Revert "Add UID permission check to update_engine"
This reverts commit 596969b84d101cb494ec5faeb6cdd277e51c165c.
Reason for revert: Pixel does not go through system_server when calling update_engine APIs, so the calling UID is not system.
Change-Id: I7723e4c8b35f5f252eadb36b2a871a0b24950805
diff --git a/Android.bp b/Android.bp
index 9f90492..4db429d 100644
--- a/Android.bp
+++ b/Android.bp
@@ -516,7 +516,6 @@
"aosp/hardware_android.cc",
"aosp/logging_android.cc",
"aosp/network_selector_android.cc",
- "aosp/permission.cc",
"aosp/update_attempter_android.cc",
"certificate_checker.cc",
"download_action.cc",
diff --git a/aosp/binder_service_android.cc b/aosp/binder_service_android.cc
index a89655f..37df9a5 100644
--- a/aosp/binder_service_android.cc
+++ b/aosp/binder_service_android.cc
@@ -22,10 +22,8 @@
#include <base/logging.h>
#include <binderwrapper/binder_wrapper.h>
#include <utils/String8.h>
-#include <android-base/stringprintf.h>
#include "update_engine/aosp/binder_service_android_common.h"
-#include "update_engine/aosp/permission.h"
using android::binder::Status;
using android::os::IUpdateEngineCallback;
@@ -36,7 +34,6 @@
namespace chromeos_update_engine {
-
BinderUpdateEngineAndroidService::BinderUpdateEngineAndroidService(
ServiceDelegateAndroidInterface* service_delegate)
: service_delegate_(service_delegate) {}
@@ -59,9 +56,6 @@
Status BinderUpdateEngineAndroidService::bind(
const android::sp<IUpdateEngineCallback>& callback, bool* return_value) {
- if (const auto status = CheckCallingUid(); !status.isOk()) {
- return status;
- }
// Send an status update on connection (except when no update sent so far).
// Even though the status update is oneway, it still returns an erroneous
// status in case of a selinux denial. We should at least check this status
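Review bot: With the `CheckCallingUid()` guard removed from `bind()`, nothing visible in this method authorises the binder caller, and the same removal is repeated in every later method hunk of this file, including the payload-applying, slot-switch and reset entry points. The stated reason is that the `{AID_ROOT, AID_SYSTEM}` allow-list excludes a legitimate caller, which argues for widening the list to that caller's UID rather than dropping the check on all methods. If access is instead meant to be restricted by SELinux policy for this service (the comment just below mentions selinux denials, but the policy is not visible here), state that in the code, e.g. `// No UID check: callers are expected to be limited by SELinux policy for this service.` Logging the caller would also keep an audit trail, e.g. `LOG(INFO) << "bind() from UID " << android::BinderWrapper::Get()->GetCallingUid();`. The body of `bind()` continues outside the hunk.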
@@ -91,9 +85,6 @@
Status BinderUpdateEngineAndroidService::unbind(
const android::sp<IUpdateEngineCallback>& callback, bool* return_value) {
- if (const auto status = CheckCallingUid(); !status.isOk()) {
- return status;
- }
const android::sp<IBinder>& callback_binder =
IUpdateEngineCallback::asBinder(callback);
auto binder_wrapper = android::BinderWrapper::Get();
@@ -108,9 +99,6 @@
int64_t payload_offset,
int64_t payload_size,
const vector<android::String16>& header_kv_pairs) {
- if (const auto status = CheckCallingUid(); !status.isOk()) {
- return status;
- }
const string payload_url{android::String8{url}.c_str()};
vector<string> str_headers = ToVecString(header_kv_pairs);
@@ -127,9 +115,6 @@
int64_t payload_offset,
int64_t payload_size,
const vector<android::String16>& header_kv_pairs) {
- if (const auto status = CheckCallingUid(); !status.isOk()) {
- return status;
- }
vector<string> str_headers = ToVecString(header_kv_pairs);
Error error;
@@ -141,9 +126,6 @@
}
Status BinderUpdateEngineAndroidService::suspend() {
- if (const auto status = CheckCallingUid(); !status.isOk()) {
- return status;
- }
Error error;
if (!service_delegate_->SuspendUpdate(&error))
return ErrorPtrToStatus(error);
@@ -151,9 +133,6 @@
}
Status BinderUpdateEngineAndroidService::resume() {
- if (const auto status = CheckCallingUid(); !status.isOk()) {
- return status;
- }
Error error;
if (!service_delegate_->ResumeUpdate(&error))
return ErrorPtrToStatus(error);
@@ -161,9 +140,6 @@
}
Status BinderUpdateEngineAndroidService::cancel() {
- if (const auto status = CheckCallingUid(); !status.isOk()) {
- return status;
- }
Error error;
if (!service_delegate_->CancelUpdate(&error))
return ErrorPtrToStatus(error);
@@ -171,9 +147,6 @@
}
Status BinderUpdateEngineAndroidService::resetStatus() {
- if (const auto status = CheckCallingUid(); !status.isOk()) {
- return status;
- }
Error error;
if (!service_delegate_->ResetStatus(&error))
return ErrorPtrToStatus(error);
@@ -182,9 +155,6 @@
Status BinderUpdateEngineAndroidService::setShouldSwitchSlotOnReboot(
const android::String16& metadata_filename) {
- if (const auto status = CheckCallingUid(); !status.isOk()) {
- return status;
- }
Error error;
if (!service_delegate_->setShouldSwitchSlotOnReboot(
android::String8(metadata_filename).c_str(), &error)) {
@@ -194,9 +164,6 @@
}
Status BinderUpdateEngineAndroidService::resetShouldSwitchSlotOnReboot() {
- if (const auto status = CheckCallingUid(); !status.isOk()) {
- return status;
- }
Error error;
if (!service_delegate_->resetShouldSwitchSlotOnReboot(&error)) {
return ErrorPtrToStatus(error);
@@ -206,9 +173,6 @@
Status BinderUpdateEngineAndroidService::verifyPayloadApplicable(
const android::String16& metadata_filename, bool* return_value) {
- if (const auto status = CheckCallingUid(); !status.isOk()) {
- return status;
- }
const std::string payload_metadata{
android::String8{metadata_filename}.c_str()};
LOG(INFO) << "Received a request of verifying payload metadata in "
@@ -240,9 +204,6 @@
const android::String16& metadata_filename,
const vector<android::String16>& header_kv_pairs,
int64_t* return_value) {
- if (const auto status = CheckCallingUid(); !status.isOk()) {
- return status;
- }
const std::string payload_metadata{
android::String8{metadata_filename}.c_str()};
vector<string> str_headers = ToVecString(header_kv_pairs);
@@ -285,9 +246,6 @@
Status BinderUpdateEngineAndroidService::cleanupSuccessfulUpdate(
const android::sp<IUpdateEngineCallback>& callback) {
- if (const auto status = CheckCallingUid(); !status.isOk()) {
- return status;
- }
Error error;
service_delegate_->CleanupSuccessfulUpdate(
std::make_unique<CleanupSuccessfulUpdateCallback>(callback), &error);
diff --git a/aosp/permission.cc b/aosp/permission.cc
deleted file mode 100644
index 6f13b03..0000000
--- a/aosp/permission.cc
+++ /dev/null
@@ -1,39 +0,0 @@
-//
-// Copyright (C) 2023 The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-//
-#include <update_engine/aosp/permission.h>
-
-#include <array>
-#include <algorithm>
-#include <android-base/stringprintf.h>
-#include <android-base/logging.h>
-
-namespace chromeos_update_engine {
-
-android::binder::Status CheckCallingUid() {
- const auto calling_uid = android::BinderWrapper::Get()->GetCallingUid();
- if (!Contains(kAllowedUids, calling_uid)) {
- LOG(ERROR) << "Calling UID " << calling_uid
- << " is not allowed to access update_engine APIs";
- auto message =
- android::base::StringPrintf("UID %d is not allowed", calling_uid);
- return android::binder::Status::fromExceptionCode(
- android::binder::Status::EX_SECURITY,
- android::String8(message.c_str()));
- }
- return android::binder::Status::ok();
-}
-
-} // namespace chromeos_update_engine
diff --git a/aosp/permission.h b/aosp/permission.h
deleted file mode 100644
index 46eaad0..0000000
--- a/aosp/permission.h
+++ /dev/null
@@ -1,40 +0,0 @@
-//
-// Copyright (C) 2023 The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-//
-
-#ifndef UPDATE_ENGINE_COMMON_PERMISSION_H_
-#define UPDATE_ENGINE_COMMON_PERMISSION_H_
-
-#include <binder/Status.h>
-#include <binderwrapper/binder_wrapper.h>
-#ifdef __ANDROID__
-#include <array>
-#include <private/android_filesystem_config.h>
-#include <algorithm>
-
-namespace chromeos_update_engine {
-static constexpr std::array<uid_t, 2> kAllowedUids = {AID_ROOT, AID_SYSTEM};
-
-template <typename Container, typename T>
-bool Contains(const Container& container, const T& t) {
- return std::find(container.begin(), container.end(), t) != container.end();
-}
-
-android::binder::Status CheckCallingUid();
-
-} // namespace chromeos_update_engine
-#endif // __ANDROID__
-
-#endif // UPDATE_ENGINE_COMMON_PERMISSION_H_
diff --git a/common/daemon_state_interface.h b/common/daemon_state_interface.h
index d6cf9da..831e38b 100644
--- a/common/daemon_state_interface.h
+++ b/common/daemon_state_interface.h
@@ -41,7 +41,8 @@
protected:
DaemonStateInterface() = default;
- DaemonStateInterface(const DaemonStateInterface&) = delete;
+
+ DISALLOW_COPY_AND_ASSIGN(DaemonStateInterface);
};
} // namespace chromeos_update_engine
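Review bot: `DISALLOW_COPY_AND_ASSIGN(DaemonStateInterface);` returns with this revert although the revert reason concerns only the UID check, and the macro depends on a header that this hunk does not show being included. Spelling the deletions out keeps the class self-contained and still forbids assignment: `DaemonStateInterface(const DaemonStateInterface&) = delete;` and `DaemonStateInterface& operator=(const DaemonStateInterface&) = delete;`. If the macro is kept for consistency with the rest of the tree, confirm that the include defining it is present in this header. The class body starts outside the hunk.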