Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 863d396f authored by Iván Budnik's avatar Iván Budnik
Browse files

Enforce MediaButtonReceiver ComponentName belongs to app 

Adds check that enforces ComponentName's package belongs to calling app.
This avoids privileged execution of arbitrary code through media button
events.

This is a partial revert revert of ag/19338169.

Bug: 238177121
Test: atest CtsMediaBetterTogetherTestCases
Change-Id: I4aba866a9758366175ea4af0d434729ad98fa48d
(cherry picked from commit 1b2fa248)
Merged-In: I4aba866a9758366175ea4af0d434729ad98fa48d
parent 967cdc55

services/core/java/com/android/server/media/MediaSessionRecord.java

+9 −0
Original line number Diff line number Diff line
@@ -53,6 +53,7 @@ import android.os.RemoteException; 
import android.os.ResultReceiver;

import android.os.SystemClock;

import android.text.TextUtils;

import android.util.EventLog;

import android.util.Log;

import android.view.KeyEvent;
@@ -952,6 +953,14 @@ public class MediaSessionRecord implements IBinder.DeathRecipient, MediaSessionR 
        public void setMediaButtonBroadcastReceiver(ComponentName receiver) throws RemoteException {

            final long token = Binder.clearCallingIdentity();

            try {

                //mPackageName has been verified in MediaSessionService.enforcePackageName().

                if (receiver != null && !TextUtils.equals(

                        mPackageName, receiver.getPackageName())) {

                    EventLog.writeEvent(0x534e4554, "238177121", -1, ""); // SafetyNet logging.

                    throw new IllegalArgumentException("receiver does not belong to "

                            + "package name provided to MediaSessionRecord. Pkg = " + mPackageName

                            + ", Receiver Pkg = " + receiver.getPackageName());

                }

                if ((mPolicies & MediaSessionPolicyProvider.SESSION_POLICY_IGNORE_BUTTON_RECEIVER)

                        != 0) {

                    return;