Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 10a48e10 authored by Rhed Jao's avatar Rhed Jao
Browse files

Enforce cross user permission to queryContentProviders api 

The cl fixes the api allowing application to query providers
installed in other user without holding cross user permission if the
given process name is not null.

Bug: 237405034
Test: atest CrossUserPackageVisibilityTests
Change-Id: I79aa15de7599aadf6f4e0ce7ce7885ba7effb5cb
parent 011618a5

services/core/java/com/android/server/pm/ComputerEngine.java

+2 −0
Original line number Diff line number Diff line
@@ -5008,6 +5008,8 @@ public class ComputerEngine implements Computer { 
        final int callingUid = Binder.getCallingUid();

        final int userId = processName != null ? UserHandle.getUserId(uid)

                : UserHandle.getCallingUserId();

        enforceCrossUserPermission(callingUid, userId, false /* requireFullPermission */,

                false /* checkShell */, "queryContentProviders");

        if (!mUserManager.exists(userId)) return ParceledListSlice.emptyList();

        flags = updateFlagsForComponent(flags, userId);

        ArrayList<ProviderInfo> finalList = null;