Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 4d9c5470 authored by Hui Yu's avatar Hui Yu Committed by Android Build Coastguard Worker
Browse files

Make sure callingPackage belongs to callingUid when checking BG-FGS restrictions. 

This is to stop spoofed packageName to pretend to be allowListed
packageName so it can bypass the BG-FGS restriction. This applies to
both BG-FGS while-in-use restriction and BG-FGS-start restriction
since these two restrictions are related.

Bug: 216695100
Bug: 215003903
Test: atest cts/tests/app/src/android/app/cts/ActivityManagerFgsBgStartTest.java#testSpoofPackageName
Change-Id: Ic14fc331a9b5fbdbcfe6e54a31c8b765513bfd89
Merged-In: Ic14fc331a9b5fbdbcfe6e54a31c8b765513bfd89
BYPASS_INCLUSIVE_LANGUAGE_REASON=Legacy API
(cherry picked from commit 023509e4)
Merged-In: Ic14fc331a9b5fbdbcfe6e54a31c8b765513bfd89
parent a2212825

services/core/java/com/android/server/am/ActiveServices.java

+28 −4
Original line number Diff line number Diff line
@@ -4983,11 +4983,18 @@ public final class ActiveServices { 
            return true;

        }





        if (verifyPackage(callingPackage, callingUid)) { 

            final boolean isWhiteListedPackage = 

                    mWhiteListAllowWhileInUsePermissionInFgs.contains(callingPackage);

            if (isWhiteListedPackage) {

                return true;

            }

        } else {

            EventLog.writeEvent(0x534e4554, "215003903", callingUid,

                    "callingPackage:" + callingPackage + " does not belong to callingUid:"

                    + callingUid);

        }



        // Is the calling UID a device owner app?

        final boolean isDeviceOwner = mAm.mInternal.isDeviceOwner(callingUid);
@@ -5025,4 +5032,21 @@ public final class ActiveServices { 
        r.mAllowWhileInUsePermissionInFgs = false;

        r.mLastSetFgsRestrictionTime = 0;

    }



    /**

     * Checks if a given packageName belongs to a given uid.

     * @param packageName the package of the caller

     * @param uid the uid of the caller

     * @return true or false

     */

    private boolean verifyPackage(String packageName, int uid) {

        if (uid == ROOT_UID || uid == SYSTEM_UID) {

            //System and Root are always allowed

            return true;

        }

        final int userId = UserHandle.getUserId(uid);

        final int packageUid = mAm.getPackageManagerInternalLocked()

                .getPackageUid(packageName, PackageManager.MATCH_DEBUG_TRIAGED_MISSING, userId);

        return UserHandle.isSameApp(uid, packageUid);

    }

}