diff --git a/media/libaudioclient/IAudioFlinger.cpp b/media/libaudioclient/IAudioFlinger.cpp index ae9c96fe72..f234e477d0 100644 --- a/media/libaudioclient/IAudioFlinger.cpp +++ b/media/libaudioclient/IAudioFlinger.cpp @@ -24,6 +24,7 @@ #include #include +#include #include "IAudioFlinger.h" @@ -881,6 +882,24 @@ status_t BnAudioFlinger::onTransact( break; } + // make sure the following transactions come from system components + switch (code) { + case SET_MASTER_VOLUME: + case SET_MASTER_MUTE: + case SET_MODE: + case SET_MIC_MUTE: + case SET_LOW_RAM_DEVICE: + case SYSTEM_READY: + if (IPCThreadState::self()->getCallingUid() >= AID_APP_START) { + ALOGW("%s: transaction %d received from PID %d unauthorized UID %d", + __func__, code, IPCThreadState::self()->getCallingPid(), + IPCThreadState::self()->getCallingUid()); + return INVALID_OPERATION; + } + default: + break; + } + // Whitelist of relevant events to trigger log merging. // Log merging should activate during audio activity of any kind. This are considered the // most relevant events. diff --git a/media/libaudioclient/IAudioPolicyService.cpp b/media/libaudioclient/IAudioPolicyService.cpp index b91e4cf191..8f5ff30ac4 100644 --- a/media/libaudioclient/IAudioPolicyService.cpp +++ b/media/libaudioclient/IAudioPolicyService.cpp @@ -27,7 +27,7 @@ #include #include - +#include #include namespace android { @@ -861,6 +861,27 @@ status_t BnAudioPolicyService::onTransact( break; } + // make sure the following transactions come from system components + switch (code) { + case SET_DEVICE_CONNECTION_STATE: + case HANDLE_DEVICE_CONFIG_CHANGE: + case SET_PHONE_STATE: + case SET_RINGER_MODE: + case SET_FORCE_USE: + case INIT_STREAM_VOLUME: + case SET_STREAM_VOLUME: + case REGISTER_POLICY_MIXES: + case SET_MASTER_MONO: + if (IPCThreadState::self()->getCallingUid() >= AID_APP_START) { + ALOGW("%s: transaction %d received from PID %d unauthorized UID %d", + __func__, code, IPCThreadState::self()->getCallingPid(), + IPCThreadState::self()->getCallingUid()); + return INVALID_OPERATION; + } + default: + break; + } + switch (code) { case SET_DEVICE_CONNECTION_STATE: { CHECK_INTERFACE(IAudioPolicyService, data, reply); diff --git a/services/audiopolicy/service/AudioPolicyService.cpp b/services/audiopolicy/service/AudioPolicyService.cpp index e5aed9a237..90a5a0f2c4 100644 --- a/services/audiopolicy/service/AudioPolicyService.cpp +++ b/services/audiopolicy/service/AudioPolicyService.cpp @@ -273,7 +273,7 @@ void AudioPolicyService::NotificationClient::onAudioPatchListUpdate() void AudioPolicyService::NotificationClient::onDynamicPolicyMixStateUpdate( const String8& regId, int32_t state) { - if (mAudioPolicyServiceClient != 0) { + if (mAudioPolicyServiceClient != 0 && mUid < AID_APP_START) { mAudioPolicyServiceClient->onDynamicPolicyMixStateUpdate(regId, state); } } @@ -283,7 +283,7 @@ void AudioPolicyService::NotificationClient::onRecordingConfigurationUpdate( const audio_config_base_t *clientConfig, const audio_config_base_t *deviceConfig, audio_patch_handle_t patchHandle) { - if (mAudioPolicyServiceClient != 0) { + if (mAudioPolicyServiceClient != 0 && mUid < AID_APP_START) { mAudioPolicyServiceClient->onRecordingConfigurationUpdate(event, clientInfo, clientConfig, deviceConfig, patchHandle); }