author Kwangkyu Park <kk48.park@samsung.com> 2023-07-07 22:25:43 +0900
committer Kwangkyu Park <kk48.park@samsung.com> 2023-07-08 01:28:02 +0900
commitcf72d72cf7bfe49f5a35d6ea3c7bd14b0bbdd055 (patch)
treea3cbaa3fde938f474212e28a11e696329c7ea75d
parent9c30117b0b473a7b04d0e202d91e63d00830eefb (diff)
Camera: Clear identity before access device policy manager
When cameraserver queries the device policy via CameraServiceProxy, the proxy service uses the identity of cameraserver. This causes a SecurityException, and the actual query result is not returned properly. Bug: 290329527 Test: Manual test with TestDPC Change-Id: Ia02aab3276850c16a14b70c027bd03a17a601b8d
-rw-r--r--services/core/java/com/android/server/camera/CameraServiceProxy.java24
1 files changed, 17 insertions, 7 deletions
diff --git a/services/core/java/com/android/server/camera/CameraServiceProxy.java b/services/core/java/com/android/server/camera/CameraServiceProxy.java
index 5a3a3df180a6..2f354b386821 100644
--- a/services/core/java/com/android/server/camera/CameraServiceProxy.java
+++ b/services/core/java/com/android/server/camera/CameraServiceProxy.java
@@ -595,16 +595,26 @@ public class CameraServiceProxy extends SystemService
@Override
public boolean isCameraDisabled(int userId) {
- DevicePolicyManager dpm = mContext.getSystemService(DevicePolicyManager.class);
- if (dpm == null) {
- Slog.e(TAG, "Failed to get the device policy manager service");
+ if (Binder.getCallingUid() != Process.CAMERASERVER_UID) {
+ Slog.e(TAG, "Calling UID: " + Binder.getCallingUid()
+ + " doesn't match expected camera service UID!");
return false;
}
+ final long ident = Binder.clearCallingIdentity();
try {
- return dpm.getCameraDisabled(null, userId);
- } catch (Exception e) {
- e.printStackTrace();
- return false;
+ DevicePolicyManager dpm = mContext.getSystemService(DevicePolicyManager.class);
+ if (dpm == null) {
+ Slog.e(TAG, "Failed to get the device policy manager service");
+ return false;
+ }
+ try {
+ return dpm.getCameraDisabled(null, userId);
+ } catch (Exception e) {
+ e.printStackTrace();
+ return false;
+ }
+ } finally {
+ Binder.restoreCallingIdentity(ident);
}
}
};
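Review bot: The inner `catch (Exception e)` around `dpm.getCameraDisabled(null, userId)` still swallows every failure and returns false, so a policy lookup that throws is reported to cameraserver as "camera not disabled"; going by the commit message, this is the path that masked the SecurityException in the first place. Replace `e.printStackTrace();` with `Slog.e(TAG, "Failed to query camera disabled policy for user " + userId, e);` so the failure lands in the system log under the service tag, and narrow the catch to the exceptions actually expected here. Whether the error paths (this catch and the `dpm == null` branch) should fail closed rather than open is a policy decision for the maintainers, but a comment stating the chosen default would help the next reader. The UID check could also read `Binder.getCallingUid()` once into a local so the logged value is the same one that was compared.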