
Commit f464ff68 authored by Nikita Ioffe's avatar Nikita Ioffe

Handle the visibility of sdk sandbox uids

Sdk sandbox processes have the following visibility rules:

1. Sdk sandbox process should be visible to itself
2. Sdk sandbox process should be visible to the corresponding client app
3. Sdk sandbox process shouldn't be visible to anything else

On top of that, handle the NPE in ComputerEngine.shouldFilterApplication by
treating a null PackageStateInternal the same way it is treated when the
calling uid belongs to an instant app: pretend that the application exists
but that it shouldn't be visible to the sdk sandbox.

Bug: 236162773
Test: atest SdkSandboxInprocessTests
Change-Id: Ic2583610f55c36169f9abb35b58a0ab60884a312
parent 8e1cb658
+17 −4
@@ -2726,7 +2726,7 @@ public class ComputerEngine implements Computer {
        if (Process.isSdkSandboxUid(callingUid)) {
            int clientAppUid = Process.getAppUidForSdkSandboxUid(callingUid);
            // SDK sandbox should be able to see it's client app
            if (clientAppUid == UserHandle.getUid(userId, ps.getAppId())) {
            if (ps != null && clientAppUid == UserHandle.getUid(userId, ps.getAppId())) {
                return false;
            }
        }
@@ -2740,9 +2740,9 @@ public class ComputerEngine implements Computer {
        // these hidden application details to customize carrier apps.
        if (ps == null || (filterUninstall && !ps.isHiddenUntilInstalled()
                && !ps.getUserStateOrDefault(userId).isInstalled())) {
            // If caller is instant app and ps is null, pretend the application exists,
            // but, needs to be filtered
            return (callerIsInstantApp || filterUninstall);
            // If caller is instant app or sdk sandbox and ps is null, pretend the application
            // exists, but, needs to be filtered
            return (callerIsInstantApp || filterUninstall || Process.isSdkSandboxUid(callingUid));
        }
        // if the target and caller are the same application, don't filter
        if (isCallerSameApp(ps.getPackageName(), callingUid)) {
@@ -3173,6 +3173,19 @@ public class ComputerEngine implements Computer {
    }

    public boolean filterAppAccess(int uid, int callingUid) {
        if (Process.isSdkSandboxUid(uid)) {
            // Sdk sandbox instance should be able to see itself.
            if (callingUid == uid) {
                return false;
            }
            final int clientAppUid = Process.getAppUidForSdkSandboxUid(uid);
            // Client app of this sdk sandbox process should be able to see it.
            if (clientAppUid == uid) {
                return false;
            }
            // Nobody else should be able to see the sdk sandbox process.
            return true;
        }
        final int userId = UserHandle.getUserId(uid);
        final int appId = UserHandle.getAppId(uid);
        final Object setting = mSettings.getSettingBase(appId);
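Review bot: In filterAppAccess, the client-app check `if (clientAppUid == uid)` compares the value returned by `Process.getAppUidForSdkSandboxUid(uid)` back against the very sandbox uid it was derived from, so it can only be true if that mapping is the identity; callingUid is never consulted, which contradicts the comment above it and rule 2 of the commit message (the shouldFilterApplication hunk earlier in this commit does compare the client uid against the caller's side). The intended line is presumably `if (clientAppUid == callingUid) {`. As written the branch fails closed and falls through to `return true`, so the client app is filtered rather than anything being exposed, but the visibility rule the commit sets out to implement is not met. The enclosing filterAppAccess method continues past the end of the hunk.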