// then check the uid to see if it is isolated.
		unsigned appid = uid % AID_USER;
		if (appid >= AID_ISOLATED_START && appid <= AID_ISOLATED_END) {
		return 0;
		}
		}
		return si->ptr;
		} else {
		return 0;
		@@ -140,10 +149,11 @@ void do_find_service(struct binder_state bs, uint16_t *s, unsigned len)

		int do_add_service(struct binder_state *bs,
		uint16_t *s, unsigned len,
		void *ptr, unsigned uid)
		void *ptr, unsigned uid, int allow_isolated)
		{
		struct svcinfo *si;
		// ALOGI("add_service('%s',%p) uid=%d\n", str8(s), ptr, uid);
		//ALOGI("add_service('%s',%p,%s) uid=%d\n", str8(s), ptr,
		// allow_isolated ? "allow_isolated" : "!allow_isolated", uid);

		if (!ptr \|\| (len == 0) \|\| (len > 127))
		return -1;
		@@ -175,6 +185,7 @@ int do_add_service(struct binder_state *bs,
		si->name[len] = '\0';
		si->death.func = svcinfo_death;
		si->death.ptr = si;
		si->allow_isolated = allow_isolated;
		si->next = svclist;
		svclist = si;
		}
		@@ -194,6 +205,7 @@ int svcmgr_handler(struct binder_state *bs,
		unsigned len;
		void *ptr;
		uint32_t strict_policy;
		int allow_isolated;

		// ALOGI("target=%p code=%d pid=%d uid=%d\n",
		// txn->target, txn->code, txn->sender_pid, txn->sender_euid);
		@@ -217,7 +229,7 @@ int svcmgr_handler(struct binder_state *bs,
		case SVC_MGR_GET_SERVICE:
		case SVC_MGR_CHECK_SERVICE:
		s = bio_get_string16(msg, &len);
		ptr = do_find_service(bs, s, len);
		ptr = do_find_service(bs, s, len, txn->sender_euid);
		if (!ptr)
		break;
		bio_put_ref(reply, ptr);
		@@ -226,7 +238,8 @@ int svcmgr_handler(struct binder_state *bs,
		case SVC_MGR_ADD_SERVICE:
		s = bio_get_string16(msg, &len);
		ptr = bio_get_ref(msg);
		if (do_add_service(bs, s, len, ptr, txn->sender_euid))
		allow_isolated = bio_get_uint32(msg) ? 1 : 0;
		if (do_add_service(bs, s, len, ptr, txn->sender_euid, allow_isolated))
		return -1;
		break;

cmds/surfaceflinger/main_surfaceflinger.cpp

+1 −1

Original line number	Diff line number	Diff line
		@@ -20,6 +20,6 @@
		using namespace android;

		int main(int argc, char** argv) {
		SurfaceFlinger::publishAndJoinThreadPool();
		SurfaceFlinger::publishAndJoinThreadPool(true);
		return 0;
		}

core/java/android/os/IServiceManager.java

+2 −1

Original line number	Diff line number	Diff line
		@@ -45,7 +45,8 @@ public interface IServiceManager extends IInterface
		* Place a new @a service called @a name into the service
		* manager.
		*/
		public void addService(String name, IBinder service) throws RemoteException;
		public void addService(String name, IBinder service, boolean allowIsolated)
		throws RemoteException;

		/**
		* Return a list of all currently running services.

core/java/android/os/ServiceManager.java

+18 −1

Original line number	Diff line number	Diff line
		@@ -69,7 +69,24 @@ public final class ServiceManager {
		*/
		public static void addService(String name, IBinder service) {
		try {
		getIServiceManager().addService(name, service);
		getIServiceManager().addService(name, service, false);
		} catch (RemoteException e) {
		Log.e(TAG, "error in addService", e);
		}
		}

		/**
		* Place a new @a service called @a name into the service
		* manager.
		*
		* @param name the name of the new service
		* @param service the service object
		* @param allowIsolated set to true to allow isolated sandboxed processes
		* to access this service
		*/
		public static void addService(String name, IBinder service, boolean allowIsolated) {
		try {
		getIServiceManager().addService(name, service, allowIsolated);
		} catch (RemoteException e) {
		Log.e(TAG, "error in addService", e);
		}

core/java/android/os/ServiceManagerNative.java

+4 −2

Original line number	Diff line number	Diff line
		@@ -71,7 +71,8 @@ public abstract class ServiceManagerNative extends Binder implements IServiceMan
		data.enforceInterface(IServiceManager.descriptor);
		String name = data.readString();
		IBinder service = data.readStrongBinder();
		addService(name, service);
		boolean allowIsolated = data.readInt() != 0;
		addService(name, service, allowIsolated);
		return true;
		}

		@@ -136,13 +137,14 @@ class ServiceManagerProxy implements IServiceManager {
		return binder;
		}

		public void addService(String name, IBinder service)
		public void addService(String name, IBinder service, boolean allowIsolated)
		throws RemoteException {
		Parcel data = Parcel.obtain();
		Parcel reply = Parcel.obtain();
		data.writeInterfaceToken(IServiceManager.descriptor);
		data.writeString(name);
		data.writeStrongBinder(service);
		data.writeInt(allowIsolated ? 1 : 0);
		mRemote.transact(ADD_SERVICE_TRANSACTION, data, reply, 0);
		reply.recycle();
		data.recycle();