Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d404e0fc authored by Alice Wang's avatar Alice Wang
Browse files

Check permission to add accessor in servicemanager 

When a service is served via accessor.

Bug: 351790282
Test: atest vm_accessor_test
Change-Id: I71ff2fab9ccd783028bd37d6e450d7842aa50e2a
parent 9d04fe2c

cmds/servicemanager/ServiceManager.cpp

+26 −6
Original line number Diff line number Diff line
@@ -505,8 +505,9 @@ Status ServiceManager::addService(const std::string& name, const sp<IBinder>& bi 
        return Status::fromExceptionCode(Status::EX_SECURITY, "App UIDs cannot add services.");

    }



    if (!mAccess->canAdd(ctx, name)) {

        return Status::fromExceptionCode(Status::EX_SECURITY, "SELinux denied.");

    std::optional<std::string> accessorName;

    if (auto status = canAddService(ctx, name, &accessorName); !status.isOk()) {

        return status;

    }



    if (binder == nullptr) {
@@ -888,8 +889,9 @@ Status ServiceManager::registerClientCallback(const std::string& name, const sp< 
    }



    auto ctx = mAccess->getCallingContext();

    if (!mAccess->canAdd(ctx, name)) {

        return Status::fromExceptionCode(Status::EX_SECURITY, "SELinux denied.");

    std::optional<std::string> accessorName;

    if (auto status = canAddService(ctx, name, &accessorName); !status.isOk()) {

        return status;

    }



    auto serviceIt = mNameToService.find(name);
@@ -1051,8 +1053,9 @@ Status ServiceManager::tryUnregisterService(const std::string& name, const sp<IB 
    }



    auto ctx = mAccess->getCallingContext();

    if (!mAccess->canAdd(ctx, name)) {

        return Status::fromExceptionCode(Status::EX_SECURITY, "SELinux denied.");

    std::optional<std::string> accessorName;

    if (auto status = canAddService(ctx, name, &accessorName); !status.isOk()) {

        return status;

    }



    auto serviceIt = mNameToService.find(name);
@@ -1110,6 +1113,23 @@ Status ServiceManager::tryUnregisterService(const std::string& name, const sp<IB 
    return Status::ok();

}



Status ServiceManager::canAddService(const Access::CallingContext& ctx, const std::string& name,

                                     std::optional<std::string>* accessor) {

    if (!mAccess->canAdd(ctx, name)) {

        return Status::fromExceptionCode(Status::EX_SECURITY, "SELinux denied for service.");

    }

#ifndef VENDORSERVICEMANAGER

    *accessor = getVintfAccessorName(name);

#endif

    if (accessor->has_value()) {

        if (!mAccess->canAdd(ctx, accessor->value())) {

            return Status::fromExceptionCode(Status::EX_SECURITY,

                                             "SELinux denied for the accessor of the service.");

        }

    }

    return Status::ok();

}



Status ServiceManager::canFindService(const Access::CallingContext& ctx, const std::string& name,

                                      std::optional<std::string>* accessor) {

    if (!mAccess->canFind(ctx, name)) {

cmds/servicemanager/ServiceManager.h

+2 −0
Original line number Diff line number Diff line
@@ -115,6 +115,8 @@ private: 


    os::Service tryGetService(const std::string& name, bool startIfNotFound);

    sp<IBinder> tryGetBinder(const std::string& name, bool startIfNotFound);

    binder::Status canAddService(const Access::CallingContext& ctx, const std::string& name,

                                 std::optional<std::string>* accessor);

    binder::Status canFindService(const Access::CallingContext& ctx, const std::string& name,

                                  std::optional<std::string>* accessor);