| author | 2019-07-15 09:48:44 -0700 | |
|---|---|---|
| committer | 2019-07-15 09:48:44 -0700 | |
| commit | f9f627bf75a0507d760997d417c0b9d9ae2d5a7f (patch) | |
| tree | b657d1235ca6792cbbe273bda31cb5629a2472d0 | |
| parent | cd92ac62e721f57b53270ac6691018e3b213202b (diff) | |
| parent | bb6eff9bad6cc8f6a947343602a66910267d65b6 (diff) | |
Merge "libbinder: require shell/root UID for shell" am: c5ae56685d am: 386b133b54 am: 3f373c0379
am: bb6eff9bad
Change-Id: I2319c8cbbbf0d35d85922adfb9cc93db59eafc22
| -rw-r--r-- | libs/binder/Binder.cpp | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/libs/binder/Binder.cpp b/libs/binder/Binder.cpp
index cb0e08d123..3de4487b60 100644
--- a/libs/binder/Binder.cpp
+++ b/libs/binder/Binder.cpp
@@ -17,12 +17,15 @@
 #include <binder/Binder.h>
 #include <atomic>
-#include <utils/misc.h>
 #include <binder/BpBinder.h>
 #include <binder/IInterface.h>
+#include <binder/IPCThreadState.h>
 #include <binder/IResultReceiver.h>
 #include <binder/IShellCallback.h>
 #include <binder/Parcel.h>
+#include <cutils/android_filesystem_config.h>
+#include <cutils/compiler.h>
+#include <utils/misc.h>
 #include <stdio.h>
@@ -125,6 +128,19 @@ status_t BBinder::transact(
 {
 data.setDataPosition(0);
+ // Shell command transaction is conventionally implemented by
+ // overriding onTransact by copy/pasting the parceling code from
+ // this file. So, we must check permissions for it before we call
+ // onTransact. This check is here because shell APIs aren't
+ // guaranteed to be stable, and so they should only be used by
+ // developers.
+ if (CC_UNLIKELY(code == SHELL_COMMAND_TRANSACTION)) {
+ uid_t uid = IPCThreadState::self()->getCallingUid();
+ if (uid != AID_SHELL && uid != AID_ROOT) {
+ return PERMISSION_DENIED;
+ }
+ }
+
 status_t err = NO_ERROR;
 switch (code) {
 case PING_TRANSACTION: |
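Review bot: The denial path of the new `SHELL_COMMAND_TRANSACTION` guard in `BBinder::transact` returns `PERMISSION_DENIED` without leaving any trace, so a non-shell, non-root UID sending shell commands to a service cannot be seen in the logs. Consider a warning before the return, e.g. `ALOGW("shell command transaction denied for uid %u", static_cast<unsigned>(uid));` (the logging header may need adding to the include block if it is not already pulled in). The comment justifies the check by API stability, but it is in effect an access-control gate and should say so. It should also note that `getCallingUid()` reflects the binder transaction the thread is currently serving, so a direct in-process call to `transact()` is judged by whatever identity the thread carries at that moment; worth confirming that this is intended. Because the check sits in `transact` itself, a subclass that overrides `transact` rather than `onTransact` would presumably not pass through it; `transact`'s body continues outside the hunk.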