Android/frameworks_base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge "Restrict lockdown and firewall to AID_SYSTEM." into jb-mr1-dev

Browse Source
This commit is contained in:
Jeff Sharkey
2012-09-06 18:02:44 -07:00
committed by Android (Google) Code Review
parent b75111df9b f56e2435b6
commit fa8d83d904
2 changed files with 24 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
services/java/com/android/server/ConnectivityService.java
View File

@@ -77,6 +77,7 @@ import android.os.Looper;
import android.os.Message; import android.os.Message;
import android.os.ParcelFileDescriptor; import android.os.ParcelFileDescriptor;
import android.os.PowerManager; import android.os.PowerManager;
import android.os.Process;
import android.os.RemoteException; import android.os.RemoteException;
import android.os.ServiceManager; import android.os.ServiceManager;
import android.os.SystemClock; import android.os.SystemClock;
@@ -3370,7 +3371,7 @@ public class ConnectivityService extends IConnectivityManager.Stub {
@Override @Override
public boolean updateLockdownVpn() { public boolean updateLockdownVpn() {
mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG); enforceSystemUid();
// Tear down existing lockdown if profile was removed // Tear down existing lockdown if profile was removed
mLockdownEnabled = LockdownVpnTracker.isEnabled(); mLockdownEnabled = LockdownVpnTracker.isEnabled();
@@ -3421,4 +3422,11 @@ public class ConnectivityService extends IConnectivityManager.Stub {
throw new IllegalStateException("Unavailable in lockdown mode"); throw new IllegalStateException("Unavailable in lockdown mode");
} }
} }
private static void enforceSystemUid() {
final int uid = Binder.getCallingUid();
if (uid != Process.SYSTEM_UID) {
throw new SecurityException("Only available to AID_SYSTEM");
}
}
} }

21
services/java/com/android/server/NetworkManagementService.java
View File

@@ -45,8 +45,10 @@ import android.net.NetworkUtils;
import android.net.RouteInfo; import android.net.RouteInfo;
import android.net.wifi.WifiConfiguration; import android.net.wifi.WifiConfiguration;
import android.net.wifi.WifiConfiguration.KeyMgmt; import android.net.wifi.WifiConfiguration.KeyMgmt;
import android.os.Binder;
import android.os.Handler; import android.os.Handler;
import android.os.INetworkManagementService; import android.os.INetworkManagementService;
import android.os.Process;
import android.os.RemoteCallbackList; import android.os.RemoteCallbackList;
import android.os.RemoteException; import android.os.RemoteException;
import android.os.SystemClock; import android.os.SystemClock;
@@ -1436,7 +1438,7 @@ public class NetworkManagementService extends INetworkManagementService.Stub
@Override @Override
public void setFirewallEnabled(boolean enabled) { public void setFirewallEnabled(boolean enabled) {
mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG); enforceSystemUid();
try { try {
mConnector.execute("firewall", enabled ? "enable" : "disable"); mConnector.execute("firewall", enabled ? "enable" : "disable");
mFirewallEnabled = enabled; mFirewallEnabled = enabled;
@@ -1447,13 +1449,13 @@ public class NetworkManagementService extends INetworkManagementService.Stub
@Override @Override
public boolean isFirewallEnabled() { public boolean isFirewallEnabled() {
mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG); enforceSystemUid();
return mFirewallEnabled; return mFirewallEnabled;
} }
@Override @Override
public void setFirewallInterfaceRule(String iface, boolean allow) { public void setFirewallInterfaceRule(String iface, boolean allow) {
mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG); enforceSystemUid();
Preconditions.checkState(mFirewallEnabled); Preconditions.checkState(mFirewallEnabled);
final String rule = allow ? ALLOW : DENY; final String rule = allow ? ALLOW : DENY;
try { try {
@@ -1465,7 +1467,7 @@ public class NetworkManagementService extends INetworkManagementService.Stub
@Override @Override
public void setFirewallEgressSourceRule(String addr, boolean allow) { public void setFirewallEgressSourceRule(String addr, boolean allow) {
mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG); enforceSystemUid();
Preconditions.checkState(mFirewallEnabled); Preconditions.checkState(mFirewallEnabled);
final String rule = allow ? ALLOW : DENY; final String rule = allow ? ALLOW : DENY;
try { try {
@@ -1477,7 +1479,7 @@ public class NetworkManagementService extends INetworkManagementService.Stub
@Override @Override
public void setFirewallEgressDestRule(String addr, int port, boolean allow) { public void setFirewallEgressDestRule(String addr, int port, boolean allow) {
mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG); enforceSystemUid();
Preconditions.checkState(mFirewallEnabled); Preconditions.checkState(mFirewallEnabled);
final String rule = allow ? ALLOW : DENY; final String rule = allow ? ALLOW : DENY;
try { try {
@@ -1489,7 +1491,7 @@ public class NetworkManagementService extends INetworkManagementService.Stub
@Override @Override
public void setFirewallUidRule(int uid, boolean allow) { public void setFirewallUidRule(int uid, boolean allow) {
mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG); enforceSystemUid();
Preconditions.checkState(mFirewallEnabled); Preconditions.checkState(mFirewallEnabled);
final String rule = allow ? ALLOW : DENY; final String rule = allow ? ALLOW : DENY;
try { try {
@@ -1499,6 +1501,13 @@ public class NetworkManagementService extends INetworkManagementService.Stub
} }
} }
private static void enforceSystemUid() {
final int uid = Binder.getCallingUid();
if (uid != Process.SYSTEM_UID) {
throw new SecurityException("Only available to AID_SYSTEM");
}
}
@Override @Override
public void monitor() { public void monitor() {
if (mConnector != null) { if (mConnector != null) {