am 52781414: am fa8d83d9: Merge "Restrict lockdown and firewall to AID_SYSTEM." into jb-mr1-dev am: e4e3c9dce2

Original change: undetermined Change-Id: I17c0bfed7fc8c68978901d61e387d7f725a97c9d
2021-05-31 05:47:52 +00:00
parent 99109f95ce e4e3c9dce2
commit 12f1bce81c
1 changed files with 9 additions and 1 deletions
--- a/services/java/com/android/server/ConnectivityService.java
+++ b/services/java/com/android/server/ConnectivityService.java
@@ -77,6 +77,7 @@ import android.os.Looper;
 import android.os.Message;
 import android.os.ParcelFileDescriptor;
 import android.os.PowerManager;
+import android.os.Process;
 import android.os.RemoteException;
 import android.os.ServiceManager;
 import android.os.SystemClock;
@@ -3370,7 +3371,7 @@ public class ConnectivityService extends IConnectivityManager.Stub {

    @Override
    public boolean updateLockdownVpn() {
-        mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+        enforceSystemUid();

        // Tear down existing lockdown if profile was removed
        mLockdownEnabled = LockdownVpnTracker.isEnabled();
@@ -3421,4 +3422,11 @@ public class ConnectivityService extends IConnectivityManager.Stub {
            throw new IllegalStateException("Unavailable in lockdown mode");
        }
    }
+
+    private static void enforceSystemUid() {
+        final int uid = Binder.getCallingUid();
+        if (uid != Process.SYSTEM_UID) {
+            throw new SecurityException("Only available to AID_SYSTEM");
+        }
+    }
 }