Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 0335b360 authored by Alice Wang's avatar Alice Wang Committed by Automerger Merge Worker
Browse files

Merge "Check permission to add accessor in servicemanager" into main am: bbc53bc0 am: 18b15cce 

Original change: https://android-review.googlesource.com/c/platform/frameworks/native/+/3197352



Change-Id: Id453c0787f7929aa02513ad20f38f687064a4590
Signed-off-by: default avatarAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
parents 5a0ca631 18b15cce

cmds/servicemanager/ServiceManager.cpp

+26 −6
Original line number Diff line number Diff line
@@ -505,8 +505,9 @@ Status ServiceManager::addService(const std::string& name, const sp<IBinder>& bi 
        return Status::fromExceptionCode(Status::EX_SECURITY, "App UIDs cannot add services.");

    }



    if (!mAccess->canAdd(ctx, name)) {

        return Status::fromExceptionCode(Status::EX_SECURITY, "SELinux denied.");

    std::optional<std::string> accessorName;

    if (auto status = canAddService(ctx, name, &accessorName); !status.isOk()) {

        return status;

    }



    if (binder == nullptr) {
@@ -888,8 +889,9 @@ Status ServiceManager::registerClientCallback(const std::string& name, const sp< 
    }



    auto ctx = mAccess->getCallingContext();

    if (!mAccess->canAdd(ctx, name)) {

        return Status::fromExceptionCode(Status::EX_SECURITY, "SELinux denied.");

    std::optional<std::string> accessorName;

    if (auto status = canAddService(ctx, name, &accessorName); !status.isOk()) {

        return status;

    }



    auto serviceIt = mNameToService.find(name);
@@ -1051,8 +1053,9 @@ Status ServiceManager::tryUnregisterService(const std::string& name, const sp<IB 
    }



    auto ctx = mAccess->getCallingContext();

    if (!mAccess->canAdd(ctx, name)) {

        return Status::fromExceptionCode(Status::EX_SECURITY, "SELinux denied.");

    std::optional<std::string> accessorName;

    if (auto status = canAddService(ctx, name, &accessorName); !status.isOk()) {

        return status;

    }



    auto serviceIt = mNameToService.find(name);
@@ -1110,6 +1113,23 @@ Status ServiceManager::tryUnregisterService(const std::string& name, const sp<IB 
    return Status::ok();

}



Status ServiceManager::canAddService(const Access::CallingContext& ctx, const std::string& name,

                                     std::optional<std::string>* accessor) {

    if (!mAccess->canAdd(ctx, name)) {

        return Status::fromExceptionCode(Status::EX_SECURITY, "SELinux denied for service.");

    }

#ifndef VENDORSERVICEMANAGER

    *accessor = getVintfAccessorName(name);

#endif

    if (accessor->has_value()) {

        if (!mAccess->canAdd(ctx, accessor->value())) {

            return Status::fromExceptionCode(Status::EX_SECURITY,

                                             "SELinux denied for the accessor of the service.");

        }

    }

    return Status::ok();

}



Status ServiceManager::canFindService(const Access::CallingContext& ctx, const std::string& name,

                                      std::optional<std::string>* accessor) {

    if (!mAccess->canFind(ctx, name)) {

cmds/servicemanager/ServiceManager.h

+2 −0
Original line number Diff line number Diff line
@@ -115,6 +115,8 @@ private: 


    os::Service tryGetService(const std::string& name, bool startIfNotFound);

    sp<IBinder> tryGetBinder(const std::string& name, bool startIfNotFound);

    binder::Status canAddService(const Access::CallingContext& ctx, const std::string& name,

                                 std::optional<std::string>* accessor);

    binder::Status canFindService(const Access::CallingContext& ctx, const std::string& name,

                                  std::optional<std::string>* accessor);