
Commit 023509e4 authored by Hui Yu's avatar Hui Yu

Make sure callingPackage belongs to callingUid when checking BG-FGS restrictions.

This stops a spoofed packageName from posing as an allowListed
packageName in order to bypass the BG-FGS restriction. It applies to
both the BG-FGS while-in-use restriction and the BG-FGS-start restriction,
since the two restrictions are related.

Bug: 216695100
Bug: 215003903
Test: atest cts/tests/app/src/android/app/cts/ActivityManagerFgsBgStartTest.java#testSpoofPackageName
Change-Id: Ic14fc331a9b5fbdbcfe6e54a31c8b765513bfd89
Merged-In: Ic14fc331a9b5fbdbcfe6e54a31c8b765513bfd89
BYPASS_INCLUSIVE_LANGUAGE_REASON=Legacy API
parent 938c647b
+28 −4
@@ -4983,11 +4983,18 @@ public final class ActiveServices {
            return true;
        }


        if (verifyPackage(callingPackage, callingUid)) { 
            final boolean isWhiteListedPackage = 
                    mWhiteListAllowWhileInUsePermissionInFgs.contains(callingPackage);
            if (isWhiteListedPackage) {
                return true;
            }
        } else {
            EventLog.writeEvent(0x534e4554, "215003903", callingUid,
                    "callingPackage:" + callingPackage + " does not belong to callingUid:"
                    + callingUid);
        }

        // Is the calling UID a device owner app?
        final boolean isDeviceOwner = mAm.mInternal.isDeviceOwner(callingUid);
@@ -5025,4 +5032,21 @@ public final class ActiveServices {
        r.mAllowWhileInUsePermissionInFgs = false;
        r.mLastSetFgsRestrictionTime = 0;
    }

    /**
     * Checks if a given packageName belongs to a given uid.
     * @param packageName the package of the caller
     * @param uid the uid of the caller
     * @return true or false
     */
    private boolean verifyPackage(String packageName, int uid) {
        if (uid == ROOT_UID || uid == SYSTEM_UID) {
            //System and Root are always allowed
            return true;
        }
        final int userId = UserHandle.getUserId(uid);
        final int packageUid = mAm.getPackageManagerInternalLocked()
                .getPackageUid(packageName, PackageManager.MATCH_DEBUG_TRIAGED_MISSING, userId);
        return UserHandle.isSameApp(uid, packageUid);
    }
}
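Review bot: In `verifyPackage` (second hunk), the `uid == ROOT_UID || uid == SYSTEM_UID` shortcut returns true without looking at `packageName`, so for those UIDs the allowlist lookup `mWhiteListAllowWhileInUsePermissionInFgs.contains(callingPackage)` in the first hunk still runs on an unverified string. That is safe only if no root- or system-UID path forwards a package name chosen by another app; where `callingUid` and `callingPackage` come from is outside both hunks, so this needs confirming at the call sites. The Javadoc should state this contract instead of `@return true or false`, for example `@return true if uid is root or system (packageName is not checked), or if packageName resolves in uid's user to the same app id as uid; false otherwise`. The method touched by the first hunk starts and ends outside the visible lines.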