author | Rajesh Nyamagoud <nyamagoud@google.com> | 2021-11-23 06:00:32 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2021-11-23 06:00:32 +0000 |
commit | a352d74ecc1c2f628f6192645f409594a0206528 (patch) | |
tree | 7edc8922167cbe2e12a2d90d718cdd30f82c8fcf | |
parent | e0808a31dc8239d74f0ae0e66a2ff0ca1422ed85 (diff) | |
parent | be4162e3e8499ec06e9ff6e1bde770eb417cbb34 (diff) | |
download | SecureElement-a352d74ecc1c2f628f6192645f409594a0206528.tar.gz |
Vendor modules are allowed access eSE only am: 62971439b8 am: 7585bd9583 am: edf3dd9dc1 am: be4162e3e8
Original change: https://android-review.googlesource.com/c/platform/packages/apps/SecureElement/+/1844197
Change-Id: I9733a0efeadee1ac6f81f4a19f199da3cb9484e9
-rw-r--r-- | src/com/android/se/SecureElementService.java | 52 |
1 files changed, 47 insertions, 5 deletions
diff --git a/src/com/android/se/SecureElementService.java b/src/com/android/se/SecureElementService.java
index c7187e1..a493767 100644
--- a/src/com/android/se/SecureElementService.java
+++ b/src/com/android/se/SecureElementService.java
@@ -55,6 +55,7 @@ import java.util.ArrayList;
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.NoSuchElementException;
+import java.util.Vector;
 
 /**
 * Underlying implementation for OMAPI SEService
@@ -74,14 +75,49 @@ public final class SecureElementService extends Service {
 
 @Override
 public String[] getReaders() throws RemoteException {
- return mTerminals.keySet().toArray(new String[mTerminals.size()]);
+ try {
+ // This determines calling process is application/framework
+ String packageName = getPackageNameFromCallingUid(Binder.getCallingUid());
+ Log.d(mTag, "getReaders() for " + packageName);
+ return mTerminals.keySet().toArray(new String[mTerminals.size()]);
+ } catch (AccessControlException e) {
+ // since packagename not found, UUID might be used to access
+ // allow only to use eSE readers with UUID based requests
+ Vector<String> eSEReaders = new Vector<String>();
+ for (String reader : mTerminals.keySet()) {
+ if (reader.startsWith(SecureElementService.ESE_TERMINAL)) {
+ Log.i(mTag, "Adding Reader: " + reader);
+ eSEReaders.add(reader);
+ }
+ }
+
+ return eSEReaders.toArray(new String[eSEReaders.size()]);
+ }
 }
 
 @Override
 public ISecureElementReader getReader(String reader) throws RemoteException {
 Log.d(mTag, "getReader() " + reader);
- Terminal terminal = getTerminal(reader);
- return terminal.new SecureElementReader(SecureElementService.this);
+ Terminal terminal = null;
+ try {
+ // This determines calling process is application/framework
+ String packageName = getPackageNameFromCallingUid(Binder.getCallingUid());
+ Log.d(mTag, "getReader() for " + packageName);
+ terminal = getTerminal(reader);
+ } catch (AccessControlException e) {
+ // since packagename not found, UUID might be used to access
+ // allow only to use eSE readers with UUID based requests
+ if (reader.startsWith(SecureElementService.ESE_TERMINAL)) {
+ terminal = getTerminal(reader);
+ } else {
+ Log.d(mTag, "only eSE readers can access SE using UUID");
+ }
+ }
+ if (terminal != null) {
+ return terminal.new SecureElementReader(SecureElementService.this);
+ } else {
+ throw new IllegalArgumentException("Reader: " + reader + " not supported");
+ }
 }
 
 @Override
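Review bot: In getReader(), the refusal of a non-eSE reader to a caller with no package name is logged only at debug level and then reported as `IllegalArgumentException("Reader: ... not supported")`, so an access-control denial is indistinguishable from a mistyped reader name, both in the logs and for the client. A warning that records the caller would make these denials auditable, e.g. `Log.w(mTag, "getReader() denied for uid " + Binder.getCallingUid() + ": " + reader);`. Both catch blocks also treat any failed package lookup as a UUID-based caller without checking that a UUID mapping exists for that UID; that check appears to happen only at channel open (the openBasicChannel()/openLogicalChannel() hunks), which deserves a comment here such as `// UUID mapping itself is verified when a channel is opened`. `Vector` in getReaders() can be the already imported `ArrayList`, as the list never leaves the method.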
@@ -346,7 +382,10 @@ public final class SecureElementService extends Service {
 // provided by vendors for the calling process UID
 // (vendor provide UUID mapping for native services to access secure element)
 Log.d(mTag, "openBasicChannel() trying to find mapping uuid");
- uuid = getUUIDFromCallingUid(Binder.getCallingUid());
+ // Allow UUID based access only on embedded secure elements eSE.
+ if (mReader.getTerminal().getName().startsWith(SecureElementService.ESE_TERMINAL)) {
+ uuid = getUUIDFromCallingUid(Binder.getCallingUid());
+ }
 if (uuid == null) {
 Log.e(mTag, "openBasicChannel() uuid mapping for calling uid is not found");
 throw e;
@@ -402,7 +441,10 @@ public final class SecureElementService extends Service {
 // provided by vendors for the calling process UID
 // (vendor provide UUID mapping for native services to access secure element)
 Log.d(mTag, "openLogicalChannel() trying to find mapping uuid");
- uuid = getUUIDFromCallingUid(Binder.getCallingUid());
+ // Allow UUID based access only on embedded secure elements eSE.
+ if (mReader.getTerminal().getName().startsWith(SecureElementService.ESE_TERMINAL)) {
+ uuid = getUUIDFromCallingUid(Binder.getCallingUid());
+ }
 if (uuid == null) {
 Log.e(mTag, "openLogicalChannel() uuid mapping for calling uid is not found");
 throw e; |
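Review bot: When the terminal is not an eSE, `uuid` is left untouched and the code falls into the existing `uuid == null` branch, which logs "uuid mapping for calling uid is not found" although no lookup was attempted; the same applies to the openLogicalChannel() hunk below. A separate message for the policy refusal, e.g. `Log.e(mTag, "openBasicChannel() UUID based access is allowed only on eSE");`, would keep the two causes apart during triage. This also relies on `uuid` being initialised to null before the hunk, which is not visible here. The prefix test `getName().startsWith(SecureElementService.ESE_TERMINAL)` now appears in four places across this commit, so a small helper such as `isEseTerminal(String name)` would keep the gate consistent; the enclosing methods start and end outside both hunks.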