diff options
| -rw-r--r-- | services/java/com/android/server/ConnectivityService.java | 10 | ||||
| -rw-r--r-- | services/java/com/android/server/NetworkManagementService.java | 21 |
2 files changed, 24 insertions, 7 deletions
diff --git a/services/java/com/android/server/ConnectivityService.java b/services/java/com/android/server/ConnectivityService.java index cbbfda18c325..3a338a984792 100644 --- a/services/java/com/android/server/ConnectivityService.java +++ b/services/java/com/android/server/ConnectivityService.java @@ -77,6 +77,7 @@ import android.os.Looper; import android.os.Message; import android.os.ParcelFileDescriptor; import android.os.PowerManager; +import android.os.Process; import android.os.RemoteException; import android.os.ServiceManager; import android.os.SystemClock; @@ -3370,7 +3371,7 @@ public class ConnectivityService extends IConnectivityManager.Stub { @Override public boolean updateLockdownVpn() { - mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG); + enforceSystemUid(); // Tear down existing lockdown if profile was removed mLockdownEnabled = LockdownVpnTracker.isEnabled(); @@ -3421,4 +3422,11 @@ public class ConnectivityService extends IConnectivityManager.Stub { throw new IllegalStateException("Unavailable in lockdown mode"); } } + + private static void enforceSystemUid() { + final int uid = Binder.getCallingUid(); + if (uid != Process.SYSTEM_UID) { + throw new SecurityException("Only available to AID_SYSTEM"); + } + } } diff --git a/services/java/com/android/server/NetworkManagementService.java b/services/java/com/android/server/NetworkManagementService.java index efa16af2942a..3ddae3eef51f 100644 --- a/services/java/com/android/server/NetworkManagementService.java +++ b/services/java/com/android/server/NetworkManagementService.java @@ -45,8 +45,10 @@ import android.net.NetworkUtils; import android.net.RouteInfo; import android.net.wifi.WifiConfiguration; import android.net.wifi.WifiConfiguration.KeyMgmt; +import android.os.Binder; import android.os.Handler; import android.os.INetworkManagementService; +import android.os.Process; import android.os.RemoteCallbackList; import android.os.RemoteException; import android.os.SystemClock; @@ -1436,7 +1438,7 @@ public class NetworkManagementService extends INetworkManagementService.Stub @Override public void setFirewallEnabled(boolean enabled) { - mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG); + enforceSystemUid(); try { mConnector.execute("firewall", enabled ? "enable" : "disable"); mFirewallEnabled = enabled; @@ -1447,13 +1449,13 @@ public class NetworkManagementService extends INetworkManagementService.Stub @Override public boolean isFirewallEnabled() { - mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG); + enforceSystemUid(); return mFirewallEnabled; } @Override public void setFirewallInterfaceRule(String iface, boolean allow) { - mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG); + enforceSystemUid(); Preconditions.checkState(mFirewallEnabled); final String rule = allow ? ALLOW : DENY; try { @@ -1465,7 +1467,7 @@ public class NetworkManagementService extends INetworkManagementService.Stub @Override public void setFirewallEgressSourceRule(String addr, boolean allow) { - mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG); + enforceSystemUid(); Preconditions.checkState(mFirewallEnabled); final String rule = allow ? ALLOW : DENY; try { @@ -1477,7 +1479,7 @@ public class NetworkManagementService extends INetworkManagementService.Stub @Override public void setFirewallEgressDestRule(String addr, int port, boolean allow) { - mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG); + enforceSystemUid(); Preconditions.checkState(mFirewallEnabled); final String rule = allow ? ALLOW : DENY; try { @@ -1489,7 +1491,7 @@ public class NetworkManagementService extends INetworkManagementService.Stub @Override public void setFirewallUidRule(int uid, boolean allow) { - mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG); + enforceSystemUid(); Preconditions.checkState(mFirewallEnabled); final String rule = allow ? ALLOW : DENY; try { @@ -1499,6 +1501,13 @@ public class NetworkManagementService extends INetworkManagementService.Stub } } + private static void enforceSystemUid() { + final int uid = Binder.getCallingUid(); + if (uid != Process.SYSTEM_UID) { + throw new SecurityException("Only available to AID_SYSTEM"); + } + } + @Override public void monitor() { if (mConnector != null) { |