Allow only AID_ROOT to inject certificate

    // Locking happens in PrivateDnsConfiguration and res_* functions.

    // Locking happens in PrivateDnsConfiguration and res_* functions.

    ENFORCE_INTERNAL_PERMISSIONS();

    ENFORCE_INTERNAL_PERMISSIONS();

    // TODO@: Switch to selinux based permission check if AIBinder_getCallingSid and

    //        AIBinder_setRequestingSid can be supported by libbinder_dnk (b/159135973).

    uid_t uid = AIBinder_getCallingUid();

    uid_t uid = AIBinder_getCallingUid();

    if (resolverParams.caCertificate.size() != 0 && uid == AID_SYSTEM) {

    // CAUTION: caCertificate should NOT be used except for internal testing.

    if (resolverParams.caCertificate.size() != 0 && uid != AID_ROOT) {

        auto err = StringPrintf("UID %d is not authorized to set a non-empty CA certificate", uid);

        auto err = StringPrintf("UID %d is not authorized to set a non-empty CA certificate", uid);

        return ::ndk::ScopedAStatus(AStatus_fromExceptionCodeWithMessage(EX_SECURITY, err.c_str()));

        return ::ndk::ScopedAStatus(AStatus_fromExceptionCodeWithMessage(EX_SECURITY, err.c_str()));

    }

    }

    //

    //

    // For discussion of alternative, sustainable approaches see b/71909242.

    // For discussion of alternative, sustainable approaches see b/71909242.

    if (!mServer.certificate.empty()) {

    if (!mServer.certificate.empty()) {

        // Inject test CA certs from ResolverParamsParcel.caCertificate for internal testing.

        // Inject test CA certs from ResolverParamsParcel.caCertificate for INTERNAL TESTING ONLY.

        // This is only allowed by DnsResolverService if the caller is not AID_SYSTEM

        // This is only allowed by DnsResolverService if the caller is AID_ROOT.

        LOG(WARNING) << "Setting test CA certificate. This should never happen in production code.";

        LOG(WARNING) << "Setting test CA certificate. This should never happen in production code.";

        if (!setTestCaCertificate()) {

        if (!setTestCaCertificate()) {

            LOG(ERROR) << "Failed to set test CA certificate";

            LOG(ERROR) << "Failed to set test CA certificate";

    EXPECT_FALSE(hasUncaughtPrivateDnsValidation(addr2));

    EXPECT_FALSE(hasUncaughtPrivateDnsValidation(addr2));

}

}

TEST_F(ResolverTest, PermissionCheckOnCertificateInjection) {

    ResolverParamsParcel parcel = DnsResponderClient::GetDefaultResolverParamsParcel();

    parcel.caCertificate = kCaCert;

    ASSERT_TRUE(mDnsClient.resolvService()->setResolverConfiguration(parcel).isOk());

    for (const uid_t uid : {AID_SYSTEM, TEST_UID}) {

        ScopedChangeUID scopedChangeUID(uid);

        auto status = mDnsClient.resolvService()->setResolverConfiguration(parcel);

        EXPECT_EQ(status.getExceptionCode(), EX_SECURITY);

    }

}

// Parameterized tests.

// Parameterized tests.

// TODO: Merge the existing tests as parameterized test if possible.

// TODO: Merge the existing tests as parameterized test if possible.

// TODO: Perhaps move parameterized tests to an independent file.

// TODO: Perhaps move parameterized tests to an independent file.

    const uid_t mSavedUid;

    const uid_t mSavedUid;

};

};

class ScopedChangeUID {

  public:

    ScopedChangeUID(uid_t testUid) : mTestUid(testUid), mSavedUid(getuid()) {

        EXPECT_TRUE(seteuid(mTestUid) == 0);

    };

    ~ScopedChangeUID() { EXPECT_TRUE(seteuid(mSavedUid) == 0); }

  private:

    const uid_t mTestUid;

    const uid_t mSavedUid;

};

struct DnsRecord {

struct DnsRecord {

    std::string host_name;  // host name

    std::string host_name;  // host name

    ns_type type;           // record type

    ns_type type;           // record type