1 /*
2 * Copyright (C) 2012 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <binder/AppOpsManager.h>
18 #include <binder/IPCThreadState.h>
19 #include <binder/IServiceManager.h>
20 #include <binder/PermissionCache.h>
21 #include <private/android_filesystem_config.h>
22 #include "ServiceUtilities.h"
23
24 /* When performing permission checks we do not use permission cache for
25 * runtime permissions (protection level dangerous) as they may change at
26 * runtime. All other permissions (protection level normal and dangerous)
27 * can be cached as they never change. Of course all permission checked
28 * here are platform defined.
29 */
30
31 namespace android {
32
33 // Not valid until initialized by AudioFlinger constructor. It would have to be
34 // re-initialized if the process containing AudioFlinger service forks (which it doesn't).
35 // This is often used to validate binder interface calls within audioserver
36 // (e.g. AudioPolicyManager to AudioFlinger).
37 pid_t getpid_cached;
38
39 // A trusted calling UID may specify the client UID as part of a binder interface call.
40 // otherwise the calling UID must be equal to the client UID.
isTrustedCallingUid(uid_t uid)41 bool isTrustedCallingUid(uid_t uid) {
42 switch (uid) {
43 case AID_MEDIA:
44 case AID_AUDIOSERVER:
45 return true;
46 default:
47 return false;
48 }
49 }
50
recordingAllowed(const String16 & opPackageName,pid_t pid,uid_t uid)51 bool recordingAllowed(const String16& opPackageName, pid_t pid, uid_t uid) {
52 // we're always OK.
53 if (getpid_cached == IPCThreadState::self()->getCallingPid()) return true;
54
55 static const String16 sRecordAudio("android.permission.RECORD_AUDIO");
56
57 // We specify a pid and uid here as mediaserver (aka MediaRecorder or StageFrightRecorder)
58 // may open a record track on behalf of a client. Note that pid may be a tid.
59 // IMPORTANT: Don't use PermissionCache - a runtime permission and may change.
60 const bool ok = checkPermission(sRecordAudio, pid, uid);
61 if (!ok) {
62 ALOGE("Request requires android.permission.RECORD_AUDIO");
63 return false;
64 }
65
66 // To permit command-line native tests
67 if (uid == AID_ROOT) return true;
68
69 String16 checkedOpPackageName = opPackageName;
70
71 // In some cases the calling code has no access to the package it runs under.
72 // For example, code using the wilhelm framework's OpenSL-ES APIs. In this
73 // case we will get the packages for the calling UID and pick the first one
74 // for attributing the app op. This will work correctly for runtime permissions
75 // as for legacy apps we will toggle the app op for all packages in the UID.
76 // The caveat is that the operation may be attributed to the wrong package and
77 // stats based on app ops may be slightly off.
78 if (checkedOpPackageName.size() <= 0) {
79 sp<IServiceManager> sm = defaultServiceManager();
80 sp<IBinder> binder = sm->getService(String16("permission"));
81 if (binder == 0) {
82 ALOGE("Cannot get permission service");
83 return false;
84 }
85
86 sp<IPermissionController> permCtrl = interface_cast<IPermissionController>(binder);
87 Vector<String16> packages;
88
89 permCtrl->getPackagesForUid(uid, packages);
90
91 if (packages.isEmpty()) {
92 ALOGE("No packages for calling UID");
93 return false;
94 }
95 checkedOpPackageName = packages[0];
96 }
97
98 AppOpsManager appOps;
99 if (appOps.noteOp(AppOpsManager::OP_RECORD_AUDIO, uid, checkedOpPackageName)
100 != AppOpsManager::MODE_ALLOWED) {
101 ALOGE("Request denied by app op OP_RECORD_AUDIO");
102 return false;
103 }
104
105 return true;
106 }
107
captureAudioOutputAllowed(pid_t pid,uid_t uid)108 bool captureAudioOutputAllowed(pid_t pid, uid_t uid) {
109 if (getpid_cached == IPCThreadState::self()->getCallingPid()) return true;
110 static const String16 sCaptureAudioOutput("android.permission.CAPTURE_AUDIO_OUTPUT");
111 bool ok = checkPermission(sCaptureAudioOutput, pid, uid);
112 if (!ok) ALOGE("Request requires android.permission.CAPTURE_AUDIO_OUTPUT");
113 return ok;
114 }
115
captureHotwordAllowed()116 bool captureHotwordAllowed() {
117 static const String16 sCaptureHotwordAllowed("android.permission.CAPTURE_AUDIO_HOTWORD");
118 // IMPORTANT: Use PermissionCache - not a runtime permission and may not change.
119 bool ok = PermissionCache::checkCallingPermission(sCaptureHotwordAllowed);
120 if (!ok) ALOGE("android.permission.CAPTURE_AUDIO_HOTWORD");
121 return ok;
122 }
123
settingsAllowed()124 bool settingsAllowed() {
125 if (getpid_cached == IPCThreadState::self()->getCallingPid()) return true;
126 static const String16 sAudioSettings("android.permission.MODIFY_AUDIO_SETTINGS");
127 // IMPORTANT: Use PermissionCache - not a runtime permission and may not change.
128 bool ok = PermissionCache::checkCallingPermission(sAudioSettings);
129 if (!ok) ALOGE("Request requires android.permission.MODIFY_AUDIO_SETTINGS");
130 return ok;
131 }
132
modifyAudioRoutingAllowed()133 bool modifyAudioRoutingAllowed() {
134 static const String16 sModifyAudioRoutingAllowed("android.permission.MODIFY_AUDIO_ROUTING");
135 // IMPORTANT: Use PermissionCache - not a runtime permission and may not change.
136 bool ok = PermissionCache::checkCallingPermission(sModifyAudioRoutingAllowed);
137 if (!ok) ALOGE("android.permission.MODIFY_AUDIO_ROUTING");
138 return ok;
139 }
140
dumpAllowed()141 bool dumpAllowed() {
142 // don't optimize for same pid, since mediaserver never dumps itself
143 static const String16 sDump("android.permission.DUMP");
144 // IMPORTANT: Use PermissionCache - not a runtime permission and may not change.
145 bool ok = PermissionCache::checkCallingPermission(sDump);
146 // convention is for caller to dump an error message to fd instead of logging here
147 //if (!ok) ALOGE("Request requires android.permission.DUMP");
148 return ok;
149 }
150
151 } // namespace android
152