Allow only AID_ROOT to inject certificate
Explicitly specify AID_ROOT as the only uid that can inject a certificate.
Bug: 150952393
Test: atest
Change-Id: If71c0171bc4347979e278752fc49877359f056b7
diff --git a/tests/resolv_integration_test.cpp b/tests/resolv_integration_test.cpp
index bf26174..236b031 100644
--- a/tests/resolv_integration_test.cpp
+++ b/tests/resolv_integration_test.cpp
@@ -4591,6 +4591,18 @@
EXPECT_FALSE(hasUncaughtPrivateDnsValidation(addr2));
}
+TEST_F(ResolverTest, PermissionCheckOnCertificateInjection) {
+ ResolverParamsParcel parcel = DnsResponderClient::GetDefaultResolverParamsParcel();
+ parcel.caCertificate = kCaCert;
+ ASSERT_TRUE(mDnsClient.resolvService()->setResolverConfiguration(parcel).isOk());
+
+ for (const uid_t uid : {AID_SYSTEM, TEST_UID}) {
+ ScopedChangeUID scopedChangeUID(uid);
+ auto status = mDnsClient.resolvService()->setResolverConfiguration(parcel);
+ EXPECT_EQ(status.getExceptionCode(), EX_SECURITY);
+ }
+}
+
// Parameterized tests.
// TODO: Merge the existing tests as parameterized test if possible.
// TODO: Perhaps move parameterized tests to an independent file.
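Review bot: The loop over `{AID_SYSTEM, TEST_UID}` in PermissionCheckOnCertificateInjection asserts only the exception code, and the rejected calls reuse the parcel that the root call already applied, so the test cannot tell whether a rejected call left the resolver state untouched. It would also pass if the service rejected every non-root call regardless of `caCertificate`; if non-root callers are meant to keep configuring the resolver without a certificate, add a call with an empty `caCertificate` under the same uids that expects success. The initial `ASSERT_TRUE` depends on the test process running as AID_ROOT, which is worth stating above it: `// Runs as AID_ROOT: positive control for the certificate permission check.` Adding `SCOPED_TRACE("uid=" + std::to_string(uid));` at the top of the loop body would show which uid failed. The permission check itself is not visible in this hunk, so whether it runs before any state is changed cannot be confirmed from here.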