Home | History | Annotate | Download | only in audioflinger 
      1 /*
      2  * Copyright (C) 2012 The Android Open Source Project
      3  *
      4  * Licensed under the Apache License, Version 2.0 (the "License");
      5  * you may not use this file except in compliance with the License.
      6  * You may obtain a copy of the License at
      7  *
      8  *      http://www.apache.org/licenses/LICENSE-2.0
      9  *
     10  * Unless required by applicable law or agreed to in writing, software
     11  * distributed under the License is distributed on an "AS IS" BASIS,
     12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     13  * See the License for the specific language governing permissions and
     14  * limitations under the License.
     15  */
     16 
     17 #include <binder/AppOpsManager.h>
     18 #include <binder/IPCThreadState.h>
     19 #include <binder/IServiceManager.h>
     20 #include <binder/PermissionCache.h>
     21 #include <private/android_filesystem_config.h>
     22 #include "ServiceUtilities.h"
     23 
     24 /* When performing permission checks we do not use permission cache for
     25  * runtime permissions (protection level dangerous) as they may change at
     26  * runtime. All other permissions (protection level normal and dangerous)
     27  * can be cached as they never change. Of course all permission checked
     28  * here are platform defined.
     29  */
     30 
     31 namespace android {
     32 
     33 // Not valid until initialized by AudioFlinger constructor.  It would have to be
     34 // re-initialized if the process containing AudioFlinger service forks (which it doesn't).
     35 // This is often used to validate binder interface calls within audioserver
     36 // (e.g. AudioPolicyManager to AudioFlinger).
     37 pid_t getpid_cached;
     38 
     39 // A trusted calling UID may specify the client UID as part of a binder interface call.
     40 // otherwise the calling UID must be equal to the client UID.
     41 bool isTrustedCallingUid(uid_t uid) {
     42     switch (uid) {
     43     case AID_MEDIA:
     44     case AID_AUDIOSERVER:
     45         return true;
     46     default:
     47         return false;
     48     }
     49 }
     50 
     51 bool recordingAllowed(const String16& opPackageName, pid_t pid, uid_t uid) {
     52     // we're always OK.
     53     if (getpid_cached == IPCThreadState::self()->getCallingPid()) return true;
     54 
     55     static const String16 sRecordAudio("android.permission.RECORD_AUDIO");
     56 
     57     // We specify a pid and uid here as mediaserver (aka MediaRecorder or StageFrightRecorder)
     58     // may open a record track on behalf of a client.  Note that pid may be a tid.
     59     // IMPORTANT: Don't use PermissionCache - a runtime permission and may change.
     60     const bool ok = checkPermission(sRecordAudio, pid, uid);
     61     if (!ok) {
     62         ALOGE("Request requires android.permission.RECORD_AUDIO");
     63         return false;
     64     }
     65 
     66     // To permit command-line native tests
     67     if (uid == AID_ROOT) return true;
     68 
     69     String16 checkedOpPackageName = opPackageName;
     70 
     71     // In some cases the calling code has no access to the package it runs under.
     72     // For example, code using the wilhelm framework's OpenSL-ES APIs. In this
     73     // case we will get the packages for the calling UID and pick the first one
     74     // for attributing the app op. This will work correctly for runtime permissions
     75     // as for legacy apps we will toggle the app op for all packages in the UID.
     76     // The caveat is that the operation may be attributed to the wrong package and
     77     // stats based on app ops may be slightly off.
     78     if (checkedOpPackageName.size() <= 0) {
     79         sp<IServiceManager> sm = defaultServiceManager();
     80         sp<IBinder> binder = sm->getService(String16("permission"));
     81         if (binder == 0) {
     82             ALOGE("Cannot get permission service");
     83             return false;
     84         }
     85 
     86         sp<IPermissionController> permCtrl = interface_cast<IPermissionController>(binder);
     87         Vector<String16> packages;
     88 
     89         permCtrl->getPackagesForUid(uid, packages);
     90 
     91         if (packages.isEmpty()) {
     92             ALOGE("No packages for calling UID");
     93             return false;
     94         }
     95         checkedOpPackageName = packages[0];
     96     }
     97 
     98     AppOpsManager appOps;
     99     if (appOps.noteOp(AppOpsManager::OP_RECORD_AUDIO, uid, checkedOpPackageName)
    100             != AppOpsManager::MODE_ALLOWED) {
    101         ALOGE("Request denied by app op OP_RECORD_AUDIO");
    102         return false;
    103     }
    104 
    105     return true;
    106 }
    107 
    108 bool captureAudioOutputAllowed(pid_t pid, uid_t uid) {
    109     if (getpid_cached == IPCThreadState::self()->getCallingPid()) return true;
    110     static const String16 sCaptureAudioOutput("android.permission.CAPTURE_AUDIO_OUTPUT");
    111     bool ok = checkPermission(sCaptureAudioOutput, pid, uid);
    112     if (!ok) ALOGE("Request requires android.permission.CAPTURE_AUDIO_OUTPUT");
    113     return ok;
    114 }
    115 
    116 bool captureHotwordAllowed() {
    117     static const String16 sCaptureHotwordAllowed("android.permission.CAPTURE_AUDIO_HOTWORD");
    118     // IMPORTANT: Use PermissionCache - not a runtime permission and may not change.
    119     bool ok = PermissionCache::checkCallingPermission(sCaptureHotwordAllowed);
    120     if (!ok) ALOGE("android.permission.CAPTURE_AUDIO_HOTWORD");
    121     return ok;
    122 }
    123 
    124 bool settingsAllowed() {
    125     if (getpid_cached == IPCThreadState::self()->getCallingPid()) return true;
    126     static const String16 sAudioSettings("android.permission.MODIFY_AUDIO_SETTINGS");
    127     // IMPORTANT: Use PermissionCache - not a runtime permission and may not change.
    128     bool ok = PermissionCache::checkCallingPermission(sAudioSettings);
    129     if (!ok) ALOGE("Request requires android.permission.MODIFY_AUDIO_SETTINGS");
    130     return ok;
    131 }
    132 
    133 bool modifyAudioRoutingAllowed() {
    134     static const String16 sModifyAudioRoutingAllowed("android.permission.MODIFY_AUDIO_ROUTING");
    135     // IMPORTANT: Use PermissionCache - not a runtime permission and may not change.
    136     bool ok = PermissionCache::checkCallingPermission(sModifyAudioRoutingAllowed);
    137     if (!ok) ALOGE("android.permission.MODIFY_AUDIO_ROUTING");
    138     return ok;
    139 }
    140 
    141 bool dumpAllowed() {
    142     // don't optimize for same pid, since mediaserver never dumps itself
    143     static const String16 sDump("android.permission.DUMP");
    144     // IMPORTANT: Use PermissionCache - not a runtime permission and may not change.
    145     bool ok = PermissionCache::checkCallingPermission(sDump);
    146     // convention is for caller to dump an error message to fd instead of logging here
    147     //if (!ok) ALOGE("Request requires android.permission.DUMP");
    148     return ok;
    149 }
    150 
    151 } // namespace android
    152