diff options
| author | 2024-08-07 09:13:44 +0000 | |
|---|---|---|
| committer | 2024-08-07 09:13:44 +0000 | |
| commit | bbc53bc0d44fec0747c040eefba657b1a43e5385 (patch) | |
| tree | 7def6e4ec8b30bca71c7d6cc9121d6e72f874d9d | |
| parent | 8c6d7e59f34cc7895f6d6ae4bde81fbb4859bef6 (diff) | |
| parent | d404e0fcd477adffe77113370744f9d2b007cf75 (diff) | |
Merge "Check permission to add accessor in servicemanager" into main
| -rw-r--r-- | cmds/servicemanager/ServiceManager.cpp | 32 | ||||
| -rw-r--r-- | cmds/servicemanager/ServiceManager.h | 2 |
2 files changed, 28 insertions, 6 deletions
diff --git a/cmds/servicemanager/ServiceManager.cpp b/cmds/servicemanager/ServiceManager.cpp index ef2fa4dff7..fa7cb64f3a 100644 --- a/cmds/servicemanager/ServiceManager.cpp +++ b/cmds/servicemanager/ServiceManager.cpp @@ -505,8 +505,9 @@ Status ServiceManager::addService(const std::string& name, const sp<IBinder>& bi return Status::fromExceptionCode(Status::EX_SECURITY, "App UIDs cannot add services."); } - if (!mAccess->canAdd(ctx, name)) { - return Status::fromExceptionCode(Status::EX_SECURITY, "SELinux denied."); + std::optional<std::string> accessorName; + if (auto status = canAddService(ctx, name, &accessorName); !status.isOk()) { + return status; } if (binder == nullptr) { @@ -888,8 +889,9 @@ Status ServiceManager::registerClientCallback(const std::string& name, const sp< } auto ctx = mAccess->getCallingContext(); - if (!mAccess->canAdd(ctx, name)) { - return Status::fromExceptionCode(Status::EX_SECURITY, "SELinux denied."); + std::optional<std::string> accessorName; + if (auto status = canAddService(ctx, name, &accessorName); !status.isOk()) { + return status; } auto serviceIt = mNameToService.find(name); @@ -1051,8 +1053,9 @@ Status ServiceManager::tryUnregisterService(const std::string& name, const sp<IB } auto ctx = mAccess->getCallingContext(); - if (!mAccess->canAdd(ctx, name)) { - return Status::fromExceptionCode(Status::EX_SECURITY, "SELinux denied."); + std::optional<std::string> accessorName; + if (auto status = canAddService(ctx, name, &accessorName); !status.isOk()) { + return status; } auto serviceIt = mNameToService.find(name); @@ -1110,6 +1113,23 @@ Status ServiceManager::tryUnregisterService(const std::string& name, const sp<IB return Status::ok(); } +Status ServiceManager::canAddService(const Access::CallingContext& ctx, const std::string& name, + std::optional<std::string>* accessor) { + if (!mAccess->canAdd(ctx, name)) { + return Status::fromExceptionCode(Status::EX_SECURITY, "SELinux denied for service."); + } +#ifndef VENDORSERVICEMANAGER + *accessor = getVintfAccessorName(name); +#endif + if (accessor->has_value()) { + if (!mAccess->canAdd(ctx, accessor->value())) { + return Status::fromExceptionCode(Status::EX_SECURITY, + "SELinux denied for the accessor of the service."); + } + } + return Status::ok(); +} + Status ServiceManager::canFindService(const Access::CallingContext& ctx, const std::string& name, std::optional<std::string>* accessor) { if (!mAccess->canFind(ctx, name)) { diff --git a/cmds/servicemanager/ServiceManager.h b/cmds/servicemanager/ServiceManager.h index 0d666c6bce..c92141b393 100644 --- a/cmds/servicemanager/ServiceManager.h +++ b/cmds/servicemanager/ServiceManager.h @@ -115,6 +115,8 @@ private: os::Service tryGetService(const std::string& name, bool startIfNotFound); sp<IBinder> tryGetBinder(const std::string& name, bool startIfNotFound); + binder::Status canAddService(const Access::CallingContext& ctx, const std::string& name, + std::optional<std::string>* accessor); binder::Status canFindService(const Access::CallingContext& ctx, const std::string& name, std::optional<std::string>* accessor); |