
Commit 7fa1b4d0 authored by Hui Yu

Make sure callingPackage belongs to callingUid when checking BG-FGS restrictions.

This is to stop a spoofed packageName from pretending to be an allowListed
packageName so it can bypass the BG-FGS restriction. This applies to
both BG-FGS while-in-use restriction and BG-FGS-start restriction
since these two restrictions are related.

Bug: 216695100
Bug: 215003903
Test: atest cts/tests/app/src/android/app/cts/ActivityManagerSpoofTest.java
Change-Id: Ic14fc331a9b5fbdbcfe6e54a31c8b765513bfd89
parent f372925a
+16 −1
@@ -6475,7 +6475,7 @@ public final class ActiveServices {
            }
        }

        if (ret == REASON_DENIED) {
        if (ret == REASON_DENIED && verifyPackage(callingPackage, callingUid)) {
            final boolean isAllowedPackage =
                    mAllowListWhileInUsePermissionInFgs.contains(callingPackage);
            if (isAllowedPackage) {
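Review bot: When `verifyPackage(callingPackage, callingUid)` returns false in the `ret == REASON_DENIED && ...` condition, the allow-list branch is skipped silently, so a caller presenting a package name that does not belong to its uid leaves no trace. Consider splitting the condition and logging the mismatch (callingPackage and callingUid) before falling through, so a spoofing attempt is visible in system logs. The commit message says the fix covers both the while-in-use and the BG-FGS-start restriction, but only this one call site changes; a short comment here explaining why this single check is sufficient for both would help the next reader.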
@@ -6883,4 +6883,19 @@ public final class ActiveServices {
                /* allowBackgroundActivityStarts */ false)
                != REASON_DENIED;
    }

    /**
     * Checks if a given packageName belongs to a given uid.
     * @param packageName the package of the caller
     * @param uid the uid of the caller
     * @return true or false
     */
    private boolean verifyPackage(String packageName, int uid) {
        if (uid == ROOT_UID || uid == SYSTEM_UID) {
            //System and Root are always allowed
            return true;
        }
        return mAm.getPackageManagerInternal().isSameApp(packageName, uid,
                UserHandle.getUserId(uid));
    }
}
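Review bot: The Javadoc on `verifyPackage` ends with `@return true or false`, which says nothing, and it omits the fact that the package check is skipped entirely for root and system. Suggest something like "@return true if packageName belongs to uid, or if uid is ROOT_UID or SYSTEM_UID", and say what the caller should expect for a null packageName. Also worth confirming: the early return compares the full `uid` against `ROOT_UID` and `SYSTEM_UID`, while the next statement derives a user id from the same value with `UserHandle.getUserId(uid)`; if the uid can carry a non-zero user id, is comparing the app id the intended behaviour? Minor style: `//System and Root are always allowed` needs a space after `//`.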