
Commit 760aa764 authored by Lorenzo Colitti's avatar Lorenzo Colitti Committed by android-build-merger

Merge "Don't allow a non-empty CA certificate in production code." am: 47c3eb58

am: 64c5dca9

Change-Id: Ib83f846107a2b80dd112b9395ff91a32f069b54d
parents 16f04b68 64c5dca9
+7 −0
@@ -166,6 +166,13 @@ binder_status_t DnsResolverService::dump(int fd, const char**, uint32_t) {
        const ResolverParamsParcel& resolverParams) {
    // Locking happens in PrivateDnsConfiguration and res_* functions.
    ENFORCE_INTERNAL_PERMISSIONS();

    uid_t uid = AIBinder_getCallingUid();
    if (resolverParams.caCertificate.size() != 0 && uid == AID_SYSTEM) {
        auto err = StringPrintf("UID %d is not authorized to set a non-empty CA certificate", uid);
        return ::ndk::ScopedAStatus(AStatus_fromExceptionCodeWithMessage(EX_SECURITY, err.c_str()));
    }

    // TODO: Remove this log after AIDL gen_log supporting more types, b/129732660
    auto entry =
            gDnsResolverLog.newEntry()
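Review bot: The new check rejects a non-empty caCertificate only for AID_SYSTEM, so a non-system caller can still hand one in here and the production guard is actually the `RESOLV_INJECT_CA_CERTIFICATE` compile-time flag in DnsTlsSocket, not this function; a comment on the `if` should say so, e.g. `// Only the debug-build RESOLV_INJECT_CA_CERTIFICATE path in DnsTlsSocket consumes this; reject it outright from the system UID so system code never depends on it.`. In the StringPrintf call `uid_t` is an unsigned type, so the format should be `"UID %u is not authorized to set a non-empty CA certificate"`. The `.size() != 0` test reads more directly as `!resolverParams.caCertificate.empty()`, matching the `.empty()` style used in DnsTlsSocket::initialize. The enclosing function's signature and the rest of its body are outside the hunk.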
+3 −1
Original line number Diff line number Diff line
@@ -160,7 +160,9 @@ bool DnsTlsSocket::initialize() {
    // For discussion of alternative, sustainable approaches see b/71909242.
    if (RESOLV_INJECT_CA_CERTIFICATE && !mServer.certificate.empty()) {
        // Inject test CA certs from ResolverParamsParcel.caCertificate for internal testing.
        LOG(WARNING) << "test CA certificate is valid";
        // This is only allowed by DnsResolverService if the caller is not AID_SYSTEM, and on
        // debug builds.
        LOG(WARNING) << "Setting test CA certificate. This should never happen in production code.";
        if (!setTestCaCertificate()) {
            LOG(ERROR) << "Failed to set test CA certificate";
            return false;
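Review bot: The added comment attributes both conditions to DnsResolverService ("if the caller is not AID_SYSTEM, and on debug builds"), but from the first hunk DnsResolverService enforces only the UID check; the debug-build restriction comes from the `RESOLV_INJECT_CA_CERTIFICATE` condition tested on the line just above. Suggest splitting the attribution so the two gates are traceable: `// DnsResolverService rejects a non-empty CA certificate from AID_SYSTEM; RESOLV_INJECT_CA_CERTIFICATE restricts this path to debug builds.`. The body of DnsTlsSocket::initialize() starts and ends outside the hunk.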