
Commit 1ad90da9 authored by Treehugger Robot's avatar Treehugger Robot Committed by Automerger Merge Worker

Merge "Revert "Check security context in CA certificate injection"" am: 2dd12799

Original change: https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1435260

Change-Id: Ib4afdc3377ba6821ecefd25f98a22acfba321eb4
parents 02fd4ee6 2dd12799
+8 −38
@@ -24,7 +24,6 @@
#include <BinderUtil.h>
#include <android-base/stringprintf.h>
#include <android-base/strings.h>
#include <android/binder_ibinder_platform.h>
#include <android/binder_manager.h>
#include <android/binder_process.h>
#include <netdutils/DumpWriter.h>
@@ -83,10 +82,8 @@ binder_status_t DnsResolverService::start() {
    // NetdNativeService does call disableBackgroundScheduling currently, so it is fine now.
    std::shared_ptr<DnsResolverService> resolverService =
            ::ndk::SharedRefBase::make<DnsResolverService>();
    auto binder = resolverService->asBinder();

    if (AIBinder_setRequestingSid) AIBinder_setRequestingSid(binder.get(), true);
    binder_status_t status = AServiceManager_addService(binder.get(), getServiceName());
    binder_status_t status =
            AServiceManager_addService(resolverService->asBinder().get(), getServiceName());
    if (status != STATUS_OK) {
        return status;
    }
@@ -176,45 +173,18 @@ binder_status_t DnsResolverService::dump(int fd, const char** args, uint32_t num
    return ::ndk::ScopedAStatus(AStatus_fromExceptionCodeWithMessage(EX_SECURITY, err.c_str()));
}

namespace {

constexpr char SELINUX_LABEL_SU[] = "u:r:su:s0";

inline bool isRootSecurityContext(const char* sid) {
    // Type su is used for su processes, as well as for adbd and adb shell after performing an adb
    // root command.
    return !strcmp(sid, SELINUX_LABEL_SU);
}

::ndk::ScopedAStatus checkCaCertificatePermission() {
    uid_t uid = AIBinder_getCallingUid();
    if (uid != AID_ROOT) {
        auto err = StringPrintf("UID %d is not authorized to set CA certificate", uid);
        return ::ndk::ScopedAStatus(AStatus_fromExceptionCodeWithMessage(EX_SECURITY, err.c_str()));
    }
    // Check security context if it is supported by platform
    if (!AIBinder_getCallingSid) {
        return ::ndk::ScopedAStatus(AStatus_newOk());
    }
    const char* sid = AIBinder_getCallingSid();
    if (!sid || !isRootSecurityContext(sid)) {
        auto err = StringPrintf("sid %s is not authorized to set CA certificate", sid);
        return ::ndk::ScopedAStatus(AStatus_fromExceptionCodeWithMessage(EX_SECURITY, err.c_str()));
    }
    return ::ndk::ScopedAStatus(AStatus_newOk());
}

}  // namespace

::ndk::ScopedAStatus DnsResolverService::setResolverConfiguration(
        const ResolverParamsParcel& resolverParams) {
    // Locking happens in PrivateDnsConfiguration and res_* functions.
    ENFORCE_INTERNAL_PERMISSIONS();

    // TODO@: Switch to selinux based permission check if AIBinder_getCallingSid and
    //        AIBinder_setRequestingSid can be supported by libbinder_dnk (b/159135973).
    uid_t uid = AIBinder_getCallingUid();
    // CAUTION: caCertificate should NOT be used except for internal testing.
    if (resolverParams.caCertificate.size() != 0) {
        auto status = checkCaCertificatePermission();
        if (!status.isOk()) return status;
    if (resolverParams.caCertificate.size() != 0 && uid != AID_ROOT) {
        auto err = StringPrintf("UID %d is not authorized to set a non-empty CA certificate", uid);
        return ::ndk::ScopedAStatus(AStatus_fromExceptionCodeWithMessage(EX_SECURITY, err.c_str()));
    }

    // TODO: Remove this log after AIDL gen_log supporting more types, b/129732660
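Review bot: The restored gate `if (resolverParams.caCertificate.size() != 0 && uid != AID_ROOT)` admits any caller with UID 0 in any SELinux domain, which is the limitation the preceding TODO (b/159135973) already records, so the CAUTION comment should say so explicitly rather than leaving it implied, e.g. `// Until b/159135973 is resolved this is a UID-only gate: every UID 0 caller passes it.` The format string `"UID %d is not authorized to set a non-empty CA certificate"` is given a uid_t, which is an unsigned type on Android, so `%u` is the matching conversion and avoids printing a reinterpreted value in the security error. The body of setResolverConfiguration continues outside the hunk.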