Merge changes from topic 'allow-vrcore' into oc-dev

* changes:
  Check for caller permissions in virtual touchpad service
  Restrict VR HWC access to services with RESTRICTED_VR_ACCESS permission
diff --git a/services/vr/hardware_composer/vr_composer.cpp b/services/vr/hardware_composer/vr_composer.cpp
index c15f8fd..c45fbf4 100644
--- a/services/vr/hardware_composer/vr_composer.cpp
+++ b/services/vr/hardware_composer/vr_composer.cpp
@@ -1,7 +1,25 @@
 #include "vr_composer.h"
 
+#include <binder/IPCThreadState.h>
+#include <binder/PermissionCache.h>
+
 namespace android {
 namespace dvr {
+namespace {
+
+bool CheckPermission() {
+  const android::IPCThreadState* ipc = android::IPCThreadState::self();
+  const pid_t pid = ipc->getCallingPid();
+  const uid_t uid = ipc->getCallingUid();
+  const bool permission = PermissionCache::checkPermission(
+      String16("android.permission.RESTRICTED_VR_ACCESS"), pid, uid);
+  if (!permission)
+    ALOGE("permission denied to pid=%d uid=%u", pid, uid);
+
+  return permission;
+}
+
+}  // namespace
 
 VrComposer::VrComposer() {}
 
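Review bot: CheckPermission() has no comment stating its precondition: getCallingPid() and getCallingUid() describe the remote caller only while the thread is serving an incoming binder transaction, and otherwise report the service's own identity, so the check would be evaluated against the service itself. I would add above the function `// Must be called on a binder thread while handling an incoming call; returns true if the caller holds RESTRICTED_VR_ACCESS.` The permission name is also built as a fresh `String16` on every call; a file-local constant in this anonymous namespace would avoid that and match the `kTouchPermission` pattern visible in VirtualTouchpadService.cpp. ALOGE is used here but this hunk adds no logging include, so presumably vr_composer.h provides it, which is worth confirming.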
@@ -11,6 +29,9 @@
     const sp<IVrComposerCallback>& callback) {
   std::lock_guard<std::mutex> guard(mutex_);
 
+  if (!CheckPermission())
+    return binder::Status::fromStatusT(PERMISSION_DENIED);
+
   if (callback_.get()) {
     ALOGE("Failed to register callback, already registered");
     return binder::Status::fromStatusT(ALREADY_EXISTS);
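Review bot: The permission check runs after `std::lock_guard<std::mutex> guard(mutex_);`, so a caller without RESTRICTED_VR_ACCESS still acquires mutex_ and holds it across the PermissionCache lookup, which may go out to the permission service on a cache miss. Moving `if (!CheckPermission()) return binder::Status::fromStatusT(PERMISSION_DENIED);` above the lock_guard rejects unauthorised callers before they can contend with the legitimate client. The enclosing function starts and ends outside the hunk. Whether VrComposer's other binder entry points carry the same check cannot be seen from here; each externally callable method should be guarded the same way.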
diff --git a/services/vr/virtual_touchpad/Android.bp b/services/vr/virtual_touchpad/Android.bp
index c8bc884..3d5dfb2 100644
--- a/services/vr/virtual_touchpad/Android.bp
+++ b/services/vr/virtual_touchpad/Android.bp
@@ -80,7 +80,6 @@
     cppflags: ["-std=c++11"],
     cflags: [
         "-DLOG_TAG=\"VrVirtualTouchpad\"",
-        "-DSELINUX_ACCESS_CONTROL",
     ],
     host_ldlibs: ["-llog"],
     name: "virtual_touchpad",
diff --git a/services/vr/virtual_touchpad/VirtualTouchpadService.cpp b/services/vr/virtual_touchpad/VirtualTouchpadService.cpp
index 191bcfb..81edd32 100644
--- a/services/vr/virtual_touchpad/VirtualTouchpadService.cpp
+++ b/services/vr/virtual_touchpad/VirtualTouchpadService.cpp
@@ -122,9 +122,6 @@
 bool VirtualTouchpadService::CheckTouchPermission(pid_t* out_pid) {
   const android::IPCThreadState* ipc = android::IPCThreadState::self();
   *out_pid = ipc->getCallingPid();
-#ifdef SELINUX_ACCESS_CONTROL
-  return true;
-#else
   const uid_t uid = ipc->getCallingUid();
   const bool permission = PermissionCache::checkPermission(kTouchPermission, *out_pid, uid);
   if (!permission) {
@@ -132,7 +129,6 @@
           static_cast<long>(uid));
   }
   return permission;
-#endif
 }
 
 }  // namespace dvr