author | 2025-01-03 14:18:12 -0800 | |
---|---|---|
committer | 2025-01-06 15:46:07 -0800 | |
commit | 35f00436f25c39813d2927bc58486703a753d1ec (patch) | |
tree | 72aca2bdd079311d32666df9b7b0aa91226569da | |
parent | 58c73246e65934fa5a63952a656c31114cd1707c (diff) |
Do not use BIND_INCLUDE_CAPABILITIES when bind PrintService
The BIND_INCLUDE_CAPABILITIES binding flag is used when a print service
is bound by system_server. As a result, all permissions are passed down
to the service, which is a security vulnerability. This patch adds
a new flag do_not_include_capabilities that controls this behavior.
Bug: 291281543
Test: build and run on Akita
Flag: com.android.server.print.do_not_include_capabilities
Change-Id: I9b2484fc5caa1681bbd80ada9200a01317fc22e9
-rw-r--r-- | services/print/Android.bp | 13 | ||||
-rw-r--r-- | services/print/java/com/android/server/print/RemotePrintService.java | 3 | ||||
-rw-r--r-- | services/print/java/com/android/server/print/flags.aconfig | 9 |
3 files changed, 24 insertions, 1 deletions
diff --git a/services/print/Android.bp b/services/print/Android.bp
index 0dfceaa3a9d9..b77cf162d984 100644
--- a/services/print/Android.bp
+++ b/services/print/Android.bp
@@ -18,8 +18,21 @@ java_library_static {
 name: "services.print",
 defaults: ["platform_service_defaults"],
 srcs: [":services.print-sources"],
+ static_libs: ["print_flags_lib"],
 libs: ["services.core"],
 lint: {
 baseline_filename: "lint-baseline.xml",
 },
 }
+
+aconfig_declarations {
+ name: "print_flags",
+ package: "com.android.server.print",
+ container: "system",
+ srcs: ["**/flags.aconfig"],
+}
+
+java_aconfig_library {
+ name: "print_flags_lib",
+ aconfig_declarations: "print_flags",
+}
diff --git a/services/print/java/com/android/server/print/RemotePrintService.java b/services/print/java/com/android/server/print/RemotePrintService.java
index 502cd2c60f4a..b85671581cc5 100644
--- a/services/print/java/com/android/server/print/RemotePrintService.java
+++ b/services/print/java/com/android/server/print/RemotePrintService.java
@@ -572,7 +572,8 @@ final class RemotePrintService implements DeathRecipient {
 
 boolean wasBound = mContext.bindServiceAsUser(mIntent, mServiceConnection,
 Context.BIND_AUTO_CREATE | Context.BIND_FOREGROUND_SERVICE
- | Context.BIND_INCLUDE_CAPABILITIES | Context.BIND_ALLOW_INSTANT,
+ | (Flags.doNotIncludeCapabilities() ? 0 : Context.BIND_INCLUDE_CAPABILITIES)
+ | Context.BIND_ALLOW_INSTANT,
 new UserHandle(mUserId));
 
 if (!wasBound) {
diff --git a/services/print/java/com/android/server/print/flags.aconfig b/services/print/java/com/android/server/print/flags.aconfig
new file mode 100644
index 000000000000..0210791cfeda
--- /dev/null
+++ b/services/print/java/com/android/server/print/flags.aconfig
@@ -0,0 +1,9 @@
+package: "com.android.server.print"
+container: "system"
+
+flag {
+ name: "do_not_include_capabilities"
+ namespace: "print"
+ description: "Do not use the flag Context.BIND_INCLUDE_CAPABILITIES when binding to the service"
+ bug: "291281543"
+}
|
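Review bot: In RemotePrintService.java the new conditional is buried in the `bindServiceAsUser` argument list with no comment, so a reader cannot easily see that `Context.BIND_INCLUDE_CAPABILITIES` is still passed whenever `Flags.doNotIncludeCapabilities()` returns false. The binding the commit message calls a vulnerability therefore stays in effect until the flag is enabled. I would add above the call `// BIND_INCLUDE_CAPABILITIES lets the bound print service inherit system_server's capabilities; kept only while do_not_include_capabilities is off (b/291281543).` and build the flags in a local first: `int bindFlags = Context.BIND_AUTO_CREATE | Context.BIND_FOREGROUND_SERVICE | Context.BIND_ALLOW_INSTANT;` followed by `if (!Flags.doNotIncludeCapabilities()) bindFlags |= Context.BIND_INCLUDE_CAPABILITIES;`. The commit's Test line mentions only a manual run, so a test asserting the flags passed to the bind call with the flag on and off would guard against the capability flag creeping back. The enclosing method starts and ends outside the hunk.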
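Review bot: In flags.aconfig, `do_not_include_capabilities` gates a security fix but is declared like an ordinary feature flag; adding `metadata { purpose: PURPOSE_BUGFIX }` inside the `flag` block would record that it exists only to roll out a fix and should be removed once the fix is the default. The `description` names the constant that is dropped but not the reason, so I would extend it to something like `"Do not pass Context.BIND_INCLUDE_CAPABILITIES when system_server binds a print service, so the service does not inherit the caller's capabilities"`. The negative flag name also makes the call site read as a double negative (`doNotInclude... ? 0 : INCLUDE`), which deserves a short comment where the flag is read.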