From 69fc5f8bd10ad3415a59a268b7e6f7b751f4aa9f Mon Sep 17 00:00:00 2001
From: Jeff Sharkey <jsharkey@android.com>
Date: Thu, 6 Sep 2012 17:54:29 -0700
Subject: [PATCH] Restrict lockdown and firewall to AID_SYSTEM.

Bug: 7076289
Change-Id: Iafa3054335e8b1c3c8c3b8db2a4191d4ed4c8c41
---
 .../java/com/android/server/ConnectivityService.java   | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/services/java/com/android/server/ConnectivityService.java b/services/java/com/android/server/ConnectivityService.java
index cbbfda18c3..3a338a9847 100644
--- a/services/java/com/android/server/ConnectivityService.java
+++ b/services/java/com/android/server/ConnectivityService.java
@@ -77,6 +77,7 @@ import android.os.Looper;
 import android.os.Message;
 import android.os.ParcelFileDescriptor;
 import android.os.PowerManager;
+import android.os.Process;
 import android.os.RemoteException;
 import android.os.ServiceManager;
 import android.os.SystemClock;
@@ -3370,7 +3371,7 @@ public class ConnectivityService extends IConnectivityManager.Stub {
 
     @Override
     public boolean updateLockdownVpn() {
-        mContext.enforceCallingOrSelfPermission(CONNECTIVITY_INTERNAL, TAG);
+        enforceSystemUid();
 
         // Tear down existing lockdown if profile was removed
         mLockdownEnabled = LockdownVpnTracker.isEnabled();
@@ -3421,4 +3422,11 @@ public class ConnectivityService extends IConnectivityManager.Stub {
             throw new IllegalStateException("Unavailable in lockdown mode");
         }
     }
+
+    private static void enforceSystemUid() {
+        final int uid = Binder.getCallingUid();
+        if (uid != Process.SYSTEM_UID) {
+            throw new SecurityException("Only available to AID_SYSTEM");
+        }
+    }
 }