Check system_server PID in NetworkStack calls

Add a check that callers with UID 1000 always have the same PID. This is a proxy for checking that no system is designed to bind to the network stack unless it is the system_server, as otherwise either the system_server would start crashing, or that system would not have access to binder calls. Also remove access from PHONE_UID as it is not being used. Test: Flashed, WiFi working, Bluetooth reverse tethering shows no permission issue. Bug: 133209255 (patched automatically from Ib848aaaedfd599c1d4437378846c7dda74352019) (command: git -C [qt repo] show -p 4895c5 | patch -p3) Merged-In: I1205ae4b1062fe78f1e2283d6c308caa58651e86 Change-Id: I42215bd8b14d66d0150e7dac04fbb28feef991a6
author: Remi NGUYEN VAN <reminv@google.com> 2019-06-04 16:23:23 +0900
committer: Remi NGUYEN VAN <reminv@google.com> 2019-06-04 16:26:00 +0900
commit: 8eb2a9143f31f0c2875438e00808f9aefe4753ab (patch)
tree: 3fb4f50e0b2a0eb815c43aed05a7c1be945e55e8
parent: 6ae25aa680a3d9d198f98c3a1ba7862037af7c4c (diff)
2 files changed, 33 insertions, 4 deletions
diff --git a/src/com/android/server/NetworkStackService.java b/src/com/android/server/NetworkStackService.java
index c394d4c..91cc8c3 100644
--- a/src/com/android/server/NetworkStackService.java
+++ b/src/com/android/server/NetworkStackService.java
@@ -189,6 +189,7 @@ public class NetworkStackService extends Service {
         @Override
         public void makeNetworkMonitor(Network network, String name, INetworkMonitorCallbacks cb)
                 throws RemoteException {
+            checkNetworkStackCallingPermission();
             updateSystemAidlVersion(cb.getInterfaceVersion());
             final SharedLog log = addValidationLogs(network, name);
             final NetworkMonitor nm = new NetworkMonitor(mContext, cb, network, log);
@@ -197,6 +198,7 @@ public class NetworkStackService extends Service {
 
         @Override
         public void makeIpClient(String ifName, IIpClientCallbacks cb) throws RemoteException {
+            checkNetworkStackCallingPermission();
             updateSystemAidlVersion(cb.getInterfaceVersion());
             final IpClient ipClient = new IpClient(mContext, ifName, cb, mObserverRegistry, this);
 
@@ -222,6 +224,7 @@ public class NetworkStackService extends Service {
         @Override
         public void fetchIpMemoryStore(@NonNull final IIpMemoryStoreCallbacks cb)
                 throws RemoteException {
+            checkNetworkStackCallingPermission();
             updateSystemAidlVersion(cb.getInterfaceVersion());
             cb.onIpMemoryStoreFetched(mIpMemoryStoreService);
         }
diff --git a/src/com/android/server/util/PermissionUtil.java b/src/com/android/server/util/PermissionUtil.java
index 6fbeead..6701384 100644
--- a/src/com/android/server/util/PermissionUtil.java
+++ b/src/com/android/server/util/PermissionUtil.java
@@ -16,30 +16,56 @@
 
 package com.android.server.util;
 
+import static android.os.Binder.getCallingPid;
 import static android.os.Binder.getCallingUid;
 
 import android.os.Process;
 import android.os.UserHandle;
 
+import java.util.concurrent.atomic.AtomicInteger;
+
 /**
  * Utility class to check calling permissions on the network stack.
  */
 public final class PermissionUtil {
+    private static final AtomicInteger sSystemPid = new AtomicInteger(-1);
 
     /**
      * Check that the caller is allowed to communicate with the network stack.
      * @throws SecurityException The caller is not allowed to communicate with the network stack.
      */
     public static void checkNetworkStackCallingPermission() {
-        // TODO: check that the calling PID is the system server.
         final int caller = getCallingUid();
-        if (caller != Process.SYSTEM_UID
-                && UserHandle.getAppId(caller) != Process.BLUETOOTH_UID
-                && UserHandle.getAppId(caller) != Process.PHONE_UID) {
+        if (caller == Process.SYSTEM_UID) {
+            checkConsistentSystemPid();
+            return;
+        }
+
+        if (UserHandle.getAppId(caller) != Process.BLUETOOTH_UID) {
             throw new SecurityException("Invalid caller: " + caller);
         }
     }
 
+    private static void checkConsistentSystemPid() {
+        // Apart from the system server process, no process with a system UID should try to
+        // communicate with the network stack. This is to ensure that the network stack does not
+        // need to maintain behavior for clients it was not designed to work with.
+        // Checking that all calls from a system UID originate from the same PID loosely enforces
+        // this restriction as if another system process calls the network stack first, the system
+        // server would lose access to the network stack and cause obvious failures. If the system
+        // server calls the network stack first, other clients would lose access as expected.
+        final int systemPid = getCallingPid();
+        if (sSystemPid.compareAndSet(-1, systemPid)) {
+            // sSystemPid was unset (-1): this was the first call
+            return;
+        }
+
+        if (sSystemPid.get() != systemPid) {
+            throw new SecurityException("Invalid PID for the system server, expected "
+                    + sSystemPid.get() + " but was called from " + systemPid);
+        }
+    }
+
     /**
      * Check that the caller is allowed to dump the network stack, e.g. dumpsys.
      * @throws SecurityException The caller is not allowed to dump the network stack.
author	Remi NGUYEN VAN <reminv@google.com>	2019-06-04 16:23:23 +0900
committer	Remi NGUYEN VAN <reminv@google.com>	2019-06-04 16:26:00 +0900
commit	8eb2a9143f31f0c2875438e00808f9aefe4753ab (patch)
tree	3fb4f50e0b2a0eb815c43aed05a7c1be945e55e8
parent	6ae25aa680a3d9d198f98c3a1ba7862037af7c4c (diff)