Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 971e7cc5 authored by kholoud mohamed's avatar kholoud mohamed Committed by Kholoud Mohamed
Browse files

Restrict bindServiceAsUser to same package with _ACROSS_PROFILES 

Only allow bindServiceAsUser to bind to a service with the same calling
package if caller has _ACROSS_PROFILES permission.

BUG: 136249261
Test: atest ContextCrossProfileHostTest
Change-Id: I0754258e58cab9acba1109088a22ad403bc74f2f
parent a263d01c

services/core/java/com/android/server/am/ActiveServices.java

+15 −3
Original line number Diff line number Diff line
@@ -31,6 +31,7 @@ import static com.android.server.am.ActivityManagerDebugConfig.POSTFIX_SERVICE_E 
import static com.android.server.am.ActivityManagerDebugConfig.TAG_AM;

import static com.android.server.am.ActivityManagerDebugConfig.TAG_WITH_CLASS_NAME;



import android.annotation.Nullable;

import android.app.ActivityManager;

import android.app.ActivityManagerInternal;

import android.app.ActivityThread;
@@ -2068,9 +2069,9 @@ public final class ActiveServices { 
        if (DEBUG_SERVICE) Slog.v(TAG_SERVICE, "retrieveServiceLocked: " + service

                + " type=" + resolvedType + " callingUid=" + callingUid);



        userId = mAm.mUserController.handleIncomingUser(callingPid, callingUid, userId, false,

                ActivityManagerInternal.ALLOW_ALL_PROFILE_PERMISSIONS_IN_PROFILE, "service",

                callingPackage);

        userId = mAm.mUserController.handleIncomingUser(callingPid, callingUid, userId,

                /* allowAll= */false, getAllowMode(service, callingPackage),

                /* name= */ "service", callingPackage);



        ServiceMap smap = getServiceMapLocked(userId);

        final ComponentName comp;
@@ -2260,6 +2261,17 @@ public final class ActiveServices { 
        return null;

    }



    private int getAllowMode(Intent service, @Nullable String callingPackage) {

        if (callingPackage == null || service.getComponent() == null) {

            return ActivityManagerInternal.ALLOW_NON_FULL_IN_PROFILE;

        }

        if (callingPackage.equals(service.getComponent().getPackageName())) {

            return ActivityManagerInternal.ALLOW_ALL_PROFILE_PERMISSIONS_IN_PROFILE;

        } else {

            return ActivityManagerInternal.ALLOW_NON_FULL_IN_PROFILE;

        }

    }



    private final void bumpServiceExecutingLocked(ServiceRecord r, boolean fg, String why) {

        if (DEBUG_SERVICE) Slog.v(TAG_SERVICE, ">>> EXECUTING "

                + why + " of " + r + " in app " + r.app);