drmserver: use getCallingSid
Bug: 121035042
Test: `atest android.drm.cts`
CtsDrmTestCases: Passed: 43, Failed: 0
Change-Id: Ia85f437da29821d08dd585f87ac096de5f85b980
diff --git a/drm/drmserver/DrmManagerService.cpp b/drm/drmserver/DrmManagerService.cpp
index 2532275..2600a2c 100644
--- a/drm/drmserver/DrmManagerService.cpp
+++ b/drm/drmserver/DrmManagerService.cpp
@@ -58,22 +58,26 @@
return drm_perm_labels[index];
}
-bool DrmManagerService::selinuxIsProtectedCallAllowed(pid_t spid, drm_perm_t perm) {
+bool DrmManagerService::selinuxIsProtectedCallAllowed(pid_t spid, const char* ssid, drm_perm_t perm) {
if (selinux_enabled <= 0) {
return true;
}
- char *sctx;
+ char *sctx = NULL;
const char *selinux_class = "drmservice";
const char *str_perm = get_perm_label(perm);
- if (getpidcon(spid, &sctx) != 0) {
- ALOGE("SELinux: getpidcon(pid=%d) failed.\n", spid);
- return false;
+ if (ssid == NULL) {
+ android_errorWriteLog(0x534e4554, "121035042");
+
+ if (getpidcon(spid, &sctx) != 0) {
+ ALOGE("SELinux: getpidcon(pid=%d) failed.\n", spid);
+ return false;
+ }
}
- bool allowed = (selinux_check_access(sctx, drmserver_context, selinux_class,
- str_perm, NULL) == 0);
+ bool allowed = (selinux_check_access(ssid ? ssid : sctx, drmserver_context,
+ selinux_class, str_perm, NULL) == 0);
freecon(sctx);
return allowed;
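Review bot: When `ssid` is NULL the new branch logs the event and then still authorizes from `getpidcon(spid, &sctx)`, so the PID-based lookup this commit moves away from remains reachable; a context read that way belongs to whichever process holds the PID at lookup time, which is not necessarily the caller. Since `instantiate()` now calls `setRequestingSid(true)`, a NULL SID during a binder call should be unexpected, so consider failing closed with `return false;` right after the `android_errorWriteLog` call. If the fallback has to stay for compatibility, a comment saying why would help. The magic number also deserves a comment, e.g. `// 0x534e4554 ("SNET") is the SafetyNet event-log tag`. The function's closing brace lies outside the hunk.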
@@ -86,10 +90,11 @@
IPCThreadState* ipcState = IPCThreadState::self();
uid_t uid = ipcState->getCallingUid();
pid_t spid = ipcState->getCallingPid();
+ const char* ssid = ipcState->getCallingSid();
for (unsigned int i = 0; i < trustedUids.size(); ++i) {
if (trustedUids[i] == uid) {
- return selinuxIsProtectedCallAllowed(spid, perm);
+ return selinuxIsProtectedCallAllowed(spid, ssid, perm);
}
}
return false;
@@ -97,7 +102,9 @@
void DrmManagerService::instantiate() {
ALOGV("instantiate");
- defaultServiceManager()->addService(String16("drm.drmManager"), new DrmManagerService());
+ sp<DrmManagerService> service = new DrmManagerService();
+ service->setRequestingSid(true);
+ defaultServiceManager()->addService(String16("drm.drmManager"), service);
if (0 >= trustedUids.size()) {
// TODO
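Review bot: The ordering of `service->setRequestingSid(true)` before `addService()` is load-bearing but undocumented. As far as I know the binder API expects the flag to be set before the object is handed to another process, and without it `getCallingSid()` yields NULL and `selinuxIsProtectedCallAllowed` drops to its `getpidcon` fallback. Suggest a comment above the call, e.g. `// Must precede addService(): asks binder to deliver the caller's SELinux context so getCallingSid() is non-NULL.` The body of `instantiate()` continues past the end of the hunk.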
diff --git a/drm/drmserver/DrmManagerService.h b/drm/drmserver/DrmManagerService.h
index 7aaeab5..2e27a3c 100644
--- a/drm/drmserver/DrmManagerService.h
+++ b/drm/drmserver/DrmManagerService.h
@@ -60,7 +60,7 @@
static const char *get_perm_label(drm_perm_t perm);
- static bool selinuxIsProtectedCallAllowed(pid_t spid, drm_perm_t perm);
+ static bool selinuxIsProtectedCallAllowed(pid_t spid, const char* ssid, drm_perm_t perm);
static bool isProtectedCallAllowed(drm_perm_t perm);