commit 3f2638b5b25162dfc73b4a526184694f5f032dd3
author Kiyoung Kim <kiyoungkim@google.com> Wed Dec 06 16:22:30 2023 +0900
committer Kiyoung Kim <kiyoungkim@google.com> Wed Dec 06 16:38:33 2023 +0900
tree 1fe5a0b5f70524a050b58321085295aa920f275e
parent ab3bf02fe0646c056024b306ab475614adeaab28

Do not check selinux access for PermissionCache

Change to check selinux for PermissionCache failed because
surfaceflinger did not have access to selinuxfs. Based on the
discussion, it would be better to check PermissionCache without any
further access check, as its failure would mean the same. This change
removes additional access check from dump.

Bug: 313804706
Test: com.google.android.selinux.pts.SELinuxTest#scanBugreport passed
from cheetah

Change-Id: I5f6f882e270d71bc1da37360c6512cac66dd04a9

libs/gui/BufferQueueConsumer.cpp

diff --git a/libs/gui/BufferQueueConsumer.cpp b/libs/gui/BufferQueueConsumer.cpp
index 744201a..11f5174 100644
--- a/libs/gui/BufferQueueConsumer.cpp
+++ b/libs/gui/BufferQueueConsumer.cpp
@@ -38,43 +38,10 @@
 #include <private/gui/BufferQueueThreadState.h>
 #if !defined(__ANDROID_VNDK__) && !defined(NO_BINDER)
 #include <binder/PermissionCache.h>
-#include <selinux/android.h>
-#include <selinux/selinux.h>
 #endif
 
 #include <system/window.h>
 
-namespace {
-#if !defined(__ANDROID_VNDK__) && !defined(NO_BINDER)
-int selinux_log_suppress_callback(int, const char*, ...) { // NOLINT
-    // DO NOTHING
-    return 0;
-}
-
-bool hasAccessToPermissionService() {
-    char* ctx;
-
-    if (getcon(&ctx) == -1) {
-        // Failed to get current selinux context
-        return false;
-    }
-
-    union selinux_callback cb;
-
-    cb.func_log = selinux_log_suppress_callback;
-    selinux_set_callback(SELINUX_CB_LOG, cb);
-
-    bool hasAccess = selinux_check_access(ctx, "u:object_r:permission_service:s0",
-                                          "service_manager", "find", NULL) == 0;
-    freecon(ctx);
-    cb.func_log = hasAccess ? selinux_log_callback : selinux_vendor_log_callback;
-    selinux_set_callback(SELINUX_CB_LOG, cb);
-
-    return hasAccess;
-}
-#endif
-} // namespace
-
 namespace android {
 
 // Macros for include BufferQueueCore information in log messages
@@ -843,18 +810,14 @@
     const uid_t uid = BufferQueueThreadState::getCallingUid();
 #if !defined(__ANDROID_VNDK__) && !defined(NO_BINDER)
     // permission check can't be done for vendors as vendors have no access to
-    // the PermissionController. We need to do a runtime check as well, since
-    // the system variant of libgui can be loaded in a vendor process. For eg:
-    // if a HAL uses an llndk library that depends on libgui (libmediandk etc).
-    if (hasAccessToPermissionService()) {
-        const pid_t pid = BufferQueueThreadState::getCallingPid();
-        if ((uid != shellUid) &&
-            !PermissionCache::checkPermission(String16("android.permission.DUMP"), pid, uid)) {
-            outResult->appendFormat("Permission Denial: can't dump BufferQueueConsumer "
-                                    "from pid=%d, uid=%d\n",
-                                    pid, uid);
-            denied = true;
-        }
+    // the PermissionController.
+    const pid_t pid = BufferQueueThreadState::getCallingPid();
+    if ((uid != shellUid) &&
+        !PermissionCache::checkPermission(String16("android.permission.DUMP"), pid, uid)) {
+        outResult->appendFormat("Permission Denial: can't dump BufferQueueConsumer "
+                                "from pid=%d, uid=%d\n",
+                                pid, uid);
+        denied = true;
     }
 #else
     if (uid != shellUid) {