commit 10b7123bd6ce29fe756422aeedc5cfe469c4309f
author Eric Laurent <elaurent@google.com> Fri Apr 13 18:14:44 2018 -0700
committer Eric Laurent <elaurent@google.com> Fri Apr 13 18:18:49 2018 -0700
tree 340803c949b9500ce5e2873fbf874fcec782fd3f
parent 258fb48d1498c8d34d6877700db993938cc89f71

audiopolicy: clear caller identity before calling audio policy manager

Audio policy manager methods must always be executed with the
level of priviledge of audioserver process.
After checking calling permissions, audio policy service will
clear binder caller identity before calling into audio policy manager.

Also add restrictions for start source and stop source binder
transactions.

Bug: 77869640
Test: manual audio smoke tests
Change-Id: I993d4fddcea9bfa3f44093c38406b85d69ca8890

services/audiopolicy/service/AudioPolicyService.h

diff --git a/services/audiopolicy/service/AudioPolicyService.h b/services/audiopolicy/service/AudioPolicyService.h
index b3bc12b..d8dd797 100644
--- a/services/audiopolicy/service/AudioPolicyService.h
+++ b/services/audiopolicy/service/AudioPolicyService.h
@@ -640,6 +640,22 @@
         bool isVirtualDevice;          // uses vitual device: updated by APM::getInputForAttr()
     };
 
+    // A class automatically clearing and restoring binder caller identity inside
+    // a code block (scoped variable)
+    // Declare one systematically before calling AudioPolicyManager methods so that they are
+    // executed with the same level of privilege as audioserver process.
+    class AutoCallerClear {
+    public:
+            AutoCallerClear() :
+                mToken(IPCThreadState::self()->clearCallingIdentity()) {}
+            ~AutoCallerClear() {
+                IPCThreadState::self()->restoreCallingIdentity(mToken);
+            }
+
+    private:
+        const   int64_t mToken;
+    };
+
     // Internal dump utilities.
     status_t dumpPermissionDenial(int fd);