Sunday, January 30, 2011

TaintDroid code reading 3.

I read a diff of services/java/com/android/server/LocationManagerService.java.
It is almost the same as the diff of telephony. When a location update message is received, the location is stored in a Taint object as follows:


    location.setLatitude(Taint.addTaintDouble(location.getLatitude(), tag));

But I cannot understand the reason why the obtained value is set again, that is, why setLatitude is called.
The other point I cannot understand is how to distinguish the values. For example, below is the code that stores latitude and longitude.

    location.setLatitude(Taint.addTaintDouble(location.getLatitude(), tag));
    location.setLongitude(Taint.addTaintDouble(location.getLongitude(), tag));

where tag is given as follows:

    int tag = Taint.TAINT_LOCATION;
    if (LocationManager.GPS_PROVIDER.equals(provider)) {
        tag |= Taint.TAINT_LOCATION_GPS;
    }
    if (LocationManager.NETWORK_PROVIDER.equals(provider)) {
        tag |= Taint.TAINT_LOCATION_NET;
    }

Latitude and longitude are added by addTaintDouble, but I cannot see how to distinguish latitude and longitude.
I paste the whole diff below.


diff --git a/services/java/com/android/server/LocationManagerService.java b/services/java/com/android/server/LocationManagerService.java
index bbb43d7..4a5846a 100644
--- a/services/java/com/android/server/LocationManagerService.java
+++ b/services/java/com/android/server/LocationManagerService.java
@@ -68,6 +68,10 @@ import com.android.internal.location.LocationProviderProxy;
 import com.android.internal.location.MockProvider;
 import com.android.internal.location.GpsNetInitiatedHandler;
 
+// begin WITH_TAINT_TRACKING
+import dalvik.system.Taint;
+// end WITH_TAINT_TRACKING
+
 /**
  * The service class that manages LocationProviders and issues location
  * updates and alerts.
@@ -1526,6 +1530,30 @@ public class LocationManagerService extends ILocationManager.Stub implements Run
                         Location location = (Location) msg.obj;
                         String provider = location.getProvider();
 
+   // begin WITH_TAINT_TRACKING
+   int tag = Taint.TAINT_LOCATION;
+   if (LocationManager.GPS_PROVIDER.equals(provider)) {
+       tag |= Taint.TAINT_LOCATION_GPS;
+   }
+   if (LocationManager.NETWORK_PROVIDER.equals(provider)) {
+       tag |= Taint.TAINT_LOCATION_NET;
+   }
+   location.setLatitude(Taint.addTaintDouble(location.getLatitude(), tag));
+   location.setLongitude(Taint.addTaintDouble(location.getLongitude(), tag));
+   if (location.hasAltitude()) {
+       location.setAltitude(Taint.addTaintDouble(location.getAltitude(), tag));
+   }    
+   if (location.hasSpeed()) {
+       location.setSpeed(Taint.addTaintFloat(location.getSpeed(), tag));
+   }    
+   if (location.hasBearing()) {
+       location.setBearing(Taint.addTaintFloat(location.getBearing(), tag));
+   }    
+   if (location.hasAccuracy()) {
+       location.setAccuracy(Taint.addTaintFloat(location.getAccuracy(), tag));
+   }    
+   // end WITH_TAINT_TRACKING
+
                         // notify other providers of the new location
                         for (int i = mProviders.size() - 1; i >= 0; i--) {
                             LocationProviderProxy proxy = mProviders.get(i);
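
Review bot: The read-tag-write-back pattern that starts at `location.setLatitude(Taint.addTaintDouble(location.getLatitude(), tag));` needs a comment explaining why each value is fetched through its getter and then stored again; as written, the only visible reason is that the setter receives the return value of `addTaintDouble` or `addTaintFloat` instead of the original value. The same `tag` is passed for all six fields, so the tag records the source (location, plus the GPS or network provider bit) and not which field a value came from; state that in the comment if it is intended. When `provider` equals neither `GPS_PROVIDER` nor `NETWORK_PROVIDER`, the tag stays at `TAINT_LOCATION` alone, which also deserves a line of documentation. Style: the added lines are indented three spaces from the left margin while the surrounding context is deeply indented, and the four closing braces of the `hasAltitude`, `hasSpeed`, `hasBearing` and `hasAccuracy` blocks carry trailing whitespace.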

Also, the diff of location/java/com/android/internal/location/GpsLocationProvider.java handles things almost the same way as LocationManagerService.java; that is, when a location update message is received, the values are set in a Taint object.
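
A small Java model of the tagging done in the diff above, added here as an illustration; it is not code from TaintDroid or from this post. It composes the tag per provider the same way as the hunk, attaches it to latitude and longitude, and decodes it again as a sink-side check would. The bit values, the `Tainted` wrapper, the `plus` propagation rule and the `decode` helper are assumptions of this sketch; TaintDroid keeps tags inside the Dalvik VM, not in a wrapper object.

```java
import java.util.ArrayList;
import java.util.List;

public class TaintTagDemo {
    // Names mirror the diff; the numeric bit values are constructed for this sketch.
    static final int TAINT_CLEAR = 0x0;
    static final int TAINT_LOCATION = 0x1;
    static final int TAINT_LOCATION_GPS = 0x10;
    static final int TAINT_LOCATION_NET = 0x20;

    // Hypothetical wrapper: a value together with the tag that travels with it.
    static final class Tainted {
        final double value;
        final int tag;
        Tainted(double value, int tag) { this.value = value; this.tag = tag; }
        // Modelled propagation: derived data carries the union of both operands' tags.
        Tainted plus(Tainted other) { return new Tainted(value + other.value, tag | other.tag); }
    }

    // Same composition as the hunk: the base category bit plus one provider bit.
    // "gps" and "network" are the values of LocationManager.GPS_PROVIDER / NETWORK_PROVIDER.
    static int tagFor(String provider) {
        int tag = TAINT_LOCATION;
        if ("gps".equals(provider)) tag |= TAINT_LOCATION_GPS;
        if ("network".equals(provider)) tag |= TAINT_LOCATION_NET;
        return tag;
    }

    // Sink-side check: list which source categories are present in a tag.
    static List<String> decode(int tag) {
        List<String> names = new ArrayList<>();
        if ((tag & TAINT_LOCATION) != 0) names.add("LOCATION");
        if ((tag & TAINT_LOCATION_GPS) != 0) names.add("LOCATION_GPS");
        if ((tag & TAINT_LOCATION_NET) != 0) names.add("LOCATION_NET");
        return names;
    }

    public static void main(String[] args) {
        int tag = tagFor("gps");
        Tainted lat = new Tainted(35.6895, tag);    // constructed sample coordinates
        Tainted lon = new Tainted(139.6917, tag);
        Tainted offset = new Tainted(1.0, TAINT_CLEAR);
        System.out.println("lat tag: " + decode(lat.tag));
        System.out.println("lon tag: " + decode(lon.tag));
        System.out.println("lat + offset tag: " + decode(lat.plus(offset).tag));
        System.out.println("same tag on both fields: " + (lat.tag == lon.tag));
        System.out.println("other provider tag: " + decode(tagFor("passive")));
    }
}
```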

Next, I'll read the diff for media.
