Merge "libbinder: require shell/root UID for shell" am: c5ae56685d
am: 386b133b54
Change-Id: Ib47f87f5806646983b9bc853b225a66c55a74401
diff --git a/libs/binder/Binder.cpp b/libs/binder/Binder.cpp
index cb0e08d..3de4487 100644
--- a/libs/binder/Binder.cpp
+++ b/libs/binder/Binder.cpp
@@ -17,12 +17,15 @@
#include <binder/Binder.h>
#include <atomic>
-#include <utils/misc.h>
#include <binder/BpBinder.h>
#include <binder/IInterface.h>
+#include <binder/IPCThreadState.h>
#include <binder/IResultReceiver.h>
#include <binder/IShellCallback.h>
#include <binder/Parcel.h>
+#include <cutils/android_filesystem_config.h>
+#include <cutils/compiler.h>
+#include <utils/misc.h>
#include <stdio.h>
@@ -125,6 +128,19 @@
{
data.setDataPosition(0);
+ // Shell command transaction is conventionally implemented by
+ // overriding onTransact by copy/pasting the parceling code from
+ // this file. So, we must check permissions for it before we call
+ // onTransact. This check is here because shell APIs aren't
+ // guaranteed to be stable, and so they should only be used by
+ // developers.
+ if (CC_UNLIKELY(code == SHELL_COMMAND_TRANSACTION)) {
+ uid_t uid = IPCThreadState::self()->getCallingUid();
+ if (uid != AID_SHELL && uid != AID_ROOT) {
+ return PERMISSION_DENIED;
+ }
+ }
+
status_t err = NO_ERROR;
switch (code) {
case PING_TRANSACTION: