Loading DnsResolverService.cpp +8 −38 Original line number Original line Diff line number Diff line Loading @@ -24,7 +24,6 @@ #include <BinderUtil.h> #include <BinderUtil.h> #include <android-base/stringprintf.h> #include <android-base/stringprintf.h> #include <android-base/strings.h> #include <android-base/strings.h> #include <android/binder_ibinder_platform.h> #include <android/binder_manager.h> #include <android/binder_manager.h> #include <android/binder_process.h> #include <android/binder_process.h> #include <netdutils/DumpWriter.h> #include <netdutils/DumpWriter.h> Loading Loading @@ -83,10 +82,8 @@ binder_status_t DnsResolverService::start() { // NetdNativeService does call disableBackgroundScheduling currently, so it is fine now. // NetdNativeService does call disableBackgroundScheduling currently, so it is fine now. std::shared_ptr<DnsResolverService> resolverService = std::shared_ptr<DnsResolverService> resolverService = ::ndk::SharedRefBase::make<DnsResolverService>(); ::ndk::SharedRefBase::make<DnsResolverService>(); auto binder = resolverService->asBinder(); binder_status_t status = AServiceManager_addService(resolverService->asBinder().get(), getServiceName()); if (AIBinder_setRequestingSid) AIBinder_setRequestingSid(binder.get(), true); binder_status_t status = AServiceManager_addService(binder.get(), getServiceName()); if (status != STATUS_OK) { if (status != STATUS_OK) { return status; return status; } } Loading Loading 
@@ -176,45 +173,18 @@ binder_status_t DnsResolverService::dump(int fd, const char** args, uint32_t num return ::ndk::ScopedAStatus(AStatus_fromExceptionCodeWithMessage(EX_SECURITY, err.c_str())); return ::ndk::ScopedAStatus(AStatus_fromExceptionCodeWithMessage(EX_SECURITY, err.c_str())); } } namespace { constexpr char SELINUX_LABEL_SU[] = "u:r:su:s0"; inline bool isRootSecurityContext(const char* sid) { // Type su is used for su processes, as well as for adbd and adb shell after performing an adb // root command. return !strcmp(sid, SELINUX_LABEL_SU); } ::ndk::ScopedAStatus checkCaCertificatePermission() { uid_t uid = AIBinder_getCallingUid(); if (uid != AID_ROOT) { auto err = StringPrintf("UID %d is not authorized to set CA certificate", uid); return ::ndk::ScopedAStatus(AStatus_fromExceptionCodeWithMessage(EX_SECURITY, err.c_str())); } // Check security context if it is supported by platform if (!AIBinder_getCallingSid) { return ::ndk::ScopedAStatus(AStatus_newOk()); } const char* sid = AIBinder_getCallingSid(); if (!sid || !isRootSecurityContext(sid)) { auto err = StringPrintf("sid %s is not authorized to set CA certificate", sid); return ::ndk::ScopedAStatus(AStatus_fromExceptionCodeWithMessage(EX_SECURITY, err.c_str())); } return ::ndk::ScopedAStatus(AStatus_newOk()); } } // namespace ::ndk::ScopedAStatus DnsResolverService::setResolverConfiguration( ::ndk::ScopedAStatus DnsResolverService::setResolverConfiguration( const ResolverParamsParcel& resolverParams) { const ResolverParamsParcel& resolverParams) { // Locking happens in PrivateDnsConfiguration and res_* functions. // Locking happens in PrivateDnsConfiguration and res_* functions. ENFORCE_INTERNAL_PERMISSIONS(); ENFORCE_INTERNAL_PERMISSIONS(); // TODO@: Switch to selinux based permission check if AIBinder_getCallingSid and // AIBinder_setRequestingSid can be supported by libbinder_dnk (b/159135973). 
uid_t uid = AIBinder_getCallingUid(); // CAUTION: caCertificate should NOT be used except for internal testing. // CAUTION: caCertificate should NOT be used except for internal testing. if (resolverParams.caCertificate.size() != 0) { if (resolverParams.caCertificate.size() != 0 && uid != AID_ROOT) { auto status = checkCaCertificatePermission(); auto err = StringPrintf("UID %d is not authorized to set a non-empty CA certificate", uid); if (!status.isOk()) return status; return ::ndk::ScopedAStatus(AStatus_fromExceptionCodeWithMessage(EX_SECURITY, err.c_str())); } } // TODO: Remove this log after AIDL gen_log supporting more types, b/129732660 // TODO: Remove this log after AIDL gen_log supporting more types, b/129732660 Loading Loading
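Review bot: With checkCaCertificatePermission removed, the only gate on a non-empty caCertificate in setResolverConfiguration is `uid != AID_ROOT` (plus whatever ENFORCE_INTERNAL_PERMISSIONS enforces, which is not visible in this hunk), so every AID_ROOT caller — not only the su domain the old SELinux context check admitted — can now install a test CA, and the CAUTION comment no longer says how narrow the remaining check is. I would extend it to `// CAUTION: caCertificate should NOT be used except for internal testing. Until b/159135973 lands, the only check beyond ENFORCE_INTERNAL_PERMISSIONS is uid == AID_ROOT; any root process can set it.` so the weaker trust boundary is stated next to the check rather than only in the TODO above. A smaller point on the same lines: `uid_t` is unsigned, so `%d` in the new StringPrintf should be `%u` (the removed code had the same mismatch). setResolverConfiguration continues past the end of the hunk.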
DnsResolverService.cpp +8 −38 Original line number Original line Diff line number Diff line Loading @@ -24,7 +24,6 @@ #include <BinderUtil.h> #include <BinderUtil.h> #include <android-base/stringprintf.h> #include <android-base/stringprintf.h> #include <android-base/strings.h> #include <android-base/strings.h> #include <android/binder_ibinder_platform.h> #include <android/binder_manager.h> #include <android/binder_manager.h> #include <android/binder_process.h> #include <android/binder_process.h> #include <netdutils/DumpWriter.h> #include <netdutils/DumpWriter.h> Loading Loading @@ -83,10 +82,8 @@ binder_status_t DnsResolverService::start() { // NetdNativeService does call disableBackgroundScheduling currently, so it is fine now. // NetdNativeService does call disableBackgroundScheduling currently, so it is fine now. std::shared_ptr<DnsResolverService> resolverService = std::shared_ptr<DnsResolverService> resolverService = ::ndk::SharedRefBase::make<DnsResolverService>(); ::ndk::SharedRefBase::make<DnsResolverService>(); auto binder = resolverService->asBinder(); binder_status_t status = AServiceManager_addService(resolverService->asBinder().get(), getServiceName()); if (AIBinder_setRequestingSid) AIBinder_setRequestingSid(binder.get(), true); binder_status_t status = AServiceManager_addService(binder.get(), getServiceName()); if (status != STATUS_OK) { if (status != STATUS_OK) { return status; return status; } } Loading Loading 
@@ -176,45 +173,18 @@ binder_status_t DnsResolverService::dump(int fd, const char** args, uint32_t num return ::ndk::ScopedAStatus(AStatus_fromExceptionCodeWithMessage(EX_SECURITY, err.c_str())); return ::ndk::ScopedAStatus(AStatus_fromExceptionCodeWithMessage(EX_SECURITY, err.c_str())); } } namespace { constexpr char SELINUX_LABEL_SU[] = "u:r:su:s0"; inline bool isRootSecurityContext(const char* sid) { // Type su is used for su processes, as well as for adbd and adb shell after performing an adb // root command. return !strcmp(sid, SELINUX_LABEL_SU); } ::ndk::ScopedAStatus checkCaCertificatePermission() { uid_t uid = AIBinder_getCallingUid(); if (uid != AID_ROOT) { auto err = StringPrintf("UID %d is not authorized to set CA certificate", uid); return ::ndk::ScopedAStatus(AStatus_fromExceptionCodeWithMessage(EX_SECURITY, err.c_str())); } // Check security context if it is supported by platform if (!AIBinder_getCallingSid) { return ::ndk::ScopedAStatus(AStatus_newOk()); } const char* sid = AIBinder_getCallingSid(); if (!sid || !isRootSecurityContext(sid)) { auto err = StringPrintf("sid %s is not authorized to set CA certificate", sid); return ::ndk::ScopedAStatus(AStatus_fromExceptionCodeWithMessage(EX_SECURITY, err.c_str())); } return ::ndk::ScopedAStatus(AStatus_newOk()); } } // namespace ::ndk::ScopedAStatus DnsResolverService::setResolverConfiguration( ::ndk::ScopedAStatus DnsResolverService::setResolverConfiguration( const ResolverParamsParcel& resolverParams) { const ResolverParamsParcel& resolverParams) { // Locking happens in PrivateDnsConfiguration and res_* functions. // Locking happens in PrivateDnsConfiguration and res_* functions. ENFORCE_INTERNAL_PERMISSIONS(); ENFORCE_INTERNAL_PERMISSIONS(); // TODO@: Switch to selinux based permission check if AIBinder_getCallingSid and // AIBinder_setRequestingSid can be supported by libbinder_dnk (b/159135973). 
uid_t uid = AIBinder_getCallingUid(); // CAUTION: caCertificate should NOT be used except for internal testing. // CAUTION: caCertificate should NOT be used except for internal testing. if (resolverParams.caCertificate.size() != 0) { if (resolverParams.caCertificate.size() != 0 && uid != AID_ROOT) { auto status = checkCaCertificatePermission(); auto err = StringPrintf("UID %d is not authorized to set a non-empty CA certificate", uid); if (!status.isOk()) return status; return ::ndk::ScopedAStatus(AStatus_fromExceptionCodeWithMessage(EX_SECURITY, err.c_str())); } } // TODO: Remove this log after AIDL gen_log supporting more types, b/129732660 // TODO: Remove this log after AIDL gen_log supporting more types, b/129732660 Loading