DivestOS/Patches/LineageOS-14.1/android_frameworks_base/396611.patch
Tavi 093df020a2
14.1: July ASB picks
Signed-off-by: Tavi <tavi@divested.dev>
2024-07-04 09:19:46 -04:00

48 lines
2.0 KiB
Diff

From e4ea22f79e2995c16f19b45925d4dd66f9813646 Mon Sep 17 00:00:00 2001
From: Martijn Coenen <maco@google.com>
Date: Thu, 29 Feb 2024 12:03:05 +0000
Subject: [PATCH] [BACKPORT] Verify UID of incoming Zygote connections.
Only the system UID should be allowed to connect to the Zygote. While
for generic Zygotes this is also covered by SELinux policy, this is not
true for App Zygotes: the preload code running in an app zygote could
connect to another app zygote socket, if it had access to its (random)
socket address.
On the Java layer, simply check the UID when the connection is made. In
the native layer, this check was already present, but it actually didn't
work in the case where we receive a new incoming connection on the
socket, and receive a 'non-fork' command: in that case, we will simply
exit the native loop, and let the Java layer handle the command, without
any further UID checking.
Modified the native logic to drop new connections with a mismatching
UID, and to keep serving the existing connection (if it was still
there).
Bug: 319081336
Test: manual
(cherry picked from commit 2ffc7cb220e4220b7e108c4043a3f0f2a85b6508)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e397fd3d20c3f409311e411387ec1524ccecf085)
Merged-In: I3f85a17107849e2cd3e82d6ef15c90b9e2f26532
Change-Id: I3f85a17107849e2cd3e82d6ef15c90b9e2f26532
---
core/java/com/android/internal/os/ZygoteConnection.java | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/core/java/com/android/internal/os/ZygoteConnection.java b/core/java/com/android/internal/os/ZygoteConnection.java
index 85d84bb3f9867..40ab4839195bc 100644
--- a/core/java/com/android/internal/os/ZygoteConnection.java
+++ b/core/java/com/android/internal/os/ZygoteConnection.java
@@ -104,6 +104,10 @@ class ZygoteConnection {
Log.e(TAG, "Cannot read peer credentials", ex);
throw ex;
}
+
+ if (peer.getUid() != Process.SYSTEM_UID) {
+ throw new ZygoteSecurityException("Only system UID is allowed to connect to Zygote.");
+ }
}
/**