Commit 263c70d6 authored by Chirayu Desai, committed by Michael Bestas

hasRestrictedModeAccess: Clear calling identity when checking network capabilities

* This code ends up being called from Datura, the firewall app,
  which would fail with:
java.lang.SecurityException: Package android does not belong to 10139
   at android.net.NetworkPolicyManager.removeUidPolicy(NetworkPolicyManager.java:352)
   at org.calyxos.datura.settings.SettingsManager.setAppRestriction(SettingsManager.java:108)
Caused by: android.os.RemoteException: Remote stack trace:
   at android.app.AppOpsManager.checkPackage(AppOpsManager.java:8552)
   at com.android.server.ConnectivityService.getNetworkCapabilities(ConnectivityService.java:2042)
   at android.net.ConnectivityManager.getNetworkCapabilities(ConnectivityManager.java:1563)
   at com.android.server.net.NetworkPolicyManagerService.hasRestrictedModeAccess(NetworkPolicyManagerService.java:4133)
   at com.android.server.net.NetworkPolicyManagerService.getNewRestrictedModeUidRule(NetworkPolicyManagerService.java:4116)
Package android does not belong to 10139
  where 10139 is the uid of the firewall app
* This should be safe since we're only checking the capabilities here,
  and not actually returning anything anywhere - just a boolean

Change-Id: Ia0b5790be19ad5aece0d30ae8e1a465f45f4fed6
parent 3792f09d
+4 −0
@@ -4252,9 +4252,11 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
    }

    private boolean hasRestrictedModeAccess(int uid) {
        final long token = Binder.clearCallingIdentity();
        try {
            NetworkCapabilities nc = mConnManager.getNetworkCapabilities(
                    mConnManager.getActiveNetwork());
            Binder.restoreCallingIdentity(token);
            int policy = getUidPolicy(uid);
            if (nc != null
                    && ((nc.hasTransport(TRANSPORT_VPN) && ((policy & POLICY_REJECT_VPN) != 0))
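Review bot: Binder.clearCallingIdentity() at the top of hasRestrictedModeAccess() has no comment explaining why the lookup has to run with the system identity. The reason (ConnectivityService rejecting package "android" against the firewall app's uid) is recorded only in the commit message. A one-line comment above `final long token = Binder.clearCallingIdentity();` would keep that context next to the code, and it should also say that getUidPolicy(uid) and the checks after it are meant to run with the caller's identity restored.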
@@ -4274,6 +4276,8 @@ public class NetworkPolicyManagerService extends INetworkPolicyManager.Stub {
                    == PERMISSION_GRANTED;
        } catch (RemoteException e) {
            return false;
        } finally {
            Binder.restoreCallingIdentity(token);
        }
    }
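Review bot: The finally block restores the token a second time on the normal path, because the try body already calls Binder.restoreCallingIdentity(token) right after getNetworkCapabilities(). As written, the finally only does real work when that call throws. Consider wrapping just the getNetworkCapabilities() call in its own try/finally so the identity is restored exactly once, and the window in which the calling identity is cleared is limited to the capabilities lookup that the commit message describes.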