Merge "Restrict lockdown and firewall to AID_SYSTEM." into jb-mr1-dev
diff --git a/services/java/com/android/server/ConnectivityService.java b/services/java/com/android/server/ConnectivityService.java
index cbbfda1..3a338a9 100644
--- a/services/java/com/android/server/ConnectivityService.java
+++ b/services/java/com/android/server/ConnectivityService.java
@@ -77,6 +77,7 @@
import android.os.Message;
import android.os.ParcelFileDescriptor;
import android.os.PowerManager;
+import android.os.Process;
import android.os.RemoteException;
import android.os.ServiceManager;
import android.os.SystemClock;
@@ -3370,7 +3371,7 @@
@Override
public boolean updateLockdownVpn() {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ enforceSystemUid();
// Tear down existing lockdown if profile was removed
mLockdownEnabled = LockdownVpnTracker.isEnabled();
@@ -3421,4 +3422,11 @@
throw new IllegalStateException("Unavailable in lockdown mode");
}
}
+
+ private static void enforceSystemUid() {
+ final int uid = Binder.getCallingUid();
+ if (uid != Process.SYSTEM_UID) {
+ throw new SecurityException("Only available to AID_SYSTEM");
+ }
+ }
}
diff --git a/services/java/com/android/server/NetworkManagementService.java b/services/java/com/android/server/NetworkManagementService.java
index efa16af..3ddae3e 100644
--- a/services/java/com/android/server/NetworkManagementService.java
+++ b/services/java/com/android/server/NetworkManagementService.java
@@ -45,8 +45,10 @@
import android.net.RouteInfo;
import android.net.wifi.WifiConfiguration;
import android.net.wifi.WifiConfiguration.KeyMgmt;
+import android.os.Binder;
import android.os.Handler;
import android.os.INetworkManagementService;
+import android.os.Process;
import android.os.RemoteCallbackList;
import android.os.RemoteException;
import android.os.SystemClock;
@@ -1436,7 +1438,7 @@
@Override
public void setFirewallEnabled(boolean enabled) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ enforceSystemUid();
try {
mConnector.execute("firewall", enabled ? "enable" : "disable");
mFirewallEnabled = enabled;
@@ -1447,13 +1449,13 @@
@Override
public boolean isFirewallEnabled() {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ enforceSystemUid();
return mFirewallEnabled;
}
@Override
public void setFirewallInterfaceRule(String iface, boolean allow) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ enforceSystemUid();
Preconditions.checkState(mFirewallEnabled);
final String rule = allow ? ALLOW : DENY;
try {
@@ -1465,7 +1467,7 @@
@Override
public void setFirewallEgressSourceRule(String addr, boolean allow) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ enforceSystemUid();
Preconditions.checkState(mFirewallEnabled);
final String rule = allow ? ALLOW : DENY;
try {
@@ -1477,7 +1479,7 @@
@Override
public void setFirewallEgressDestRule(String addr, int port, boolean allow) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ enforceSystemUid();
Preconditions.checkState(mFirewallEnabled);
final String rule = allow ? ALLOW : DENY;
try {
@@ -1489,7 +1491,7 @@
@Override
public void setFirewallUidRule(int uid, boolean allow) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ enforceSystemUid();
Preconditions.checkState(mFirewallEnabled);
final String rule = allow ? ALLOW : DENY;
try {
@@ -1499,6 +1501,13 @@
}
}
+ private static void enforceSystemUid() {
+ final int uid = Binder.getCallingUid();
+ if (uid != Process.SYSTEM_UID) {
+ throw new SecurityException("Only available to AID_SYSTEM");
+ }
+ }
+
@Override
public void monitor() {
if (mConnector != null) {