audio: filter reserved binder calls

Block incoming binder calls to audio flinger and audio policy service for sensitive functions if they are not coming from a system UID. Bug: 72278478 Test: audio smoke tests. CTS tests for AudioTrack and AudioRecord Change-Id: I78e02efffe135d5450ced125e51e2084719ca03d
7 years ago · 4980df29f6
parent 5f07c65af5
commit 4980df29f6
3 changed files with 43 additions and 3 deletions
--- a/media/libaudioclient/IAudioFlinger.cpp
+++ b/media/libaudioclient/IAudioFlinger.cpp
@ -24,6 +24,7 @@

 #include <binder/IPCThreadState.h>
 #include <binder/Parcel.h>
+#include <private/android_filesystem_config.h>

 #include "IAudioFlinger.h"

@ -881,6 +882,24 @@ status_t BnAudioFlinger::onTransact(
            break;
    }

+    // make sure the following transactions come from system components
+    switch (code) {
+        case SET_MASTER_VOLUME:
+        case SET_MASTER_MUTE:
+        case SET_MODE:
+        case SET_MIC_MUTE:
+        case SET_LOW_RAM_DEVICE:
+        case SYSTEM_READY:
+            if (IPCThreadState::self()->getCallingUid() >= AID_APP_START) {
+                ALOGW("%s: transaction %d received from PID %d unauthorized UID %d",
+                      __func__, code, IPCThreadState::self()->getCallingPid(),
+                      IPCThreadState::self()->getCallingUid());
+                return INVALID_OPERATION;
+            }
+        default:
+            break;
+    }
+
    // Whitelist of relevant events to trigger log merging.
    // Log merging should activate during audio activity of any kind. This are considered the
    // most relevant events.
--- a/media/libaudioclient/IAudioPolicyService.cpp
+++ b/media/libaudioclient/IAudioPolicyService.cpp
@ -27,7 +27,7 @@

 #include <media/AudioEffect.h>
 #include <media/IAudioPolicyService.h>
-
+#include <private/android_filesystem_config.h>
 #include <system/audio.h>

 namespace android {
@ -861,6 +861,27 @@ status_t BnAudioPolicyService::onTransact(
            break;
    }

+    // make sure the following transactions come from system components
+    switch (code) {
+        case SET_DEVICE_CONNECTION_STATE:
+        case HANDLE_DEVICE_CONFIG_CHANGE:
+        case SET_PHONE_STATE:
+        case SET_RINGER_MODE:
+        case SET_FORCE_USE:
+        case INIT_STREAM_VOLUME:
+        case SET_STREAM_VOLUME:
+        case REGISTER_POLICY_MIXES:
+        case SET_MASTER_MONO:
+            if (IPCThreadState::self()->getCallingUid() >= AID_APP_START) {
+                ALOGW("%s: transaction %d received from PID %d unauthorized UID %d",
+                      __func__, code, IPCThreadState::self()->getCallingPid(),
+                      IPCThreadState::self()->getCallingUid());
+                return INVALID_OPERATION;
+            }
+        default:
+            break;
+    }
+
    switch (code) {
        case SET_DEVICE_CONNECTION_STATE: {
            CHECK_INTERFACE(IAudioPolicyService, data, reply);
--- a/services/audiopolicy/service/AudioPolicyService.cpp
+++ b/services/audiopolicy/service/AudioPolicyService.cpp
@ -273,7 +273,7 @@ void AudioPolicyService::NotificationClient::onAudioPatchListUpdate()
 void AudioPolicyService::NotificationClient::onDynamicPolicyMixStateUpdate(
        const String8& regId, int32_t state)
 {
-    if (mAudioPolicyServiceClient != 0) {
+    if (mAudioPolicyServiceClient != 0 && mUid < AID_APP_START) {
        mAudioPolicyServiceClient->onDynamicPolicyMixStateUpdate(regId, state);
    }
 }
@ -283,7 +283,7 @@ void AudioPolicyService::NotificationClient::onRecordingConfigurationUpdate(
        const audio_config_base_t *clientConfig, const audio_config_base_t *deviceConfig,
        audio_patch_handle_t patchHandle)
 {
-    if (mAudioPolicyServiceClient != 0) {
+    if (mAudioPolicyServiceClient != 0 && mUid < AID_APP_START) {
        mAudioPolicyServiceClient->onRecordingConfigurationUpdate(event, clientInfo,
                clientConfig, deviceConfig, patchHandle);
    }