From f0f97d362a7ca644ac41542a12cc674e090135d3 Mon Sep 17 00:00:00 2001 From: Steven Moreland Date: Wed, 10 Jul 2019 18:35:46 -0700 Subject: libbinder: require shell/root UID for shell The APIs under SHELL_COMMAND_TRANSACTION are considered to be development APIs and are not suitable for actual usage on the device, especially where the APIs need to be stable over long periods of time. Bug: N/A Test: as follows walleye:/ # su root cmd package list packages walleye:/ # su shell cmd package list packages walleye:/ # su system cmd package list packages cmd: Failure calling service package: Operation not permitted (1) Change-Id: I236281ba0346711f89507d026eadd5ae3c9337b1 --- libs/binder/Binder.cpp | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) (limited to 'libs') diff --git a/libs/binder/Binder.cpp b/libs/binder/Binder.cpp index 96ee29556c..7324cf5bea 100644 --- a/libs/binder/Binder.cpp +++ b/libs/binder/Binder.cpp @@ -17,12 +17,15 @@ #include #include -#include #include #include +#include #include #include #include +#include +#include +#include #include @@ -125,6 +128,19 @@ status_t BBinder::transact( { data.setDataPosition(0); + // Shell command transaction is conventionally implemented by + // overriding onTransact by copy/pasting the parceling code from + // this file. So, we must check permissions for it before we call + // onTransact. This check is here because shell APIs aren't + // guaranteed to be stable, and so they should only be used by + // developers. + if (CC_UNLIKELY(code == SHELL_COMMAND_TRANSACTION)) { + uid_t uid = IPCThreadState::self()->getCallingUid(); + if (uid != AID_SHELL && uid != AID_ROOT) { + return PERMISSION_DENIED; + } + } + status_t err = NO_ERROR; switch (code) { case PING_TRANSACTION: -- cgit v1.2.3-59-g8ed1b
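Review bot: The uid gate in the new block (`if (uid != AID_SHELL && uid != AID_ROOT)`) takes its value from `IPCThreadState::self()->getCallingUid()`, which for an invocation that did not arrive through the binder driver (a same-process call into `transact()`) presumably reports the process's own uid rather than any remote caller's, so local callers inside a non-shell/root process would now get PERMISSION_DENIED — worth stating at the check, e.g. `// Calling uid is the driver-supplied caller; in-process callers are judged by their own process uid.` The gate also only protects subclasses that override onTransact(), as the comment block says; a BBinder subclass that overrides transact() itself skips it entirely, and the comment should say so rather than leave it implied. A denied attempt is currently dropped silently; if a logging header is already in scope in this file (the include targets in the first hunk are not readable here, so confirm), an `ALOGW("SHELL_COMMAND_TRANSACTION denied for uid %d", uid);` before the `return PERMISSION_DENIED;` would make probing of these development-only APIs visible in logcat. BBinder::transact begins before this hunk and its switch continues past the last context line.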