author | 2023-10-06 05:34:14 +0000 | |
---|---|---|
committer | 2023-10-06 05:34:14 +0000 | |
commit | 8b919d0eb0e816bdd67f11855e649ce3723930ee (patch) | |
tree | b9785db180fb54b3a776f645cbb2a7ef480e0cb9 /cmds/servicemanager/ServiceManager.cpp | |
parent | e4b64ebecf894e3047e46894a83ab8d37feabd3e (diff) | |
parent | 1961b2f7b191744f3fc6bb4d32f0da0ce3ee0567 (diff) |
Merge "Merge Android 14" into main
Diffstat (limited to 'cmds/servicemanager/ServiceManager.cpp')
-rw-r--r-- | cmds/servicemanager/ServiceManager.cpp | 26 |
1 files changed, 18 insertions, 8 deletions
diff --git a/cmds/servicemanager/ServiceManager.cpp b/cmds/servicemanager/ServiceManager.cpp
index facb8b133b..77989d148b 100644
--- a/cmds/servicemanager/ServiceManager.cpp
+++ b/cmds/servicemanager/ServiceManager.cpp
@@ -40,6 +40,11 @@ using ::android::internal::Stability;
 namespace android {
+bool is_multiuser_uid_isolated(uid_t uid) {
+ uid_t appid = multiuser_get_app_id(uid);
+ return appid >= AID_ISOLATED_START && appid <= AID_ISOLATED_END;
+}
+
 #ifndef VENDORSERVICEMANAGER
 struct ManifestWithDescription {
@@ -302,13 +307,8 @@ sp<IBinder> ServiceManager::tryGetService(const std::string& name, bool startIfN
 if (auto it = mNameToService.find(name); it != mNameToService.end()) {
 service = &(it->second);
- if (!service->allowIsolated) {
- uid_t appid = multiuser_get_app_id(ctx.uid);
- bool isIsolated = appid >= AID_ISOLATED_START && appid <= AID_ISOLATED_END;
-
- if (isIsolated) {
- return nullptr;
- }
+ if (!service->allowIsolated && is_multiuser_uid_isolated(ctx.uid)) {
+ return nullptr;
 }
 out = service->binder;
 }
@@ -472,7 +472,17 @@ Status ServiceManager::registerForNotifications(
 auto ctx = mAccess->getCallingContext();
 if (!mAccess->canFind(ctx, name)) {
- return Status::fromExceptionCode(Status::EX_SECURITY);
+ return Status::fromExceptionCode(Status::EX_SECURITY, "SELinux");
+ }
+
+ // note - we could allow isolated apps to get notifications if we
+ // keep track of isolated callbacks and non-isolated callbacks, but
+ // this is done since isolated apps shouldn't access lazy services
+ // so we should be able to use different APIs to keep things simple.
+ // Here, we disallow everything, because the service might not be
+ // registered yet.
+ if (is_multiuser_uid_isolated(ctx.uid)) {
+ return Status::fromExceptionCode(Status::EX_SECURITY, "isolated app");
 }
 if (!isValidServiceName(name)) { |
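Review bot: `is_multiuser_uid_isolated` in the first hunk is defined with external linkage at `android` namespace scope, although the visible callers are all in this file; `static bool is_multiuser_uid_isolated(uid_t uid) {` (or an anonymous namespace) would keep it file-local. Two access decisions now depend on this one predicate, so it deserves a short comment such as `// True when the app-id part of uid is in [AID_ISOLATED_START, AID_ISOLATED_END].` It is also worth confirming whether the separate app-zygote isolated range (`AID_APP_ZYGOTE_ISOLATED_START`..`AID_APP_ZYGOTE_ISOLATED_END`, if this tree defines it) should count as isolated here. The removed inline check in `tryGetService` covered the same single range, so this would be a pre-existing gap rather than a regression.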
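Review bot: The new isolated-caller rejection in `registerForNotifications` returns `EX_SECURITY` without logging anything on the service-manager side, whereas the `canFind` denial just above it presumably leaves an SELinux audit record. A warning before the return, e.g. `ALOGW("isolated uid %u denied registerForNotifications", ctx.uid);`, would make these rejections visible to whoever triages them. It should log the UID only, because at this point `name` has not yet passed `isValidServiceName`. The comment block would be clearer if it said outright that every isolated caller is rejected regardless of the target's `allowIsolated` flag, since the service may not be registered yet when the callback is installed. The function body starts and ends outside the hunk.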