Commit 02b90551 authored by Joe Castro

Don't remove permission when cleaning up orphaned tree on uninstall

This is fixing a security bug in a relatively safe way. Fundamentally
this situation shouldn't be happening. It's an artifact of the way that
the manifest parsing is loose with types. We can consider a more
thorough and upstream fix for upcoming OS releases, but for impact risk
mitigation this is a relatively constrained change.

Bug: 225880325
Test: Tests are included for the more thorough fix.
Change-Id: I86801109ce2d9c2750c6dfef4bb0425df0ab135e
Merged-In: I86801109ce2d9c2750c6dfef4bb0425df0ab135e
(cherry picked from commit d8572e27)
parent e8072d98
+0 −21
@@ -4215,7 +4215,6 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt
        }
        boolean changed = false;

        Set<Permission> needsUpdate = null;
        synchronized (mLock) {
            final Iterator<Permission> it = mRegistry.getPermissionTrees().iterator();
            while (it.hasNext()) {
@@ -4234,26 +4233,6 @@ public class PermissionManagerServiceImpl implements PermissionManagerServiceInt
                            + " that used to be declared by " + bp.getPackageName());
                    it.remove();
                }
                if (needsUpdate == null) {
                    needsUpdate = new ArraySet<>();
                }
                needsUpdate.add(bp);
            }
        }
        if (needsUpdate != null) {
            for (final Permission bp : needsUpdate) {
                final AndroidPackage sourcePkg =
                        mPackageManagerInt.getPackage(bp.getPackageName());
                final PackageStateInternal sourcePs =
                        mPackageManagerInt.getPackageStateInternal(bp.getPackageName());
                synchronized (mLock) {
                    if (sourcePkg != null && sourcePs != null) {
                        continue;
                    }
                    Slog.w(TAG, "Removing dangling permission tree: " + bp.getName()
                            + " from package " + bp.getPackageName());
                    mRegistry.removePermission(bp.getName());
                }
            }
        }
        return changed;
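Review bot: With the `if (needsUpdate != null)` loop gone, nothing at this site records why the cleanup stops at `it.remove()` on the tree iterator. The deleted block took the name of an entry from `mRegistry.getPermissionTrees()` and passed it to `mRegistry.removePermission(bp.getName())`, so a tree name was being used as a key to delete a permission; a one-line comment beside `it.remove()` saying that a tree name must not be passed to `removePermission` here would keep a later refactor from reintroducing the call. The removal also drops the `"Removing dangling permission tree"` warning, so consider whether a `Slog.w` without the removal is still wanted for diagnosing trees whose source package is missing. Since the Test: line points to tests for the more thorough fix rather than this one, a regression test on this branch asserting that a permission survives uninstall of a package that declared a tree of the same name would cover the backport itself.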