From 41b7c708217752a4b30cc022b5917957274c47e2 Mon Sep 17 00:00:00 2001 From: Tri Vo Date: Fri, 22 Mar 2019 16:55:56 -0700 Subject: Check /dev/binder access before calling defaultServiceManager() Vendor processes do not have access to /dev/binder. Calling defaultServiceManager() without RW permission will crash the process with error message "Binder driver could not be opened. Terminating." Normally, VNDK version of libcutils.so would not have the codepath of ashmemd. However, on non-VNDK this codepath is exercised. We check if the current process has permissions to /dev/binder before calling defaultServiceManager() to avoid crashing. The calling code in libcutils.so handles inability to connect ashmemd correctly. It will fall back to opening /dev/ashmem directly. Vendor code should already have permissions for that. This SELinux denial shows which permissions need to be checked for: avc: denied { read write } for name="binder" dev="tmpfs" ino=5570 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:binder_device:s0 tclass=chr_file permissive=0 Note that the problem only manifests on non-VNDK devices. Bug: 129073672 Test: ashmemd_test Test: VtsHalSensorsV1_0TargetTest --gtest_filter=SensorsHidlTest.AccelerometerAshmemDirectReportOperationNormal Change-Id: I6f4992fd701de77db7b0f9a1b0f1c7b58e547aec --- ashmemd_client.cpp | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ashmemd_client.cpp b/ashmemd_client.cpp index 3380209..04227ba 100644 --- a/ashmemd_client.cpp +++ b/ashmemd_client.cpp @@ -28,6 +28,11 @@ namespace android { namespace ashmemd { sp getAshmemService() { + // Calls to defaultServiceManager() crash the process if it doesn't have appropriate + // binder permissions. Check these permissions proactively. + if (access("/dev/binder", R_OK | W_OK) != 0) { + return nullptr; + } sp sm = android::defaultServiceManager(); sp binder = sm->checkService(String16("ashmem_device_service")); return interface_cast(binder); -- cgit v1.2.3