
Commit fa8d83d

jsharkeyAndroid (Google) Code Review
authored andcommitted
Merge "Restrict lockdown and firewall to AID_SYSTEM." into jb-mr1-dev
2 parents b75111d + f56e243 commit fa8d83d


2 files changed

+24
-7
lines changed


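--- a/services/java/com/android/server/ConnectivityService.java
+++ b/services/java/com/android/server/ConnectivityService.java
@@ -77,6 +77,7 @@
 import android.os.Message;
 import android.os.ParcelFileDescriptor;
 import android.os.PowerManager;
+import android.os.Process;
 import android.os.RemoteException;
 import android.os.ServiceManager;
 import android.os.SystemClock;
@@ -3370,7 +3371,7 @@ public void restore() {
 
 @Override
 public boolean updateLockdownVpn() {
-mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+enforceSystemUid();
 
 // Tear down existing lockdown if profile was removed
 mLockdownEnabled = LockdownVpnTracker.isEnabled();
@@ -3421,4 +3422,11 @@ private void throwIfLockdownEnabled() {
 throw new IllegalStateException("Unavailable in lockdown mode");
 }
 }
+
+private static void enforceSystemUid() {
+final int uid = Binder.getCallingUid();
+if (uid != Process.SYSTEM_UID) {
+throw new SecurityException("Only available to AID_SYSTEM");
+}
+}
 }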
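Review bot: `enforceSystemUid()` at the end of the file compares the full value of `Binder.getCallingUid()` with `Process.SYSTEM_UID`, and nothing on the helper says whether that exact comparison is deliberate. On a multi-user build a process running under the system app id for a secondary user would presumably carry a different full uid and be rejected, while an in-process call, or one made after `Binder.clearCallingIdentity()`, is accepted as system. I would add a Javadoc on the helper stating both facts and that the call must stay the first statement of the guarded method, as it is in `updateLockdownVpn()`; the identical helper added to NetworkManagementService.java needs the same comment. `Binder` is used here but only the `Process` import is added in this section, so I assume it was already imported.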

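--- a/services/java/com/android/server/NetworkManagementService.java
+++ b/services/java/com/android/server/NetworkManagementService.java
@@ -45,8 +45,10 @@
 import android.net.RouteInfo;
 import android.net.wifi.WifiConfiguration;
 import android.net.wifi.WifiConfiguration.KeyMgmt;
+import android.os.Binder;
 import android.os.Handler;
 import android.os.INetworkManagementService;
+import android.os.Process;
 import android.os.RemoteCallbackList;
 import android.os.RemoteException;
 import android.os.SystemClock;
@@ -1436,7 +1438,7 @@ public void flushInterfaceDnsCache(String iface) {
 
 @Override
 public void setFirewallEnabled(boolean enabled) {
-mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+enforceSystemUid();
 try {
 mConnector.execute("firewall", enabled ? "enable" : "disable");
 mFirewallEnabled = enabled;
@@ -1447,13 +1449,13 @@ public void setFirewallEnabled(boolean enabled) {
 
 @Override
 public boolean isFirewallEnabled() {
-mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+enforceSystemUid();
 return mFirewallEnabled;
 }
 
 @Override
 public void setFirewallInterfaceRule(String iface, boolean allow) {
-mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+enforceSystemUid();
 Preconditions.checkState(mFirewallEnabled);
 final String rule = allow ? ALLOW : DENY;
 try {
@@ -1465,7 +1467,7 @@ public void setFirewallInterfaceRule(String iface, boolean allow) {
 
 @Override
 public void setFirewallEgressSourceRule(String addr, boolean allow) {
-mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+enforceSystemUid();
 Preconditions.checkState(mFirewallEnabled);
 final String rule = allow ? ALLOW : DENY;
 try {
@@ -1477,7 +1479,7 @@ public void setFirewallEgressSourceRule(String addr, boolean allow) {
 
 @Override
 public void setFirewallEgressDestRule(String addr, int port, boolean allow) {
-mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+enforceSystemUid();
 Preconditions.checkState(mFirewallEnabled);
 final String rule = allow ? ALLOW : DENY;
 try {
@@ -1489,7 +1491,7 @@ public void setFirewallEgressDestRule(String addr, int port, boolean allow) {
 
 @Override
 public void setFirewallUidRule(int uid, boolean allow) {
-mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+enforceSystemUid();
 Preconditions.checkState(mFirewallEnabled);
 final String rule = allow ? ALLOW : DENY;
 try {
@@ -1499,6 +1501,13 @@ public void setFirewallUidRule(int uid, boolean allow) {
 }
 }
 
+private static void enforceSystemUid() {
+final int uid = Binder.getCallingUid();
+if (uid != Process.SYSTEM_UID) {
+throw new SecurityException("Only available to AID_SYSTEM");
+}
+}
+
 @Override
 public void monitor() {
 if (mConnector != null) {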
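Review bot: The `SecurityException` thrown by `enforceSystemUid()` does not say which caller was rejected, which makes a denied firewall call hard to trace from logs; `throw new SecurityException("Only available to AID_SYSTEM, caller uid " + uid);` would carry the uid the helper has already read. The helper is also a verbatim copy of the one added to ConnectivityService.java, so any later change to this access check has to be made in two places; one shared static helper would keep the two services from drifting apart. `isFirewallEnabled()` is a read-only getter that now throws for every non-system caller, which deserves a one-line comment if that is intended.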
