summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--cmds/servicemanager/Android.mk2
-rw-r--r--cmds/servicemanager/service_manager.c11
2 files changed, 10 insertions, 3 deletions
diff --git a/cmds/servicemanager/Android.mk b/cmds/servicemanager/Android.mk
index 155cfc5..5bafd53 100644
--- a/cmds/servicemanager/Android.mk
+++ b/cmds/servicemanager/Android.mk
@@ -18,7 +18,7 @@ LOCAL_MODULE_TAGS := optional
include $(BUILD_EXECUTABLE)
include $(CLEAR_VARS)
-LOCAL_SHARED_LIBRARIES := liblog libselinux
+LOCAL_SHARED_LIBRARIES := liblog libcutils libselinux
LOCAL_SRC_FILES := service_manager.c binder.c
LOCAL_CFLAGS += $(svc_c_flags)
LOCAL_MODULE := servicemanager
diff --git a/cmds/servicemanager/service_manager.c b/cmds/servicemanager/service_manager.c
index 7fa9a39..031f848 100644
--- a/cmds/servicemanager/service_manager.c
+++ b/cmds/servicemanager/service_manager.c
@@ -8,6 +8,8 @@
#include <stdlib.h>
#include <string.h>
+#include <cutils/multiuser.h>
+
#include <private/android_filesystem_config.h>
#include <selinux/android.h>
@@ -107,9 +109,14 @@ static bool check_mac_perms_from_lookup(pid_t spid, const char *perm, const char
return allowed;
}
-static int svc_can_register(const uint16_t *name, size_t name_len, pid_t spid)
+static int svc_can_register(const uint16_t *name, size_t name_len, pid_t spid, uid_t uid)
{
const char *perm = "add";
+
+ if (multiuser_get_app_id(uid) >= AID_APP) {
+ return 0; /* Don't allow apps to register services */
+ }
+
return check_mac_perms_from_lookup(spid, perm, str8(name, name_len)) ? 1 : 0;
}
@@ -204,7 +211,7 @@ int do_add_service(struct binder_state *bs,
if (!handle || (len == 0) || (len > 127))
return -1;
- if (!svc_can_register(s, len, spid)) {
+ if (!svc_can_register(s, len, spid, uid)) {
ALOGE("add_service('%s',%x) uid=%d - PERMISSION DENIED\n",
str8(s, len), handle, uid);
return -1;