
Commit 52b91363 authored by Piyush Mehrotra's avatar Piyush Mehrotra

[DO NOT MERGE] Check caller's uid in backupAgentCreated callback

AM.backupAgentCreated() should enforce that the caller belongs to the package named in the API call.

Bug: 289549315
Test: atest android.security.cts.ActivityManagerTest#testActivityManager_backupAgentCreated_rejectIfCallerUidNotEqualsPackageUid
Change-Id: I9f3ae5ec0b8f00e020d471cc0eddf8bd8bdbb82d
parent ba41b02d
+21 −2
@@ -3280,6 +3280,22 @@ public class ActivityManagerService extends IActivityManager.Stub
        }
    }
    /**
     * Enforces that the uid of the caller matches the uid of the package.
     *
     * @param packageName the name of the package to match uid against.
     * @param callingUid the uid of the caller.
     * @throws SecurityException if the calling uid doesn't match uid of the package.
     */
    private void enforceCallingPackage(String packageName, int callingUid) {
        final int userId = UserHandle.getUserId(callingUid);
        final int packageUid = getPackageManagerInternalLocked().getPackageUid(packageName,
                /*flags=*/ 0, userId);
        if (packageUid != callingUid) {
            throw new SecurityException(packageName + " does not belong to uid " + callingUid);
        }
    }
    @Override
    public void setPackageScreenCompatMode(String packageName, int mode) {
        mActivityTaskManager.setPackageScreenCompatMode(packageName, mode);
@@ -15452,13 +15468,16 @@ public class ActivityManagerService extends IActivityManager.Stub
    // A backup agent has just come up
    @Override
    public void backupAgentCreated(String agentPackageName, IBinder agent, int userId) {
        final int callingUid = Binder.getCallingUid();
        enforceCallingPackage(agentPackageName, callingUid);
        // Resolve the target user id and enforce permissions.
        userId = mUserController.handleIncomingUser(Binder.getCallingPid(), Binder.getCallingUid(),
        userId = mUserController.handleIncomingUser(Binder.getCallingPid(), callingUid,
                userId, /* allowAll */ false, ALLOW_FULL_ONLY, "backupAgentCreated", null);
        if (DEBUG_BACKUP) {
            Slog.v(TAG_BACKUP, "backupAgentCreated: " + agentPackageName + " = " + agent
                    + " callingUserId = " + UserHandle.getCallingUserId() + " userId = " + userId
                    + " callingUid = " + Binder.getCallingUid() + " uid = " + Process.myUid());
                    + " callingUid = " + callingUid + " uid = " + Process.myUid());
        }
        synchronized(this) {
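Review bot: In `backupAgentCreated`, the new ownership check is made in the caller's own user, because `enforceCallingPackage` derives `userId` from `callingUid`, while the binder-supplied `userId` is only resolved afterwards by `handleIncomingUser`, so the two can differ for a caller that is permitted to act across users. If that is intended, say so at the call site, e.g. `// Ownership is checked in the caller's own user; the userId argument is validated separately below.` The Javadoc on `enforceCallingPackage` should also state what happens for a null or uninstalled `packageName`: the comparison relies on `getPackageUid` returning a value that can never equal a real calling uid (presumably an invalid-uid sentinel; worth confirming), and packages that share a uid will pass for each other. The body of `backupAgentCreated` continues past the end of this hunk, so how `agentPackageName` is matched against the backup target is not visible here.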