Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 6953052d authored by Manjeet Rulhania's avatar Manjeet Rulhania Committed by Android (Google) Code Review
Browse files

Merge "Fix duplicate permission privilege escalation" into tm-dev

parents dc65d350 a19e17e3

services/core/java/com/android/server/pm/pkg/component/ParsedPermissionUtils.java

+28 −6
Original line number Diff line number Diff line
@@ -26,6 +26,7 @@ import android.content.res.Resources; 
import android.content.res.TypedArray;

import android.content.res.XmlResourceParser;

import android.util.ArrayMap;

import android.util.EventLog;

import android.util.Slog;



import com.android.internal.R;
@@ -36,6 +37,7 @@ import org.xmlpull.v1.XmlPullParserException; 


import java.io.IOException;

import java.util.List;

import java.util.Objects;



/**

 * @hide
@@ -277,8 +279,28 @@ public class ParsedPermissionUtils { 
    }



    /**

     * @return {@code true} if the package declares duplicate permissions with different

     * protection levels.

     * Determines if a duplicate permission is malformed .i.e. defines different protection level

     * or group.

     */

    private static boolean isMalformedDuplicate(ParsedPermission p1, ParsedPermission p2) {

        // Since a permission tree is also added as a permission with normal protection

        // level, we need to skip if the parsedPermission is a permission tree.

        if (p1 == null || p2 == null || p1.isTree() || p2.isTree()) {

            return false;

        }



        if (p1.getProtectionLevel() != p2.getProtectionLevel()) {

            return true;

        }

        if (!Objects.equals(p1.getGroup(), p2.getGroup())) {

            return true;

        }



        return false;

    }



    /**

     * @return {@code true} if the package declares malformed duplicate permissions.

     */

    public static boolean declareDuplicatePermission(@NonNull ParsingPackage pkg) {

        final List<ParsedPermission> permissions = pkg.getPermissions();
@@ -289,10 +311,10 @@ public class ParsedPermissionUtils { 
                final ParsedPermission parsedPermission = permissions.get(i);

                final String name = parsedPermission.getName();

                final ParsedPermission perm = checkDuplicatePerm.get(name);

                // Since a permission tree is also added as a permission with normal protection

                // level, we need to skip if the parsedPermission is a permission tree.

                if (perm != null && !(perm.isTree() || parsedPermission.isTree())

                        && perm.getProtectionLevel() != parsedPermission.getProtectionLevel()) {

                if (isMalformedDuplicate(parsedPermission, perm)) {

                    // Fix for b/213323615

                    EventLog.writeEvent(0x534e4554, "213323615",

                            "The package " + pkg.getPackageName() + " seems malicious");

                    return true;

                }

                checkDuplicatePerm.put(name, parsedPermission);

services/core/java/com/android/server/pm/pkg/parsing/ParsingPackageUtils.java

+1 −1
Original line number Diff line number Diff line
@@ -968,7 +968,7 @@ public class ParsingPackageUtils { 
        if (ParsedPermissionUtils.declareDuplicatePermission(pkg)) {

            return input.error(

                    INSTALL_PARSE_FAILED_MANIFEST_MALFORMED,

                    "Declare duplicate permissions with different protection levels."

                    "Found duplicate permission with a different attribute value."

            );

        }