Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 19a655d7 authored by Pinyao Ting's avatar Pinyao Ting
Browse files

Prevend user spoofing in isRequestPinItemSupported 

This CL ensure the caller process is from the same user when calling
ShortcutService#isRequestPinItemSupported.

Bug: 191772737
Test: atest ShortcutManagerTest1 ShortcutManagerTest2
    ShortcutManagerTest3 ShortcutManagerTest4 ShortcutManagerTest5
    ShortcutManagerTest6 ShortcutManagerTest7 ShortcutManagerTest8
    ShortcutManagerTest9 ShortcutManagerTest10 ShortcutManagerTest11
    ShortcutManagerTest12
Test: atest CtsShortcutManagerTestCases
Change-Id: Icab7cdf25b870b88ecfde9b99e107bbeda0eb485
parent 72922c8a

services/core/java/com/android/server/pm/ShortcutService.java

+15 −0
Original line number Diff line number Diff line
@@ -1664,6 +1664,19 @@ public class ShortcutService extends IShortcutService.Stub { 
        mContext.enforceCallingPermission(permission, message);

    }



    private void verifyCallerUserId(@UserIdInt int userId) {

        if (isCallerSystem()) {

            return; // no check

        }



        final int callingUid = injectBinderCallingUid();



        // Otherwise, make sure the arguments are valid.

        if (UserHandle.getUserId(callingUid) != userId) {

            throw new SecurityException("Invalid user-ID");

        }

    }



    private void verifyCaller(@NonNull String packageName, @UserIdInt int userId) {

        Preconditions.checkStringNotEmpty(packageName, "packageName");
@@ -2847,6 +2860,8 @@ public class ShortcutService extends IShortcutService.Stub { 


    @Override

    public boolean isRequestPinItemSupported(int callingUserId, int requestType) {

        verifyCallerUserId(callingUserId);



        final long token = injectClearCallingIdentity();

        try {

            return mShortcutRequestPinProcessor