mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-13 18:04:35 -05:00
59bf3b75c7
https://review.lineageos.org/c/LineageOS/android_frameworks_base/+/353117 https://review.lineageos.org/q/topic:Q_asb_2023-03 https://review.lineageos.org/q/topic:Q_asb_2023-04 https://review.lineageos.org/q/topic:Q_asb_2023-05 https://review.lineageos.org/q/topic:Q_asb_2023-06 https://review.lineageos.org/q/topic:Q_asb_2023-07 https://review.lineageos.org/q/topic:Q_asb_2023-08 accounted for via patches: https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/376560 https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/376561 https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/376562 https://review.lineageos.org/q/topic:Q_asb_2023-09 https://review.lineageos.org/q/topic:Q_asb_2023-10 https://review.lineageos.org/q/topic:Q_asb_2023-11 accounted for via patches: https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/376563 accounted for via manifest change: https://review.lineageos.org/c/LineageOS/android_external_webp/+/376568 https://review.lineageos.org/q/topic:Q_asb_2023-12 https://review.lineageos.org/q/topic:Q_asb_2024-01 https://review.lineageos.org/q/topic:Q_asb_2024-02 https://review.lineageos.org/q/topic:Q_asb_2024-03 Signed-off-by: Tavi <tavi@divested.dev>
63 lines
3.2 KiB
Diff
63 lines
3.2 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Piyush Mehrotra <piee@google.com>
|
|
Date: Thu, 27 Jul 2023 19:35:14 +0000
|
|
Subject: [PATCH] Check caller's uid in backupAgentCreated callback
|
|
|
|
AM.backupAgentCreated() should enforce that caller belongs the package called in the API.
|
|
|
|
Bug: 289549315
|
|
Test: atest android.security.cts.ActivityManagerTest#testActivityManager_backupAgentCreated_rejectIfCallerUidNotEqualsPackageUid
|
|
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:52b91363583c4e2b68f1a818b067cefe04809285)
|
|
Merged-In: I9f3ae5ec0b8f00e020d471cc0eddf8bd8bdbb82d
|
|
Change-Id: I9f3ae5ec0b8f00e020d471cc0eddf8bd8bdbb82d
|
|
---
|
|
.../server/am/ActivityManagerService.java | 23 +++++++++++++++++--
|
|
1 file changed, 21 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
|
|
index ec8841debb7a..3e99e594a702 100644
|
|
--- a/services/core/java/com/android/server/am/ActivityManagerService.java
|
|
+++ b/services/core/java/com/android/server/am/ActivityManagerService.java
|
|
@@ -3136,6 +3136,22 @@ public class ActivityManagerService extends IActivityManager.Stub
|
|
}
|
|
}
|
|
|
|
+ /**
|
|
+ * Enforces that the uid of the caller matches the uid of the package.
|
|
+ *
|
|
+ * @param packageName the name of the package to match uid against.
|
|
+ * @param callingUid the uid of the caller.
|
|
+ * @throws SecurityException if the calling uid doesn't match uid of the package.
|
|
+ */
|
|
+ private void enforceCallingPackage(String packageName, int callingUid) {
|
|
+ final int userId = UserHandle.getUserId(callingUid);
|
|
+ final int packageUid = getPackageManagerInternalLocked().getPackageUid(packageName,
|
|
+ /*flags=*/ 0, userId);
|
|
+ if (packageUid != callingUid) {
|
|
+ throw new SecurityException(packageName + " does not belong to uid " + callingUid);
|
|
+ }
|
|
+ }
|
|
+
|
|
@Override
|
|
public void setPackageScreenCompatMode(String packageName, int mode) {
|
|
mActivityTaskManager.setPackageScreenCompatMode(packageName, mode);
|
|
@@ -14345,13 +14361,16 @@ public class ActivityManagerService extends IActivityManager.Stub
|
|
// A backup agent has just come up
|
|
@Override
|
|
public void backupAgentCreated(String agentPackageName, IBinder agent, int userId) {
|
|
+ final int callingUid = Binder.getCallingUid();
|
|
+ enforceCallingPackage(agentPackageName, callingUid);
|
|
+
|
|
// Resolve the target user id and enforce permissions.
|
|
- userId = mUserController.handleIncomingUser(Binder.getCallingPid(), Binder.getCallingUid(),
|
|
+ userId = mUserController.handleIncomingUser(Binder.getCallingPid(), callingUid,
|
|
userId, /* allowAll */ false, ALLOW_FULL_ONLY, "backupAgentCreated", null);
|
|
if (DEBUG_BACKUP) {
|
|
Slog.v(TAG_BACKUP, "backupAgentCreated: " + agentPackageName + " = " + agent
|
|
+ " callingUserId = " + UserHandle.getCallingUserId() + " userId = " + userId
|
|
- + " callingUid = " + Binder.getCallingUid() + " uid = " + Process.myUid());
|
|
+ + " callingUid = " + callingUid + " uid = " + Process.myUid());
|
|
}
|
|
|
|
synchronized(this) {
|