From be7b89e155b48f51482adf90695300f6b963e0de Mon Sep 17 00:00:00 2001
From: Robert Shih <robertshih@google.com>
Date: Wed, 12 Feb 2020 20:02:34 -0800
Subject: [PATCH] wv hidl: only mediashell/mediadrmserver can call signRSA

Merge of go/wvgerrit/93524

Bug: 134787536
Bug: 148895349
Test: VtsHalDrmV1_3TargetTest
Change-Id: I48fb63d044271243fa1d290443d437f0697994d3
---
 libwvdrmengine/mediadrm/src_hidl/WVDrmPlugin.cpp | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/libwvdrmengine/mediadrm/src_hidl/WVDrmPlugin.cpp b/libwvdrmengine/mediadrm/src_hidl/WVDrmPlugin.cpp
index 528b0f2e..2c9abf0a 100644
--- a/libwvdrmengine/mediadrm/src_hidl/WVDrmPlugin.cpp
+++ b/libwvdrmengine/mediadrm/src_hidl/WVDrmPlugin.cpp
@@ -6,8 +6,10 @@
 
 //#define LOG_NDEBUG 0
 #define LOG_TAG "WVCdm"
+#include <hwbinder/IPCThreadState.h>
 #include <utils/Log.h>
 
+#include <cstring>
 #include <list>
 #include <stdlib.h>
 #include <string>
@@ -1721,6 +1723,14 @@ Return<void> WVDrmPlugin::signRSA(
     const hidl_vec<uint8_t>& wrappedKey,
     signRSA_cb _hidl_cb) {
 
+  const auto& self = android::hardware::IPCThreadState::self();
+  const char* sid = self->getCallingSid();
+  if (!sid || (!strstr(sid, "mediashell_app") && !strstr(sid, "mediadrmserver"))) {
+    ALOGE("Only mediashell/mediadrmserver can call signRSA");
+    _hidl_cb(Status::ERROR_DRM_UNKNOWN, hidl_vec<uint8_t>());
+    return Void();
+  }
+
   if (sessionId.size() == 0 || algorithm.size() == 0 ||
       message.size() == 0 || wrappedKey.size() == 0) {
     _hidl_cb(Status::BAD_VALUE, hidl_vec<uint8_t>());