Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 76db1db5 authored by Songchun Fan's avatar Songchun Fan Committed by Song Chun Fan
Browse files

[SettingsProvider] workaround for DevicePolicyResourcesManager 

DevicePolicyResourcesManager.getString() was added in T and called in
many places inside system server. However, it uses
DeviceConfig.getBoolean to determine if a feature is enabled or not. In
the places where it is called from inside system server,
`clearCallingIdentity` was not always called, which can result in
DeviceConfig.getBoolean throwing SecurityException due to mismatched
AttributionSource (calling uid is the caller from the binder client,
while the context is "android" which should have calling uid 0). Context
is "android" because it is inside the system server where the
DevicePolicyManager instance is created. This bug might lead to
unexpected behavior such as packages failing to be uninstalled by admin.

The easiest fix is to place a bypass in SettingsProvider and manually clear
the calling uid there. This fix also allows for the cleanest backporting as
it can be cherry-picked into T without touching all the places where
DevicePolicyResourcesManager.getString() is called in the system server.

BUG: 252663068
Test: manual
Merged-In: I37a6ceb29575593018b93093562c85d49770a43c
Change-Id: I37a6ceb29575593018b93093562c85d49770a43c
(cherry picked from commit b127850f)
parent 2be2258f

core/java/android/provider/Settings.java

+20 −3
Original line number Diff line number Diff line
@@ -3344,9 +3344,26 @@ public final class Settings { 
                    }

                }













                Bundle b;













                // b/252663068: if we're in system server and the caller did not call













                // clearCallingIdentity, the read would fail due to mismatched AttributionSources.













                // TODO(b/256013480): remove this bypass after fixing the callers in system server.













                if (namespace.equals(DeviceConfig.NAMESPACE_DEVICE_POLICY_MANAGER)













                        && Settings.isInSystemServer()













                        && Binder.getCallingUid() != Process.myUid()) {













                    final long token = Binder.clearCallingIdentity();













                    try {













                        // Fetch all flags for the namespace at once for caching purposes













                        b = cp.call(cr.getAttributionSource(),













                                mProviderHolder.mUri.getAuthority(), mCallListCommand, null, args);













                    } finally {













                        Binder.restoreCallingIdentity(token);













                    }













                } else {















                    // Fetch all flags for the namespace at once for caching purposes













                Bundle b = cp.call(cr.getAttributionSource(),













                    b = cp.call(cr.getAttributionSource(),















                            mProviderHolder.mUri.getAuthority(), mCallListCommand, null, args);













                }















                if (b == null) {















                    // Invalid response, return an empty map















                    return keyValues;