author | Jeff Sharkey <jsharkey@android.com> | 2012-09-06 17:54:29 -0700 |
---|---|---|
committer | Jeff Sharkey <jsharkey@android.com> | 2012-09-06 17:59:14 -0700 |
commit | f56e2435b64f9638e029777fa9492d42f157033e (patch) | |
tree | fead98e1fcd7a8d31a1f0f03b72581b99cbc5fa1 /services/java/com/android/server/NetworkManagementService.java | |
parent | c862d0fc0574de74bf1758f69c98ccbf8e506532 (diff) |
Restrict lockdown and firewall to AID_SYSTEM.
Bug: 7076289
Change-Id: Iafa3054335e8b1c3c8c3b8db2a4191d4ed4c8c41
Diffstat (limited to 'services/java/com/android/server/NetworkManagementService.java')
-rw-r--r-- | services/java/com/android/server/NetworkManagementService.java | 21 |
1 files changed, 15 insertions, 6 deletions
diff --git a/services/java/com/android/server/NetworkManagementService.java b/services/java/com/android/server/NetworkManagementService.java
index efa16af2942a..3ddae3eef51f 100644
--- a/services/java/com/android/server/NetworkManagementService.java
+++ b/services/java/com/android/server/NetworkManagementService.java
@@ -45,8 +45,10 @@ import android.net.NetworkUtils;
 import android.net.RouteInfo;
 import android.net.wifi.WifiConfiguration;
 import android.net.wifi.WifiConfiguration.KeyMgmt;
+import android.os.Binder;
 import android.os.Handler;
 import android.os.INetworkManagementService;
+import android.os.Process;
 import android.os.RemoteCallbackList;
 import android.os.RemoteException;
 import android.os.SystemClock;
@@ -1436,7 +1438,7 @@ public class NetworkManagementService extends INetworkManagementService.Stub
 
 @Override
 public void setFirewallEnabled(boolean enabled) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ enforceSystemUid();
 try {
 mConnector.execute("firewall", enabled ? "enable" : "disable");
 mFirewallEnabled = enabled;
@@ -1447,13 +1449,13 @@ public class NetworkManagementService extends INetworkManagementService.Stub
 
 @Override
 public boolean isFirewallEnabled() {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ enforceSystemUid();
 return mFirewallEnabled;
 }
 
 @Override
 public void setFirewallInterfaceRule(String iface, boolean allow) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ enforceSystemUid();
 Preconditions.checkState(mFirewallEnabled);
 final String rule = allow ? ALLOW : DENY;
 try {
@@ -1465,7 +1467,7 @@ public class NetworkManagementService extends INetworkManagementService.Stub
 
 @Override
 public void setFirewallEgressSourceRule(String addr, boolean allow) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ enforceSystemUid();
 Preconditions.checkState(mFirewallEnabled);
 final String rule = allow ? ALLOW : DENY;
 try {
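Review bot: Nothing at the changed call sites records that the caller contract moved from "holds CONNECTIVITY_INTERNAL" to "is AID_SYSTEM", starting with `setFirewallEnabled` here and repeated in `isFirewallEnabled`, `setFirewallInterfaceRule`, `setFirewallEgressSourceRule`, `setFirewallEgressDestRule` and `setFirewallUidRule`. A caller that holds the permission but runs under another uid will now get a SecurityException, including from the read-only `isFirewallEnabled()`; whether such callers exist cannot be seen from this diff. I would add a short comment above each method, e.g. `// Caller must be AID_SYSTEM; CONNECTIVITY_INTERNAL alone is not sufficient.`, and mirror it in the INetworkManagementService declaration. The method bodies continue outside these hunks.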
@@ -1477,7 +1479,7 @@ public class NetworkManagementService extends INetworkManagementService.Stub
 
 @Override
 public void setFirewallEgressDestRule(String addr, int port, boolean allow) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ enforceSystemUid();
 Preconditions.checkState(mFirewallEnabled);
 final String rule = allow ? ALLOW : DENY;
 try {
@@ -1489,7 +1491,7 @@ public class NetworkManagementService extends INetworkManagementService.Stub
 
 @Override
 public void setFirewallUidRule(int uid, boolean allow) {
- mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+ enforceSystemUid();
 Preconditions.checkState(mFirewallEnabled);
 final String rule = allow ? ALLOW : DENY;
 try {
@@ -1499,6 +1501,13 @@ public class NetworkManagementService extends INetworkManagementService.Stub
 }
 }
 
+ private static void enforceSystemUid() {
+ final int uid = Binder.getCallingUid();
+ if (uid != Process.SYSTEM_UID) {
+ throw new SecurityException("Only available to AID_SYSTEM");
+ }
+ }
+
 @Override
 public void monitor() {
 if (mConnector != null) { |
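Review bot: The new `enforceSystemUid()` helper in the last hunk has no comment explaining its semantics, and the SecurityException it throws omits the rejected uid, which makes a denied call hard to trace in logs. I would change the throw to `throw new SecurityException("Only available to AID_SYSTEM, caller uid " + uid);`. I would also add a Javadoc stating that the check is an exact match of `Binder.getCallingUid()` against `Process.SYSTEM_UID`, so permission holders and every other uid are rejected, while a call made outside an incoming Binder transaction is checked against the process's own uid. If this branch assigns per-user uids, the Javadoc should say that the exact match is deliberate, so the check is not loosened later by accident.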