audio: filter reserved binder calls
Block incoming binder calls to audio flinger and audio policy service
for sensitive functions if they are not coming from a system UID.
Bug: 72278478
Test: audio smoke tests. CTS tests for AudioTrack and AudioRecord
Change-Id: I78e02efffe135d5450ced125e51e2084719ca03d
diff --git a/media/libaudioclient/IAudioFlinger.cpp b/media/libaudioclient/IAudioFlinger.cpp
index ae9c96f..f234e47 100644
--- a/media/libaudioclient/IAudioFlinger.cpp
+++ b/media/libaudioclient/IAudioFlinger.cpp
@@ -24,6 +24,7 @@
#include <binder/IPCThreadState.h>
#include <binder/Parcel.h>
+#include <private/android_filesystem_config.h>
#include "IAudioFlinger.h"
@@ -881,6 +882,24 @@
break;
}
+ // make sure the following transactions come from system components
+ switch (code) {
+ case SET_MASTER_VOLUME:
+ case SET_MASTER_MUTE:
+ case SET_MODE:
+ case SET_MIC_MUTE:
+ case SET_LOW_RAM_DEVICE:
+ case SYSTEM_READY:
+ if (IPCThreadState::self()->getCallingUid() >= AID_APP_START) {
+ ALOGW("%s: transaction %d received from PID %d unauthorized UID %d",
+ __func__, code, IPCThreadState::self()->getCallingPid(),
+ IPCThreadState::self()->getCallingUid());
+ return INVALID_OPERATION;
+ }
+ default:
+ break;
+ }
+
// Whitelist of relevant events to trigger log merging.
// Log merging should activate during audio activity of any kind. This are considered the
// most relevant events.
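Review bot: The guard added in this switch admits every caller whose UID is below `AID_APP_START`, which is wider than the "system components" named in its comment. That range also covers the shell UID and the other native daemon UIDs, not only the system server and audio server. If that is intended, the comment should say so, for example `// reject app UIDs (>= AID_APP_START); lower UIDs are still subject to the per-method checks`. Whether such per-method checks exist for these six codes is not visible here, since the enclosing function starts and ends outside the hunk. The identical guard added to IAudioPolicyService.cpp has the same property.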
diff --git a/media/libaudioclient/IAudioPolicyService.cpp b/media/libaudioclient/IAudioPolicyService.cpp
index b91e4cf..8f5ff30 100644
--- a/media/libaudioclient/IAudioPolicyService.cpp
+++ b/media/libaudioclient/IAudioPolicyService.cpp
@@ -27,7 +27,7 @@
#include <media/AudioEffect.h>
#include <media/IAudioPolicyService.h>
-
+#include <private/android_filesystem_config.h>
#include <system/audio.h>
namespace android {
@@ -861,6 +861,27 @@
break;
}
+ // make sure the following transactions come from system components
+ switch (code) {
+ case SET_DEVICE_CONNECTION_STATE:
+ case HANDLE_DEVICE_CONFIG_CHANGE:
+ case SET_PHONE_STATE:
+ case SET_RINGER_MODE:
+ case SET_FORCE_USE:
+ case INIT_STREAM_VOLUME:
+ case SET_STREAM_VOLUME:
+ case REGISTER_POLICY_MIXES:
+ case SET_MASTER_MONO:
+ if (IPCThreadState::self()->getCallingUid() >= AID_APP_START) {
+ ALOGW("%s: transaction %d received from PID %d unauthorized UID %d",
+ __func__, code, IPCThreadState::self()->getCallingPid(),
+ IPCThreadState::self()->getCallingUid());
+ return INVALID_OPERATION;
+ }
+ default:
+ break;
+ }
+
switch (code) {
case SET_DEVICE_CONNECTION_STATE: {
CHECK_INTERFACE(IAudioPolicyService, data, reply);
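Review bot: The list of guarded codes in the new first `switch` is maintained separately from the dispatch `switch (code)` that begins right after it. A transaction added to the dispatch later stays reachable from app UIDs unless the guard list is extended as well. A comment on the guard would make that maintenance rule explicit, for example `// NOTE: every transaction that changes global policy state must be listed here; unlisted codes are not UID-filtered`. The guarded cases also run into `default:` without a `break;`, so adding `break;` after the `if` block would show that the fall-through is deliberate. The enclosing function starts outside the hunk.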
diff --git a/services/audiopolicy/service/AudioPolicyService.cpp b/services/audiopolicy/service/AudioPolicyService.cpp
index e5aed9a..90a5a0f 100644
--- a/services/audiopolicy/service/AudioPolicyService.cpp
+++ b/services/audiopolicy/service/AudioPolicyService.cpp
@@ -273,7 +273,7 @@
void AudioPolicyService::NotificationClient::onDynamicPolicyMixStateUpdate(
const String8& regId, int32_t state)
{
- if (mAudioPolicyServiceClient != 0) {
+ if (mAudioPolicyServiceClient != 0 && mUid < AID_APP_START) {
mAudioPolicyServiceClient->onDynamicPolicyMixStateUpdate(regId, state);
}
}
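Review bot: The added `mUid < AID_APP_START` test silently drops the callback for app clients with no comment explaining why, and the same literal condition is repeated in the next hunk of this file (the call to `onRecordingConfigurationUpdate`). A one-line comment above each check, such as `// only system clients receive dynamic policy and recording configuration updates`, would document the intent. Alternatively a small private helper holding the comparison would keep the two sites from drifting apart. Where `mUid` is assigned is outside these hunks, so it should be confirmed that it holds the binder calling UID captured when the client registered.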
@@ -283,7 +283,7 @@
const audio_config_base_t *clientConfig, const audio_config_base_t *deviceConfig,
audio_patch_handle_t patchHandle)
{
- if (mAudioPolicyServiceClient != 0) {
+ if (mAudioPolicyServiceClient != 0 && mUid < AID_APP_START) {
mAudioPolicyServiceClient->onRecordingConfigurationUpdate(event, clientInfo,
clientConfig, deviceConfig, patchHandle);
}