Loading services/core/java/com/android/server/am/ContentProviderHelper.java +28 −7 Original line number Original line Diff line number Diff line Loading @@ -83,11 +83,13 @@ import com.android.internal.os.BackgroundThread; import com.android.internal.os.TimeoutRecord; import com.android.internal.os.TimeoutRecord; import com.android.internal.util.ArrayUtils; import com.android.internal.util.ArrayUtils; import com.android.internal.util.FrameworkStatsLog; import com.android.internal.util.FrameworkStatsLog; import com.android.server.LocalManagerRegistry; import com.android.server.LocalServices; import com.android.server.LocalServices; import com.android.server.RescueParty; import com.android.server.RescueParty; import com.android.server.pm.UserManagerInternal; import com.android.server.pm.UserManagerInternal; import com.android.server.pm.UserManagerService; import com.android.server.pm.UserManagerService; import com.android.server.pm.pkg.AndroidPackage; import com.android.server.pm.pkg.AndroidPackage; import com.android.server.sdksandbox.SdkSandboxManagerLocal; import java.io.FileDescriptor; import java.io.FileDescriptor; import java.io.PrintWriter; import java.io.PrintWriter; Loading Loading 
@@ -124,13 +126,6 @@ public class ContentProviderHelper { ContentProviderHolder getContentProvider(IApplicationThread caller, String callingPackage, ContentProviderHolder getContentProvider(IApplicationThread caller, String callingPackage, String name, int userId, boolean stable) { String name, int userId, boolean stable) { mService.enforceNotIsolatedCaller("getContentProvider"); mService.enforceNotIsolatedCaller("getContentProvider"); if (Process.isSdkSandboxUid(Binder.getCallingUid())) { // TODO(b/226318628): for sdk sandbox processes only allow accessing CPs registered by // the WebView apk. Slog.w(TAG, "Sdk sandbox process " + Binder.getCallingUid() + " is accessing content provider " + name + ". This access will most likely be blocked in the future"); } if (caller == null) { if (caller == null) { String msg = "null IApplicationThread when getting content provider " + name; String msg = "null IApplicationThread when getting content provider " + name; Slog.w(TAG, msg); Slog.w(TAG, msg); Loading Loading @@ -255,6 +250,7 @@ public class ContentProviderHelper { if (r != null && cpr.canRunHere(r)) { if (r != null && cpr.canRunHere(r)) { checkAssociationAndPermissionLocked(r, cpi, callingUid, userId, checkCrossUser, checkAssociationAndPermissionLocked(r, cpi, callingUid, userId, checkCrossUser, cpr.name.flattenToShortString(), startTime); cpr.name.flattenToShortString(), startTime); enforceContentProviderRestrictionsForSdkSandbox(cpi); // This provider has been published or is in the process // This provider has been published or is in the process // of being published... but it is also allowed to run // of being published... but it is also allowed to run Loading Loading 
@@ -447,6 +443,7 @@ public class ContentProviderHelper { // info and allow the caller to instantiate it. Only do // info and allow the caller to instantiate it. Only do // this if the provider is the same user as the caller's // this if the provider is the same user as the caller's // process, or can run as root (so can be in any process). // process, or can run as root (so can be in any process). enforceContentProviderRestrictionsForSdkSandbox(cpi); return cpr.newHolder(null, true); return cpr.newHolder(null, true); } } Loading Loading @@ -589,6 +586,8 @@ public class ContentProviderHelper { // Return a holder instance even if we are waiting for the publishing of the // Return a holder instance even if we are waiting for the publishing of the // provider, client will check for the holder.provider to see if it needs to wait // provider, client will check for the holder.provider to see if it needs to wait // for it. // for it. //todo(b/265965249) Need to perform cleanup before calling enforce method here enforceContentProviderRestrictionsForSdkSandbox(cpi); return cpr.newHolder(conn, false); return cpr.newHolder(conn, false); } } } } Loading Loading @@ -650,6 +649,7 @@ public class ContentProviderHelper { + " caller=" + callerName + "/" + Binder.getCallingUid()); + " caller=" + callerName + "/" + Binder.getCallingUid()); return null; return null; } } enforceContentProviderRestrictionsForSdkSandbox(cpi); return cpr.newHolder(conn, false); return cpr.newHolder(conn, false); } } Loading Loading @@ -1230,6 +1230,7 @@ public class ContentProviderHelper { appName = r.toString(); appName = r.toString(); } } enforceContentProviderRestrictionsForSdkSandbox(cpi); return checkContentProviderPermission(cpi, callingPid, Binder.getCallingUid(), return checkContentProviderPermission(cpi, callingPid, Binder.getCallingUid(), userId, checkUser, appName); userId, checkUser, appName); } } Loading Loading 
@@ -1998,6 +1999,26 @@ public class ContentProviderHelper { } } } } // Binder.clearCallingIdentity() shouldn't be called before this method // as Binder should have its original callingUid for the check private void enforceContentProviderRestrictionsForSdkSandbox(ProviderInfo cpi) { if (!Process.isSdkSandboxUid(Binder.getCallingUid())) { return; } final SdkSandboxManagerLocal sdkSandboxManagerLocal = LocalManagerRegistry.getManager(SdkSandboxManagerLocal.class); if (sdkSandboxManagerLocal == null) { throw new IllegalStateException("SdkSandboxManagerLocal not found " + "when checking whether SDK sandbox uid may " + "access the contentprovider."); } if (!sdkSandboxManagerLocal .canAccessContentProviderFromSdkSandbox(cpi)) { throw new SecurityException( "SDK sandbox uid may not access contentprovider " + cpi.name); } } /** /** * There are three ways to call this: * There are three ways to call this: * - no provider specified: dump all the providers * - no provider specified: dump all the providers Loading Loading
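Review bot: The new `enforceContentProviderRestrictionsForSdkSandbox` in the 1998 hunk fails open whenever it runs under a cleared calling identity, because `Process.isSdkSandboxUid(Binder.getCallingUid())` then sees a system uid and returns early; that precondition lives only in the comment above the method, and the call site in the 1230 hunk reads `Binder.getCallingUid()` separately, so the two reads can diverge if the identity changes between them. Pass the uid in explicitly instead, `private void enforceContentProviderRestrictionsForSdkSandbox(ProviderInfo cpi, int callingUid)` with `if (!Process.isSdkSandboxUid(callingUid)) return;`, and have each call site forward the uid it already holds (the 255 hunk has `callingUid` in scope; the others can capture `Binder.getCallingUid()` once at method entry and pass that), which turns the comment-only contract into one the compiler checks. The insertion in the 589 hunk carries a `todo(b/265965249)` admitting that cleanup is skipped before the check, so a `SecurityException` thrown there appears to unwind with `conn` already established and never released; that should be resolved in this change, either by releasing the connection on the throw or by moving the check ahead of the point where `conn` is created, since the path is reachable by any sandbox-uid caller. The enclosing methods of every insertion start and end outside the hunks shown, and the same file section is rendered a second time below on this page, where this note applies unchanged.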
services/core/java/com/android/server/am/ContentProviderHelper.java +28 −7 Original line number Original line Diff line number Diff line Loading @@ -83,11 +83,13 @@ import com.android.internal.os.BackgroundThread; import com.android.internal.os.TimeoutRecord; import com.android.internal.os.TimeoutRecord; import com.android.internal.util.ArrayUtils; import com.android.internal.util.ArrayUtils; import com.android.internal.util.FrameworkStatsLog; import com.android.internal.util.FrameworkStatsLog; import com.android.server.LocalManagerRegistry; import com.android.server.LocalServices; import com.android.server.LocalServices; import com.android.server.RescueParty; import com.android.server.RescueParty; import com.android.server.pm.UserManagerInternal; import com.android.server.pm.UserManagerInternal; import com.android.server.pm.UserManagerService; import com.android.server.pm.UserManagerService; import com.android.server.pm.pkg.AndroidPackage; import com.android.server.pm.pkg.AndroidPackage; import com.android.server.sdksandbox.SdkSandboxManagerLocal; import java.io.FileDescriptor; import java.io.FileDescriptor; import java.io.PrintWriter; import java.io.PrintWriter; Loading Loading 
@@ -124,13 +126,6 @@ public class ContentProviderHelper { ContentProviderHolder getContentProvider(IApplicationThread caller, String callingPackage, ContentProviderHolder getContentProvider(IApplicationThread caller, String callingPackage, String name, int userId, boolean stable) { String name, int userId, boolean stable) { mService.enforceNotIsolatedCaller("getContentProvider"); mService.enforceNotIsolatedCaller("getContentProvider"); if (Process.isSdkSandboxUid(Binder.getCallingUid())) { // TODO(b/226318628): for sdk sandbox processes only allow accessing CPs registered by // the WebView apk. Slog.w(TAG, "Sdk sandbox process " + Binder.getCallingUid() + " is accessing content provider " + name + ". This access will most likely be blocked in the future"); } if (caller == null) { if (caller == null) { String msg = "null IApplicationThread when getting content provider " + name; String msg = "null IApplicationThread when getting content provider " + name; Slog.w(TAG, msg); Slog.w(TAG, msg); Loading Loading @@ -255,6 +250,7 @@ public class ContentProviderHelper { if (r != null && cpr.canRunHere(r)) { if (r != null && cpr.canRunHere(r)) { checkAssociationAndPermissionLocked(r, cpi, callingUid, userId, checkCrossUser, checkAssociationAndPermissionLocked(r, cpi, callingUid, userId, checkCrossUser, cpr.name.flattenToShortString(), startTime); cpr.name.flattenToShortString(), startTime); enforceContentProviderRestrictionsForSdkSandbox(cpi); // This provider has been published or is in the process // This provider has been published or is in the process // of being published... but it is also allowed to run // of being published... but it is also allowed to run Loading Loading 
@@ -447,6 +443,7 @@ public class ContentProviderHelper { // info and allow the caller to instantiate it. Only do // info and allow the caller to instantiate it. Only do // this if the provider is the same user as the caller's // this if the provider is the same user as the caller's // process, or can run as root (so can be in any process). // process, or can run as root (so can be in any process). enforceContentProviderRestrictionsForSdkSandbox(cpi); return cpr.newHolder(null, true); return cpr.newHolder(null, true); } } Loading Loading @@ -589,6 +586,8 @@ public class ContentProviderHelper { // Return a holder instance even if we are waiting for the publishing of the // Return a holder instance even if we are waiting for the publishing of the // provider, client will check for the holder.provider to see if it needs to wait // provider, client will check for the holder.provider to see if it needs to wait // for it. // for it. //todo(b/265965249) Need to perform cleanup before calling enforce method here enforceContentProviderRestrictionsForSdkSandbox(cpi); return cpr.newHolder(conn, false); return cpr.newHolder(conn, false); } } } } Loading Loading @@ -650,6 +649,7 @@ public class ContentProviderHelper { + " caller=" + callerName + "/" + Binder.getCallingUid()); + " caller=" + callerName + "/" + Binder.getCallingUid()); return null; return null; } } enforceContentProviderRestrictionsForSdkSandbox(cpi); return cpr.newHolder(conn, false); return cpr.newHolder(conn, false); } } Loading Loading @@ -1230,6 +1230,7 @@ public class ContentProviderHelper { appName = r.toString(); appName = r.toString(); } } enforceContentProviderRestrictionsForSdkSandbox(cpi); return checkContentProviderPermission(cpi, callingPid, Binder.getCallingUid(), return checkContentProviderPermission(cpi, callingPid, Binder.getCallingUid(), userId, checkUser, appName); userId, checkUser, appName); } } Loading Loading 
@@ -1998,6 +1999,26 @@ public class ContentProviderHelper { } } } } // Binder.clearCallingIdentity() shouldn't be called before this method // as Binder should have its original callingUid for the check private void enforceContentProviderRestrictionsForSdkSandbox(ProviderInfo cpi) { if (!Process.isSdkSandboxUid(Binder.getCallingUid())) { return; } final SdkSandboxManagerLocal sdkSandboxManagerLocal = LocalManagerRegistry.getManager(SdkSandboxManagerLocal.class); if (sdkSandboxManagerLocal == null) { throw new IllegalStateException("SdkSandboxManagerLocal not found " + "when checking whether SDK sandbox uid may " + "access the contentprovider."); } if (!sdkSandboxManagerLocal .canAccessContentProviderFromSdkSandbox(cpi)) { throw new SecurityException( "SDK sandbox uid may not access contentprovider " + cpi.name); } } /** /** * There are three ways to call this: * There are three ways to call this: * - no provider specified: dump all the providers * - no provider specified: dump all the providers Loading