Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 5ac50a8f authored by Martijn Coenen's avatar Martijn Coenen Committed by Android (Google) Code Review
Browse files

Merge "Deny supplemental processes access to blob store."

parents c18c3b05 fcd87716

apex/blobstore/service/java/com/android/server/blob/BlobStoreManagerService.java

+10 −10
Original line number Diff line number Diff line
@@ -1376,6 +1376,11 @@ public class BlobStoreManagerService extends SystemService { 
        }

    }



    private boolean isAllowedBlobAccess(int uid, String packageName) {

        return (!Process.isSupplemental(uid) && !Process.isIsolated(uid)

                && !mPackageManagerInternal.isInstantApp(packageName, UserHandle.getUserId(uid)));

    }



    private class PackageChangedReceiver extends BroadcastReceiver {

        @Override

        public void onReceive(Context context, Intent intent) {
@@ -1437,8 +1442,7 @@ public class BlobStoreManagerService extends SystemService { 
            final int callingUid = Binder.getCallingUid();

            verifyCallingPackage(callingUid, packageName);



            if (Process.isIsolated(callingUid) || mPackageManagerInternal.isInstantApp(

                    packageName, UserHandle.getUserId(callingUid))) {

            if (!isAllowedBlobAccess(callingUid, packageName)) {

                throw new SecurityException("Caller not allowed to create session; "

                        + "callingUid=" + callingUid + ", callingPackage=" + packageName);

            }
@@ -1487,8 +1491,7 @@ public class BlobStoreManagerService extends SystemService { 
            final int callingUid = Binder.getCallingUid();

            verifyCallingPackage(callingUid, packageName);



            if (Process.isIsolated(callingUid) || mPackageManagerInternal.isInstantApp(

                    packageName, UserHandle.getUserId(callingUid))) {

            if (!isAllowedBlobAccess(callingUid, packageName)) {

                throw new SecurityException("Caller not allowed to open blob; "

                        + "callingUid=" + callingUid + ", callingPackage=" + packageName);

            }
@@ -1519,8 +1522,7 @@ public class BlobStoreManagerService extends SystemService { 
            final int callingUid = Binder.getCallingUid();

            verifyCallingPackage(callingUid, packageName);



            if (Process.isIsolated(callingUid) || mPackageManagerInternal.isInstantApp(

                    packageName, UserHandle.getUserId(callingUid))) {

            if (!isAllowedBlobAccess(callingUid, packageName)) {

                throw new SecurityException("Caller not allowed to open blob; "

                        + "callingUid=" + callingUid + ", callingPackage=" + packageName);

            }
@@ -1544,8 +1546,7 @@ public class BlobStoreManagerService extends SystemService { 
            final int callingUid = Binder.getCallingUid();

            verifyCallingPackage(callingUid, packageName);



            if (Process.isIsolated(callingUid) || mPackageManagerInternal.isInstantApp(

                    packageName, UserHandle.getUserId(callingUid))) {

            if (!isAllowedBlobAccess(callingUid, packageName)) {

                throw new SecurityException("Caller not allowed to open blob; "

                        + "callingUid=" + callingUid + ", callingPackage=" + packageName);

            }
@@ -1628,8 +1629,7 @@ public class BlobStoreManagerService extends SystemService { 
            final int callingUid = Binder.getCallingUid();

            verifyCallingPackage(callingUid, packageName);



            if (Process.isIsolated(callingUid) || mPackageManagerInternal.isInstantApp(

                    packageName, UserHandle.getUserId(callingUid))) {

            if (!isAllowedBlobAccess(callingUid, packageName)) {

                throw new SecurityException("Caller not allowed to open blob; "

                        + "callingUid=" + callingUid + ", callingPackage=" + packageName);

            }