| author | 2024-08-07 09:25:54 +0000 | |
|---|---|---|
| committer | 2024-08-07 09:25:54 +0000 | |
| commit | 18b15cce78d05a05bccdc7b3db60967d56970bf9 (patch) | |
| tree | 227f7aaf8803a80cae5a6734fc686d5096399a59 /cmds/servicemanager/ServiceManager.cpp | |
| parent | 197f72e90cfdddd1c2bb04b64c3e0cdfaab3a97d (diff) | |
| parent | bbc53bc0d44fec0747c040eefba657b1a43e5385 (diff) | |
Merge "Check permission to add accessor in servicemanager" into main am: bbc53bc0d4
Original change: https://android-review.googlesource.com/c/platform/frameworks/native/+/3197352
Change-Id: Ibfd028baa201f8f50c9f36b5333eafa01aaef567
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
Diffstat (limited to 'cmds/servicemanager/ServiceManager.cpp')
| -rw-r--r-- | cmds/servicemanager/ServiceManager.cpp | 32 |
1 files changed, 26 insertions, 6 deletions
diff --git a/cmds/servicemanager/ServiceManager.cpp b/cmds/servicemanager/ServiceManager.cpp
index ef2fa4dff7..fa7cb64f3a 100644
--- a/cmds/servicemanager/ServiceManager.cpp
+++ b/cmds/servicemanager/ServiceManager.cpp
@@ -505,8 +505,9 @@ Status ServiceManager::addService(const std::string& name, const sp<IBinder>& bi
 return Status::fromExceptionCode(Status::EX_SECURITY, "App UIDs cannot add services.");
 }
- if (!mAccess->canAdd(ctx, name)) {
- return Status::fromExceptionCode(Status::EX_SECURITY, "SELinux denied.");
+ std::optional<std::string> accessorName;
+ if (auto status = canAddService(ctx, name, &accessorName); !status.isOk()) {
+ return status;
 }
 if (binder == nullptr) {
@@ -888,8 +889,9 @@ Status ServiceManager::registerClientCallback(const std::string& name, const sp<
 }
 auto ctx = mAccess->getCallingContext();
- if (!mAccess->canAdd(ctx, name)) {
- return Status::fromExceptionCode(Status::EX_SECURITY, "SELinux denied.");
+ std::optional<std::string> accessorName;
+ if (auto status = canAddService(ctx, name, &accessorName); !status.isOk()) {
+ return status;
 }
 auto serviceIt = mNameToService.find(name);
@@ -1051,8 +1053,9 @@ Status ServiceManager::tryUnregisterService(const std::string& name, const sp<IB
 }
 auto ctx = mAccess->getCallingContext();
- if (!mAccess->canAdd(ctx, name)) {
- return Status::fromExceptionCode(Status::EX_SECURITY, "SELinux denied.");
+ std::optional<std::string> accessorName;
+ if (auto status = canAddService(ctx, name, &accessorName); !status.isOk()) {
+ return status;
 }
 auto serviceIt = mNameToService.find(name);
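Review bot: `accessorName` is declared and filled in by `canAddService` in `addService`, but nothing in the visible lines of this hunk reads it afterwards, and the same holds for the identical change in `registerClientCallback` and `tryUnregisterService`. All three function bodies continue outside their hunks, so this may be resolved further down; if it is not, the local exists only to satisfy the out-parameter, and a comment such as `// accessorName is only needed for the permission check; its value is not used here` would make that explicit. The denial text returned to callers also changes from "SELinux denied." to "SELinux denied for service.", so any test or client matching on the old string needs updating.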
@@ -1110,6 +1113,23 @@ Status ServiceManager::tryUnregisterService(const std::string& name, const sp<IB
 return Status::ok();
 }
+Status ServiceManager::canAddService(const Access::CallingContext& ctx, const std::string& name,
+ std::optional<std::string>* accessor) {
+ if (!mAccess->canAdd(ctx, name)) {
+ return Status::fromExceptionCode(Status::EX_SECURITY, "SELinux denied for service.");
+ }
+#ifndef VENDORSERVICEMANAGER
+ *accessor = getVintfAccessorName(name);
+#endif
+ if (accessor->has_value()) {
+ if (!mAccess->canAdd(ctx, accessor->value())) {
+ return Status::fromExceptionCode(Status::EX_SECURITY,
+ "SELinux denied for the accessor of the service.");
+ }
+ }
+ return Status::ok();
+}
+
 Status ServiceManager::canFindService(const Access::CallingContext& ctx, const std::string& name, std::optional<std::string>* accessor) {
 if (!mAccess->canFind(ctx, name)) { |
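Review bot: In `canAddService` the out-parameter is assigned only inside `#ifndef VENDORSERVICEMANAGER`, so when that macro is defined the `accessor->has_value()` branch depends on whatever the caller passed in. The three callers in this commit pass a freshly constructed empty optional, but nothing in the function enforces that. Adding `*accessor = std::nullopt;` before the `#ifndef` makes the second `canAdd` check independent of caller state in both builds. `accessor` is also dereferenced without a null check, which deserves either a guard or a `// accessor must be non-null` comment. A short header comment stating that the caller needs add permission on both the service name and its VINTF accessor name, and that the accessor lookup is compiled out when `VENDORSERVICEMANAGER` is defined, would document the policy this function introduces.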