Restrict VR HWC access to services with RESTRICTED_VR_ACCESS permission
Bug: 37542947
Test: Compiled
Change-Id: I0880e6a2caaf32f111ae70ba1d54f59960796287
diff --git a/services/vr/hardware_composer/vr_composer.cpp b/services/vr/hardware_composer/vr_composer.cpp
index c15f8fd..c45fbf4 100644
--- a/services/vr/hardware_composer/vr_composer.cpp
+++ b/services/vr/hardware_composer/vr_composer.cpp
@@ -1,7 +1,25 @@
#include "vr_composer.h"
+#include <binder/IPCThreadState.h>
+#include <binder/PermissionCache.h>
+
namespace android {
namespace dvr {
+namespace {
+
+bool CheckPermission() {
+ const android::IPCThreadState* ipc = android::IPCThreadState::self();
+ const pid_t pid = ipc->getCallingPid();
+ const uid_t uid = ipc->getCallingUid();
+ const bool permission = PermissionCache::checkPermission(
+ String16("android.permission.RESTRICTED_VR_ACCESS"), pid, uid);
+ if (!permission)
+ ALOGE("permission denied to pid=%d uid=%u", pid, uid);
+
+ return permission;
+}
+
+} // namespace
VrComposer::VrComposer() {}
@@ -11,6 +29,9 @@
const sp<IVrComposerCallback>& callback) {
std::lock_guard<std::mutex> guard(mutex_);
+ if (!CheckPermission())
+ return binder::Status::fromStatusT(PERMISSION_DENIED);
+
if (callback_.get()) {
ALOGE("Failed to register callback, already registered");
return binder::Status::fromStatusT(ALREADY_EXISTS);