Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 7ff418d9 authored by Jeff Sharkey's avatar Jeff Sharkey
Browse files

Grant MMS Uri permissions as the calling UID. 

A recent security fix prevents the system UID from handing out Uri
permission grants directly from itself.  Instead, services need to
issue grants as the original calling UID to ensure that the caller
actually has access to the Uris.

Test: builds, boots, send/recv MMS works in primary/secondary users
Bug: 33231106
Change-Id: Ia9fe19843b52977c8a94ee5349b907beda1882fc
parent 589f3099

core/java/android/app/ActivityManagerInternal.java

+7 −0
Original line number Diff line number Diff line
@@ -61,6 +61,13 @@ public abstract class ActivityManagerInternal { 
     */

    public static final int APP_TRANSITION_TIMEOUT = 3;



    /**

     * Grant Uri permissions from one app to another. This method only extends

     * permission grants if {@code callingUid} has permission to them.

     */

    public abstract void grantUriPermissionFromIntent(int callingUid, String targetPkg,

            Intent intent, int targetUserId);



    /**

     * Verify that calling app has access to the given provider.

     */

services/core/java/com/android/server/MmsServiceBroker.java

+13 −2
Original line number Diff line number Diff line
@@ -17,6 +17,7 @@ 
package com.android.server;



import android.Manifest;

import android.app.ActivityManagerInternal;

import android.app.AppOpsManager;

import android.app.PendingIntent;

import android.content.ComponentName;
@@ -499,13 +500,21 @@ public class MmsServiceBroker extends SystemService { 
         */

        private Uri adjustUriForUserAndGrantPermission(Uri contentUri, String action,

                int permission) {

            final Intent grantIntent = new Intent();

            grantIntent.setData(contentUri);

            grantIntent.setFlags(permission);



            final int callingUid = Binder.getCallingUid();

            final int callingUserId = UserHandle.getCallingUserId();

            if (callingUserId != UserHandle.USER_SYSTEM) {

                contentUri = ContentProvider.maybeAddUserId(contentUri, callingUserId);

            }



            long token = Binder.clearCallingIdentity();

            try {

                mContext.grantUriPermission(PHONE_PACKAGE_NAME, contentUri, permission);

                LocalServices.getService(ActivityManagerInternal.class)

                        .grantUriPermissionFromIntent(callingUid, PHONE_PACKAGE_NAME,

                                grantIntent, UserHandle.USER_SYSTEM);



                // Grant permission for the carrier app.

                Intent intent = new Intent(action);
@@ -514,7 +523,9 @@ public class MmsServiceBroker extends SystemService { 
                List<String> carrierPackages = telephonyManager.getCarrierPackageNamesForIntent(

                        intent);

                if (carrierPackages != null && carrierPackages.size() == 1) {

                    mContext.grantUriPermission(carrierPackages.get(0), contentUri, permission);

                    LocalServices.getService(ActivityManagerInternal.class)

                            .grantUriPermissionFromIntent(callingUid, carrierPackages.get(0),

                                    grantIntent, UserHandle.USER_SYSTEM);

                }

            } finally {

                Binder.restoreCallingIdentity(token);

services/core/java/com/android/server/am/ActivityManagerService.java

+9 −0
Original line number Diff line number Diff line
@@ -22128,6 +22128,15 @@ public class ActivityManagerService extends IActivityManager.Stub 
    }















    private final class LocalService extends ActivityManagerInternal {













        @Override













        public void grantUriPermissionFromIntent(int callingUid, String targetPkg, Intent intent,













                int targetUserId) {













            synchronized (ActivityManagerService.this) {













                ActivityManagerService.this.grantUriPermissionFromIntentLocked(callingUid,













                        targetPkg, intent, null, targetUserId);













            }













        }



























        @Override















        public String checkContentProviderAccess(String authority, int userId) {















            return ActivityManagerService.this.checkContentProviderAccess(authority, userId);