Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 985e566c authored by Svetoslav's avatar Svetoslav Committed by Svetoslav Ganov
Browse files

Fix cross-user talk. 

An app can access widgets hosted or provided by its uid and package.
Access is also allowed if the caller has the bind app widgets permission
but this caller can be in the wrong user. Now the caller should not
only have the bind app widget permission but also be in the same user
as the host or the provider of the widget.

bug:16834230

Change-Id: I5ddb6309f63f2b4ba95360446c2b9584350fb66f
parent 14b7c54e

core/java/android/widget/AdapterViewFlipper.java

+11 −1
Original line number Diff line number Diff line
@@ -105,7 +105,17 @@ public class AdapterViewFlipper extends AdapterViewAnimator { 
        final IntentFilter filter = new IntentFilter();

        filter.addAction(Intent.ACTION_SCREEN_OFF);

        filter.addAction(Intent.ACTION_USER_PRESENT);

        getContext().registerReceiver(mReceiver, filter);



        // OK, this is gross but needed. This class is supported by the

        // remote views machanism and as a part of that the remote views

        // can be inflated by a context for another user without the app

        // having interact users permission - just for loading resources.

        // For exmaple, when adding widgets from a user profile to the

        // home screen. Therefore, we register the receiver as the current

        // user not the one the context is for.

        getContext().registerReceiverAsUser(mReceiver, android.os.Process.myUserHandle(),

                filter, null, mHandler);





        if (mAutoStart) {

            // Automatically start when requested

services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java

+7 −10
Original line number Diff line number Diff line
@@ -3125,9 +3125,13 @@ class AppWidgetServiceImpl extends IAppWidgetService.Stub implements WidgetBacku 
                // Apps hosting the AppWidget get to bind to a remote view service in the provider.

                return true;

            }

            if (mContext.checkCallingPermission(android.Manifest.permission.BIND_APPWIDGET)

            final int userId = UserHandle.getUserId(uid);

            if ((widget.host.getUserId() == userId || (widget.provider != null

                    && widget.provider.getUserId() == userId))

                && mContext.checkCallingPermission(android.Manifest.permission.BIND_APPWIDGET)

                    == PackageManager.PERMISSION_GRANTED) {

                // Apps that can bind have access to all appWidgetIds.

                // Apps that run in the same user as either the host or the provider and

                // have the bind widget permission have access to the widget.

                return true;

            }

            return false;
@@ -3187,14 +3191,7 @@ class AppWidgetServiceImpl extends IAppWidgetService.Stub implements WidgetBacku 
        }



        public boolean isHostInPackageForUid(Host host, int uid, String packageName) {

            if (UserHandle.getAppId(uid) == Process.myUid()) {

                // For a host that's in the system process, ignore the user id.

                return UserHandle.isSameApp(host.id.uid, uid)

                        && host.id.packageName.equals(packageName);

            } else {

                return host.id.uid == uid

                        && host.id.packageName.equals(packageName);

            }

            return host.id.uid == uid && host.id.packageName.equals(packageName);

        }



        public boolean isProviderInPackageForUid(Provider provider, int uid,