Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit c05f30b4 authored by Songchun Fan's avatar Songchun Fan
Browse files

bypass INTERACT_ACROSS_USERS permission check when binding to singleton service for non-0 userId 

BUG: 157822484
Test: manual
Change-Id: Iaf18a009cd7326e7a2f964a9813b11a9365f6ba3
parent 89f29261

services/core/java/com/android/server/am/ActiveServices.java

+15 −9
Original line number Diff line number Diff line
@@ -2460,6 +2460,9 @@ public final class ActiveServices { 
                            && mAm.isValidSingletonCall(callingUid, sInfo.applicationInfo.uid)) {

                        userId = 0;

                        smap = getServiceMapLocked(0);

                        // Bypass INTERACT_ACROSS_USERS permission check

                        final long token = Binder.clearCallingIdentity();

                        try {

                            ResolveInfo rInfoForUserId0 =

                                    mAm.getPackageManagerInternalLocked().resolveService(service,

                                            resolvedType, flags, userId, callingUid);
@@ -2470,6 +2473,9 @@ public final class ActiveServices { 
                                return null;

                            }

                            sInfo = rInfoForUserId0.serviceInfo;

                        } finally {

                            Binder.restoreCallingIdentity(token);

                        }

                    }

                    sInfo = new ServiceInfo(sInfo);

                    sInfo.applicationInfo = mAm.getAppInfoForUser(sInfo.applicationInfo, userId);