authorRajesh Nyamagoud <nyamagoud@google.com>2021-11-23 06:00:32 +0000
committerAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>2021-11-23 06:00:32 +0000
commita352d74ecc1c2f628f6192645f409594a0206528 (patch)
tree7edc8922167cbe2e12a2d90d718cdd30f82c8fcf
parente0808a31dc8239d74f0ae0e66a2ff0ca1422ed85 (diff)
parentbe4162e3e8499ec06e9ff6e1bde770eb417cbb34 (diff)
downloadSecureElement-a352d74ecc1c2f628f6192645f409594a0206528.tar.gz
Vendor modules are allowed access eSE only am: 62971439b8 am: 7585bd9583 am: edf3dd9dc1 am: be4162e3e8
Original change: https://android-review.googlesource.com/c/platform/packages/apps/SecureElement/+/1844197 Change-Id: I9733a0efeadee1ac6f81f4a19f199da3cb9484e9
-rw-r--r--src/com/android/se/SecureElementService.java52
1 files changed, 47 insertions, 5 deletions
diff --git a/src/com/android/se/SecureElementService.java b/src/com/android/se/SecureElementService.java
index c7187e1..a493767 100644
--- a/src/com/android/se/SecureElementService.java
+++ b/src/com/android/se/SecureElementService.java
@@ -55,6 +55,7 @@ import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.NoSuchElementException;
+import java.util.Vector;
/**
* Underlying implementation for OMAPI SEService
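Review bot: `java.util.Vector` is imported here only for the temporary list built in the `getReaders()` catch block, and it is a legacy synchronized collection that a method-local list does not need. `ArrayList` and `List` are already imported (the hunk header and context lines show both), so this import can be dropped and the local declared as `List<String> eSEReaders = new ArrayList<>();`.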
@@ -74,14 +75,49 @@ public final class SecureElementService extends Service {
@Override
public String[] getReaders() throws RemoteException {
- return mTerminals.keySet().toArray(new String[mTerminals.size()]);
+ try {
+ // This determines calling process is application/framework
+ String packageName = getPackageNameFromCallingUid(Binder.getCallingUid());
+ Log.d(mTag, "getReaders() for " + packageName);
+ return mTerminals.keySet().toArray(new String[mTerminals.size()]);
+ } catch (AccessControlException e) {
+ // since packagename not found, UUID might be used to access
+ // allow only to use eSE readers with UUID based requests
+ Vector<String> eSEReaders = new Vector<String>();
+ for (String reader : mTerminals.keySet()) {
+ if (reader.startsWith(SecureElementService.ESE_TERMINAL)) {
+ Log.i(mTag, "Adding Reader: " + reader);
+ eSEReaders.add(reader);
+ }
+ }
+
+ return eSEReaders.toArray(new String[eSEReaders.size()]);
+ }
}
@Override
public ISecureElementReader getReader(String reader) throws RemoteException {
Log.d(mTag, "getReader() " + reader);
- Terminal terminal = getTerminal(reader);
- return terminal.new SecureElementReader(SecureElementService.this);
+ Terminal terminal = null;
+ try {
+ // This determines calling process is application/framework
+ String packageName = getPackageNameFromCallingUid(Binder.getCallingUid());
+ Log.d(mTag, "getReader() for " + packageName);
+ terminal = getTerminal(reader);
+ } catch (AccessControlException e) {
+ // since packagename not found, UUID might be used to access
+ // allow only to use eSE readers with UUID based requests
+ if (reader.startsWith(SecureElementService.ESE_TERMINAL)) {
+ terminal = getTerminal(reader);
+ } else {
+ Log.d(mTag, "only eSE readers can access SE using UUID");
+ }
+ }
+ if (terminal != null) {
+ return terminal.new SecureElementReader(SecureElementService.this);
+ } else {
+ throw new IllegalArgumentException("Reader: " + reader + " not supported");
+ }
}
@Override
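Review bot: Both catch blocks treat a failed package-name lookup as if the caller were a vendor module, but nothing in `getReaders()` or `getReader()` checks that the calling UID actually has a UUID mapping, so any caller whose lookup throws `AccessControlException` still receives the eSE reader names and a `SecureElementReader` for them. The mapping is only consulted later in `openBasicChannel()`/`openLogicalChannel()`; if that deferral is not intentional, start each catch block with `if (getUUIDFromCallingUid(Binder.getCallingUid()) == null) throw e;`, assuming the helper returns null for an unmapped UID as the later hunks suggest. In `getReader()` the catch path also dereferences the Binder-supplied `reader` in `reader.startsWith(...)` without a null check, and the refusal of a non-eSE reader is logged only at `Log.d` without the calling UID, which makes denied requests hard to audit.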
@@ -346,7 +382,10 @@ public final class SecureElementService extends Service {
// provided by vendors for the calling process UID
// (vendor provide UUID mapping for native services to access secure element)
Log.d(mTag, "openBasicChannel() trying to find mapping uuid");
- uuid = getUUIDFromCallingUid(Binder.getCallingUid());
+ // Allow UUID based access only on embedded secure elements eSE.
+ if (mReader.getTerminal().getName().startsWith(SecureElementService.ESE_TERMINAL)) {
+ uuid = getUUIDFromCallingUid(Binder.getCallingUid());
+ }
if (uuid == null) {
Log.e(mTag, "openBasicChannel() uuid mapping for calling uid is not found");
throw e;
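Review bot: When the reader is not an eSE, the new guard skips the lookup and execution falls into the existing `uuid == null` branch, which logs "uuid mapping for calling uid is not found" even though no lookup was attempted; the same applies to the `openLogicalChannel()` hunk that follows. An `else` branch such as `Log.w(mTag, "openBasicChannel() UUID based access refused on non-eSE reader");` would keep the two denial reasons distinguishable in logs. The prefix test against `SecureElementService.ESE_TERMINAL` now appears four times in this commit, so a small private helper taking the reader name would keep the policy in one place. The enclosing method starts and ends outside the hunk, so this assumes `uuid` is initialised to null before the catch block.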
@@ -402,7 +441,10 @@ public final class SecureElementService extends Service {
// provided by vendors for the calling process UID
// (vendor provide UUID mapping for native services to access secure element)
Log.d(mTag, "openLogicalChannel() trying to find mapping uuid");
- uuid = getUUIDFromCallingUid(Binder.getCallingUid());
+ // Allow UUID based access only on embedded secure elements eSE.
+ if (mReader.getTerminal().getName().startsWith(SecureElementService.ESE_TERMINAL)) {
+ uuid = getUUIDFromCallingUid(Binder.getCallingUid());
+ }
if (uuid == null) {
Log.e(mTag, "openLogicalChannel() uuid mapping for calling uid is not found");
throw e;