Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ca53b27c authored by Rubin Xu's avatar Rubin Xu
Browse files

Fix uri permission grant on remote bug report uri 

System server is no longer allowed to grant uri permission directly. As a result
we use grantUriPermissionFromIntent() to grant permission from the shell UID,
who is the owner of the bug report content.

Also fix a security bug where the broadcast to notify user consent of remote
bug report mismatches the <protected-broadcast> definition, causing it to be
sendable by anyone.

Bug: 34159108
Test: manual - Install TestDPC and request bugreport, try accept and decline
      once the report is ready (Bullhead).

Merged-In: I66e3f2a16d4547549f09d3c96d52aed2330caedf
Change-Id: I66e3f2a16d4547549f09d3c96d52aed2330caedf
parent 43f79eec

core/java/android/app/admin/DevicePolicyManager.java

+2 −2
Original line number Diff line number Diff line
@@ -360,7 +360,7 @@ public class DevicePolicyManager { 
     * @hide

     */

    public static final String ACTION_BUGREPORT_SHARING_ACCEPTED =

            "com.android.server.action.BUGREPORT_SHARING_ACCEPTED";

            "com.android.server.action.REMOTE_BUGREPORT_SHARING_ACCEPTED";



    /**

     * Action: Bugreport sharing with device owner has been declined by the user.
@@ -368,7 +368,7 @@ public class DevicePolicyManager { 
     * @hide

     */

    public static final String ACTION_BUGREPORT_SHARING_DECLINED =

            "com.android.server.action.BUGREPORT_SHARING_DECLINED";

            "com.android.server.action.REMOTE_BUGREPORT_SHARING_DECLINED";



    /**

     * Action: Bugreport has been collected and is dispatched to {@link DevicePolicyManagerService}.

services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java

+7 −2
Original line number Diff line number Diff line
@@ -36,6 +36,7 @@ import android.annotation.Nullable; 
import android.annotation.UserIdInt;

import android.app.Activity;

import android.app.ActivityManager;

import android.app.ActivityManagerInternal;

import android.app.ActivityManagerNative;

import android.app.AlarmManager;

import android.app.AppGlobals;
@@ -5516,8 +5517,12 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub { 
                intent.setComponent(mOwners.getDeviceOwnerComponent());

                intent.setDataAndType(bugreportUri, RemoteBugreportUtils.BUGREPORT_MIMETYPE);

                intent.putExtra(DeviceAdminReceiver.EXTRA_BUGREPORT_HASH, bugreportHash);

                mContext.grantUriPermission(mOwners.getDeviceOwnerComponent().getPackageName(),

                        bugreportUri, Intent.FLAG_GRANT_READ_URI_PERMISSION);

                intent.setFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);



                LocalServices.getService(ActivityManagerInternal.class)

                        .grantUriPermissionFromIntent(Process.SHELL_UID,

                                mOwners.getDeviceOwnerComponent().getPackageName(),

                                intent, mOwners.getDeviceOwnerUserId());

                mContext.sendBroadcastAsUser(intent, UserHandle.of(mOwners.getDeviceOwnerUserId()));

            }

        } catch (FileNotFoundException e) {