1 /*
2  * Copyright (C) 2012 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <binder/AppOpsManager.h>
18 #include <binder/IPCThreadState.h>
19 #include <binder/IServiceManager.h>
20 #include <binder/PermissionCache.h>
21 #include <private/android_filesystem_config.h>
22 #include "ServiceUtilities.h"
23 
24 /* When performing permission checks we do not use permission cache for
25  * runtime permissions (protection level dangerous) as they may change at
26  * runtime. All other permissions (protection level normal and dangerous)
27  * can be cached as they never change. Of course all permission checked
28  * here are platform defined.
29  */
30 
31 namespace android {
32 
33 // Not valid until initialized by AudioFlinger constructor.  It would have to be
34 // re-initialized if the process containing AudioFlinger service forks (which it doesn't).
35 // This is often used to validate binder interface calls within audioserver
36 // (e.g. AudioPolicyManager to AudioFlinger).
37 pid_t getpid_cached;
38 
39 // A trusted calling UID may specify the client UID as part of a binder interface call.
40 // otherwise the calling UID must be equal to the client UID.
isTrustedCallingUid(uid_t uid)41 bool isTrustedCallingUid(uid_t uid) {
42     switch (uid) {
43     case AID_MEDIA:
44     case AID_AUDIOSERVER:
45         return true;
46     default:
47         return false;
48     }
49 }
50 
recordingAllowed(const String16 & opPackageName,pid_t pid,uid_t uid)51 bool recordingAllowed(const String16& opPackageName, pid_t pid, uid_t uid) {
52     // we're always OK.
53     if (getpid_cached == IPCThreadState::self()->getCallingPid()) return true;
54 
55     static const String16 sRecordAudio("android.permission.RECORD_AUDIO");
56 
57     // We specify a pid and uid here as mediaserver (aka MediaRecorder or StageFrightRecorder)
58     // may open a record track on behalf of a client.  Note that pid may be a tid.
59     // IMPORTANT: Don't use PermissionCache - a runtime permission and may change.
60     const bool ok = checkPermission(sRecordAudio, pid, uid);
61     if (!ok) {
62         ALOGE("Request requires android.permission.RECORD_AUDIO");
63         return false;
64     }
65 
66     // To permit command-line native tests
67     if (uid == AID_ROOT) return true;
68 
69     String16 checkedOpPackageName = opPackageName;
70 
71     // In some cases the calling code has no access to the package it runs under.
72     // For example, code using the wilhelm framework's OpenSL-ES APIs. In this
73     // case we will get the packages for the calling UID and pick the first one
74     // for attributing the app op. This will work correctly for runtime permissions
75     // as for legacy apps we will toggle the app op for all packages in the UID.
76     // The caveat is that the operation may be attributed to the wrong package and
77     // stats based on app ops may be slightly off.
78     if (checkedOpPackageName.size() <= 0) {
79         sp<IServiceManager> sm = defaultServiceManager();
80         sp<IBinder> binder = sm->getService(String16("permission"));
81         if (binder == 0) {
82             ALOGE("Cannot get permission service");
83             return false;
84         }
85 
86         sp<IPermissionController> permCtrl = interface_cast<IPermissionController>(binder);
87         Vector<String16> packages;
88 
89         permCtrl->getPackagesForUid(uid, packages);
90 
91         if (packages.isEmpty()) {
92             ALOGE("No packages for calling UID");
93             return false;
94         }
95         checkedOpPackageName = packages[0];
96     }
97 
98     AppOpsManager appOps;
99     if (appOps.noteOp(AppOpsManager::OP_RECORD_AUDIO, uid, checkedOpPackageName)
100             != AppOpsManager::MODE_ALLOWED) {
101         ALOGE("Request denied by app op OP_RECORD_AUDIO");
102         return false;
103     }
104 
105     return true;
106 }
107 
captureAudioOutputAllowed(pid_t pid,uid_t uid)108 bool captureAudioOutputAllowed(pid_t pid, uid_t uid) {
109     if (getpid_cached == IPCThreadState::self()->getCallingPid()) return true;
110     static const String16 sCaptureAudioOutput("android.permission.CAPTURE_AUDIO_OUTPUT");
111     bool ok = checkPermission(sCaptureAudioOutput, pid, uid);
112     if (!ok) ALOGE("Request requires android.permission.CAPTURE_AUDIO_OUTPUT");
113     return ok;
114 }
115 
captureHotwordAllowed()116 bool captureHotwordAllowed() {
117     static const String16 sCaptureHotwordAllowed("android.permission.CAPTURE_AUDIO_HOTWORD");
118     // IMPORTANT: Use PermissionCache - not a runtime permission and may not change.
119     bool ok = PermissionCache::checkCallingPermission(sCaptureHotwordAllowed);
120     if (!ok) ALOGE("android.permission.CAPTURE_AUDIO_HOTWORD");
121     return ok;
122 }
123 
settingsAllowed()124 bool settingsAllowed() {
125     if (getpid_cached == IPCThreadState::self()->getCallingPid()) return true;
126     static const String16 sAudioSettings("android.permission.MODIFY_AUDIO_SETTINGS");
127     // IMPORTANT: Use PermissionCache - not a runtime permission and may not change.
128     bool ok = PermissionCache::checkCallingPermission(sAudioSettings);
129     if (!ok) ALOGE("Request requires android.permission.MODIFY_AUDIO_SETTINGS");
130     return ok;
131 }
132 
modifyAudioRoutingAllowed()133 bool modifyAudioRoutingAllowed() {
134     static const String16 sModifyAudioRoutingAllowed("android.permission.MODIFY_AUDIO_ROUTING");
135     // IMPORTANT: Use PermissionCache - not a runtime permission and may not change.
136     bool ok = PermissionCache::checkCallingPermission(sModifyAudioRoutingAllowed);
137     if (!ok) ALOGE("android.permission.MODIFY_AUDIO_ROUTING");
138     return ok;
139 }
140 
dumpAllowed()141 bool dumpAllowed() {
142     // don't optimize for same pid, since mediaserver never dumps itself
143     static const String16 sDump("android.permission.DUMP");
144     // IMPORTANT: Use PermissionCache - not a runtime permission and may not change.
145     bool ok = PermissionCache::checkCallingPermission(sDump);
146     // convention is for caller to dump an error message to fd instead of logging here
147     //if (!ok) ALOGE("Request requires android.permission.DUMP");
148     return ok;
149 }
150 
151 } // namespace android
152