Debian service should check its caller is the vm

Bug: 376162749
Test: check grpc call
Change-Id: I7566e3ca395a962ba404c3ab6928aebf8f2f8cea
diff --git a/libs/vm_launcher_lib/java/com/android/virtualization/vmlauncher/VmLauncherService.java b/libs/vm_launcher_lib/java/com/android/virtualization/vmlauncher/VmLauncherService.java
index 5cd7b92..e5d68cc 100644
--- a/libs/vm_launcher_lib/java/com/android/virtualization/vmlauncher/VmLauncherService.java
+++ b/libs/vm_launcher_lib/java/com/android/virtualization/vmlauncher/VmLauncherService.java
@@ -27,11 +27,18 @@
 import android.system.virtualmachine.VirtualMachineException;
 import android.util.Log;
 
+import io.grpc.Grpc;
 import io.grpc.InsecureServerCredentials;
+import io.grpc.Metadata;
 import io.grpc.Server;
+import io.grpc.ServerCall;
+import io.grpc.ServerCallHandler;
+import io.grpc.ServerInterceptor;
+import io.grpc.Status;
 import io.grpc.okhttp.OkHttpServerBuilder;
 
 import java.io.IOException;
+import java.net.InetSocketAddress;
 import java.nio.file.Path;
 import java.util.Objects;
 import java.util.concurrent.ExecutorService;
@@ -137,6 +144,31 @@
     }
 
     private void startDebianServer() {
+        ServerInterceptor interceptor =
+                new ServerInterceptor() {
+                    @Override
+                    public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(
+                            ServerCall<ReqT, RespT> call,
+                            Metadata headers,
+                            ServerCallHandler<ReqT, RespT> next) {
+                        // Refer to VirtualizationSystemService.TetheringService
+                        final String VM_STATIC_IP_ADDR = "192.168.0.2";
+                        InetSocketAddress remoteAddr =
+                                (InetSocketAddress)
+                                        call.getAttributes().get(Grpc.TRANSPORT_ATTR_REMOTE_ADDR);
+
+                        if (remoteAddr != null
+                                && Objects.equals(
+                                        remoteAddr.getAddress().getHostAddress(),
+                                        VM_STATIC_IP_ADDR)) {
+                            // Allow the request only if it is from VM
+                            return next.startCall(call, headers);
+                        }
+                        Log.d(TAG, "blocked grpc request from " + remoteAddr);
+                        call.close(Status.Code.PERMISSION_DENIED.toStatus(), new Metadata());
+                        return new ServerCall.Listener<ReqT>() {};
+                    }
+                };
         new Thread(
                         () -> {
                             // TODO(b/372666638): gRPC for java doesn't support vsock for now.
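Review bot: The unchecked cast `(InetSocketAddress) call.getAttributes().get(Grpc.TRANSPORT_ATTR_REMOTE_ADDR)` in interceptCall throws a ClassCastException instead of denying the call if the transport ever reports another SocketAddress type, which may well happen once the vsock TODO just below is resolved. Read the attribute as a `SocketAddress` and test `instanceof InetSocketAddress` before comparing, so any unexpected peer type falls through to PERMISSION_DENIED. The allowed address is a literal copied from VirtualizationSystemService.TetheringService, so the two can drift apart silently; a shared constant would avoid that if one is reachable from this library. A rejected call is the event someone investigating would want to see, so `Log.w(TAG, "blocked grpc request from " + remoteAddr);` fits better than Log.d. startDebianServer continues past the end of the hunk.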
@@ -147,6 +179,7 @@
                                 mServer =
                                         OkHttpServerBuilder.forPort(
                                                         port, InsecureServerCredentials.create())
+                                                .intercept(interceptor)
                                                 .addService(new DebianServiceImpl(this))
                                                 .build()
                                                 .start();
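Review bot: With `InsecureServerCredentials.create()` still in place, the source-address check wired in by `.intercept(interceptor)` is the only access control on this plaintext listener, and it holds only while nothing else can originate traffic from the VM's address. `forPort(port, ...)` appears to bind the wildcard address, so consider binding to the host-side address of the VM network instead, e.g. `OkHttpServerBuilder.forPort(new InetSocketAddress(HOST_SIDE_ADDR_PLACEHOLDER, port), InsecureServerCredentials.create())`, if the SocketAddress overload exists in the bundled gRPC version. A short comment above `.intercept(interceptor)` stating that assumption would help the next reader. The enclosing lambda and try block start and end outside the hunk.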