RESTRICT AUTOMERGE: Allow System user to call getRegistration API.

Bug: 336976105
Test: Verified on CF that only system server is able to bind.
Ignore-AOSP-First: Backporting fix
Flag: EXEMPT Mainline module change.
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d9c9db03fae63ac16d76cd68450e78c4a9285104)
Merged-In: I6ee570b9c432ece71442cb989dd37cf5df35dc55
Change-Id: I6ee570b9c432ece71442cb989dd37cf5df35dc55
diff --git a/app/AndroidManifest.xml b/app/AndroidManifest.xml
index 79a1783..b8ab08b 100644
--- a/app/AndroidManifest.xml
+++ b/app/AndroidManifest.xml
@@ -30,6 +30,7 @@
             android:exported="false">
         </service>
         <service android:name=".service.RemoteProvisioningService"
+            android:permission="android.permission.BIND_RKP_SERVICE"
             android:exported="true">
             <intent-filter>
                 <action android:name="com.android.rkpdapp.IRemoteProvisioning"/>
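Review bot: The added `android:permission="android.permission.BIND_RKP_SERVICE"` on the still-exported service only restricts binding if the platform declares that permission at a signature-level protection on every release this module ships to, and that declaration is not part of this change. Because this is a backport of a Mainline module, confirm the permission is not left undefined on older releases, where the platform would no longer control its protection level. A short comment above the `<service>` element, such as `<!-- Exported for system_server only; binding is gated by BIND_RKP_SERVICE and a caller UID check in the service -->`, would record why `android:exported="true"` is kept.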
diff --git a/app/src/com/android/rkpdapp/service/RemoteProvisioningService.java b/app/src/com/android/rkpdapp/service/RemoteProvisioningService.java
index 544d59d..ae96686 100644
--- a/app/src/com/android/rkpdapp/service/RemoteProvisioningService.java
+++ b/app/src/com/android/rkpdapp/service/RemoteProvisioningService.java
@@ -19,7 +19,9 @@
 import android.app.Service;
 import android.content.Context;
 import android.content.Intent;
+import android.os.Binder;
 import android.os.IBinder;
+import android.os.Process;
 import android.os.RemoteException;
 import android.util.Log;
 
@@ -64,6 +66,14 @@
                     return;
                 }
 
+                // Check that only system process and self calls binding.
+                if (Binder.getCallingUid() != Process.SYSTEM_UID
+                        && Binder.getCallingUid() != Process.myUid()) {
+                    callback.onError(
+                            "Only system server and self are allowed to call RKP service.");
+                    return;
+                }
+
                 SystemInterface systemInterface;
                 try {
                     systemInterface = ServiceManagerInterface.getInstance(irpcName);
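Review bot: The `Binder.getCallingUid() != Process.myUid()` arm of the new check makes the guard pass for every caller if this code runs off the incoming binder thread or after the calling identity has been cleared, because `getCallingUid()` then returns the app's own UID. The enclosing method starts outside the hunk, so confirm the check executes directly inside the binder transaction. The check also sits after an earlier early-return branch (the `return;` in the context above it), so an unauthorized caller still reaches that code; placing the UID check first in the method would avoid this. Consider reading the UID once with `final int callingUid = Binder.getCallingUid();` and logging the rejected UID before `callback.onError(...)`, so that denied calls are visible in device logs rather than reported only to the caller.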