
Commit 646dde0a authored by Jeff Sharkey

No direct Uri grants from system.

The system should never be extending Uri permission grants from
itself, since it automatically holds all the permissions.  Instead,
the system should always be a mediator between two specific apps, and
it should be using startActivityAsCaller() if it needs to extend
permissions.

Blocking at this level fixes an entire class of confused deputy
security issues.

There is a small exemption for the "com.android.settings.files"
authority which is used for photo cropping in the Settings app.

Test: builds, normal intent resolution UI works
Bug: 33019296, 35158271
Change-Id: I3f0de58facedab8767541291b5dfa022fa2e4414
parent a5af24cd
+15 −7
@@ -8528,7 +8528,16 @@ public class ActivityManagerService extends IActivityManager.Stub
        // Third...  does the caller itself have permission to access
        // this uri?
        if (UserHandle.getAppId(callingUid) != Process.SYSTEM_UID) {
        final int callingAppId = UserHandle.getAppId(callingUid);
        if ((callingAppId == Process.SYSTEM_UID) || (callingAppId == Process.ROOT_UID)) {
            if ("com.android.settings.files".equals(grantUri.uri.getAuthority())) {
                // Exempted authority for cropping user photos in Settings app
            } else {
                Slog.w(TAG, "For security reasons, the system cannot issue a Uri permission"
                        + " grant to " + grantUri + "; use startActivityAsCaller() instead");
                return -1;
            }
        }
        if (!checkHoldingPermissionsLocked(pm, pi, grantUri, callingUid, modeFlags)) {
            // Require they hold a strong enough Uri permission
            if (!checkUriPermissionLocked(grantUri, callingUid, modeFlags)) {
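Review bot: the new condition `if ((callingAppId == Process.SYSTEM_UID) || (callingAppId == Process.ROOT_UID))` also blocks root, but the commit message only talks about the system; either mention ROOT_UID in the message or drop it from the check so the two agree. On the exemption in the same block: it is a bare authority-string match on "com.android.settings.files", so any system or root caller can still issue a grant for any path under that authority, and nothing here ties the authority to the Settings package; consider narrowing the exemption or documenting why an authority match alone is sufficient. Note also a behavioural change: the removed `if (UserHandle.getAppId(callingUid) != Process.SYSTEM_UID) {` skipped checkHoldingPermissionsLocked entirely for the system, whereas the new code lets an exempted system or root grant fall through into that check, which is worth confirming as intended for ROOT_UID. Finally, the empty then-branch carrying only the comment reads better inverted, e.g. `if (!"com.android.settings.files".equals(grantUri.uri.getAuthority())) {` with the Slog.w and `return -1` inside and the exemption explained in a comment above it.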
@@ -8536,7 +8545,6 @@ public class ActivityManagerService extends IActivityManager.Stub
                        + " does not have permission to uri " + grantUri);
            }
        }
        }
        return targetUid;
    }