Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 744a05e9 authored by Rhed Jao's avatar Rhed Jao
Browse files

Fix cross user package visibility leakage for queryInstrumentation 

Returns false for querying instrumentation APIs if the target package
does not installed in the calling user.

Also adding a user id parameter to APIs for the system modules to
specify the correct user id when querying the instrumentation.

NoNonSdkCheck: The equivalent apis are available in PackageManager.
Bug: 229684723
Test: atest CrossUserPackageVisibilityTests
Change-Id: I0798e543705cb8866231ee376e07b853b419b6f3
parent a7a7a9c1

cmds/am/src/com/android/commands/am/Instrument.java

+2 −1
Original line number Diff line number Diff line
@@ -425,7 +425,8 @@ public class Instrument { 
            if (cn == null) throw new IllegalArgumentException("Bad component name: " + cnArg);

            return cn;

        } else {

            List<InstrumentationInfo> infos = mPm.queryInstrumentation(null, 0).getList();

            List<InstrumentationInfo> infos = mPm.queryInstrumentationAsUser(

                    null, 0, userId).getList();



            final int numInfos = infos == null ? 0: infos.size();

            ArrayList<ComponentName> cns = new ArrayList<>();

core/java/android/app/ActivityThread.java

+6 −3
Original line number Diff line number Diff line
@@ -6863,9 +6863,12 @@ public final class ActivityThread extends ClientTransactionHandler 
    private InstrumentationInfo prepareInstrumentation(AppBindData data) {

        final InstrumentationInfo ii;

        try {

            ii = new ApplicationPackageManager(null, getPackageManager())

                    .getInstrumentationInfo(data.instrumentationName, 0);

        } catch (PackageManager.NameNotFoundException e) {

            ii = getPackageManager().getInstrumentationInfoAsUser(data.instrumentationName,

                    0 /* flags */, UserHandle.myUserId());

        } catch (RemoteException e) {

            throw e.rethrowFromSystemServer();

        }

        if (ii == null) {

            throw new RuntimeException(

                    "Unable to find instrumentation info for: " + data.instrumentationName);

        }

core/java/android/app/ApplicationPackageManager.java

+3 −3
Original line number Diff line number Diff line
@@ -1695,8 +1695,8 @@ public class ApplicationPackageManager extends PackageManager { 
        ComponentName className, int flags)

            throws NameNotFoundException {

        try {

            InstrumentationInfo ii = mPM.getInstrumentationInfo(

                className, flags);

            InstrumentationInfo ii = mPM.getInstrumentationInfoAsUser(

                    className, flags, getUserId());

            if (ii != null) {

                return ii;

            }
@@ -1713,7 +1713,7 @@ public class ApplicationPackageManager extends PackageManager { 
        String targetPackage, int flags) {

        try {

            ParceledListSlice<InstrumentationInfo> parceledList =

                    mPM.queryInstrumentation(targetPackage, flags);

                    mPM.queryInstrumentationAsUser(targetPackage, flags, getUserId());

            if (parceledList == null) {

                return Collections.emptyList();

            }

core/java/android/content/pm/IPackageManager.aidl

+4 −6
Original line number Diff line number Diff line
@@ -201,13 +201,11 @@ interface IPackageManager { 
    ParceledListSlice queryContentProviders(

            String processName, int uid, long flags, String metaDataKey);



    @UnsupportedAppUsage

    InstrumentationInfo getInstrumentationInfo(

            in ComponentName className, int flags);

    InstrumentationInfo getInstrumentationInfoAsUser(

            in ComponentName className, int flags, int userId);



    @UnsupportedAppUsage(maxTargetSdk = 30, trackingBug = 170729553)

    ParceledListSlice queryInstrumentation(

            String targetPackage, int flags);

    ParceledListSlice queryInstrumentationAsUser(

            String targetPackage, int flags, int userId);



    void finishPackageInstall(int token, boolean didLaunch);

services/core/java/com/android/server/am/ActivityManagerService.java

+4 −7
Original line number Diff line number Diff line
@@ -14528,6 +14528,7 @@ public class ActivityManagerService extends IActivityManager.Stub 
        if (arguments != null && arguments.hasFileDescriptors()) {

            throw new IllegalArgumentException("File descriptors passed in Bundle");

        }

        final IPackageManager pm = AppGlobals.getPackageManager();















        synchronized(this) {















            InstrumentationInfo ii = null;









@@ -14536,11 +14537,8 @@ public class ActivityManagerService extends IActivityManager.Stub













            boolean noRestart = (flags & INSTR_FLAG_NO_RESTART) != 0;





























            try {













                ii = mContext.getPackageManager().getInstrumentationInfo(













                        className, STOCK_PM_FLAGS);













                ai = AppGlobals.getPackageManager().getApplicationInfo(













                        ii.targetPackage, STOCK_PM_FLAGS, userId);













            } catch (PackageManager.NameNotFoundException e) {













                ii = pm.getInstrumentationInfoAsUser(className, STOCK_PM_FLAGS, userId);













                ai = pm.getApplicationInfo(ii.targetPackage, STOCK_PM_FLAGS, userId);















            } catch (RemoteException e) {















            }















            if (ii == null) {










@@ -14568,8 +14566,7 @@ public class ActivityManagerService extends IActivityManager.Stub



























            int match = SIGNATURE_NO_MATCH;















            try {













                match = AppGlobals.getPackageManager().checkSignatures(













                        ii.targetPackage, ii.packageName, userId);













                match = pm.checkSignatures(ii.targetPackage, ii.packageName, userId);















            } catch (RemoteException e) {















            }















            if (match < 0 && match != PackageManager.SIGNATURE_FIRST_NOT_SIGNED) {