audio: filter reserved binder calls
Block incoming binder calls to audio flinger and audio policy service
for sensitive functions if they are not coming from a system UID.
Bug: 72278478
Test: audio smoke tests. CTS tests for AudioTrack and AudioRecord
Change-Id: I78e02efffe135d5450ced125e51e2084719ca03d
diff --git a/media/libaudioclient/IAudioPolicyService.cpp b/media/libaudioclient/IAudioPolicyService.cpp
index b91e4cf..8f5ff30 100644
--- a/media/libaudioclient/IAudioPolicyService.cpp
+++ b/media/libaudioclient/IAudioPolicyService.cpp
@@ -27,7 +27,7 @@
#include <media/AudioEffect.h>
#include <media/IAudioPolicyService.h>
-
+#include <private/android_filesystem_config.h>
#include <system/audio.h>
namespace android {
@@ -861,6 +861,27 @@
break;
}
+ // make sure the following transactions come from system components
+ switch (code) {
+ case SET_DEVICE_CONNECTION_STATE:
+ case HANDLE_DEVICE_CONFIG_CHANGE:
+ case SET_PHONE_STATE:
+ case SET_RINGER_MODE:
+ case SET_FORCE_USE:
+ case INIT_STREAM_VOLUME:
+ case SET_STREAM_VOLUME:
+ case REGISTER_POLICY_MIXES:
+ case SET_MASTER_MONO:
+ if (IPCThreadState::self()->getCallingUid() >= AID_APP_START) {
+ ALOGW("%s: transaction %d received from PID %d unauthorized UID %d",
+ __func__, code, IPCThreadState::self()->getCallingPid(),
+ IPCThreadState::self()->getCallingUid());
+ return INVALID_OPERATION;
+ }
+ default:
+ break;
+ }
+
switch (code) {
case SET_DEVICE_CONNECTION_STATE: {
CHECK_INTERFACE(IAudioPolicyService, data, reply);