Commit ef878077 authored by tonihei

Do not propagate WIU/BFSL for MediaController.sendCommand

This call is just for exchanging technical information and
shouldn't be used to grant another app permission to start a
foreground service or gain while-in-use permissions.

Test: Manually verified exploit in b/339637822 is no longer possible
Bug: 339637822
Flag: com.android.media.mediasession.flags.remove_wiu_allowlisting_from_mediacontroller_sendcommand
Change-Id: I548a8178a93d9bf0691aa84113147ac86c1ef0a2
parent 58510fe4
+7 −3
@@ -22,6 +22,8 @@ import static android.media.VolumeProvider.VOLUME_CONTROL_RELATIVE;
import static android.media.session.MediaController.PlaybackInfo.PLAYBACK_TYPE_LOCAL;
import static android.media.session.MediaController.PlaybackInfo.PLAYBACK_TYPE_REMOTE;

import static com.android.media.mediasession.flags.Flags.removeWiuAllowlistingFromMediacontrollerSendcommand;

import android.Manifest;
import android.annotation.IntDef;
import android.annotation.NonNull;
@@ -1479,9 +1481,11 @@ public class MediaSessionRecord extends MediaSessionRecordImpl implements IBinde
        public void sendCommand(String packageName, int pid, int uid, String command, Bundle args,
                ResultReceiver cb) {
            try {
                if (!removeWiuAllowlistingFromMediacontrollerSendcommand()) {
                    final String reason = TAG + ":" + command;
                mService.tempAllowlistTargetPkgIfPossible(getUid(), getPackageName(),
                        pid, uid, packageName, reason);
                    mService.tempAllowlistTargetPkgIfPossible(
                            getUid(), getPackageName(), pid, uid, packageName, reason);
                }
                mCb.onCommand(packageName, pid, uid, command, args, cb);
            } catch (RemoteException e) {
                Slog.e(TAG, "Remote failure in sendCommand.", e);
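Review bot: the new `if (!removeWiuAllowlistingFromMediacontrollerSendcommand())` guard at the top of the `try` block in `sendCommand` has no comment saying why this one callback skips `mService.tempAllowlistTargetPkgIfPossible(...)`. The rationale exists only in the commit message (the call just exchanges technical information and should not grant foreground-service-start or while-in-use permissions), so a later reader could restore the allowlisting for consistency with other code. Please add a short comment above the guard stating that rationale and referencing the bug, plus a note that the legacy branch is to be deleted once the flag is fully rolled out. The commit message lists manual verification only, so a regression test that enables the flag, calls `sendCommand`, and asserts that `tempAllowlistTargetPkgIfPossible` is never invoked while `mCb.onCommand` still is would keep this from regressing silently.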