Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit f533db35 authored by Yuri Lin's avatar Yuri Lin Committed by Alexandre Roux
Browse files

Check rule package name in ZenModeHelper.addAutomaticRule 

instead of checking that of the configuration activity, which is potentially spoofable. The package name is verified to be the same app as the caller by NMS.

This change removes isSystemRule (called only once) in favor of checking the provided package name directly.

Bug: 242537431
Test: ZenModeHelperTest, manual by verifying via provided exploit apk
Change-Id: Ic7f350618c26a613df455a4128c9195f4b424a4d
(cherry picked from commit 59732d62)
Merged-In: Ic7f350618c26a613df455a4128c9195f4b424a4d
parent b72eb1af

services/core/java/com/android/server/notification/ZenModeHelper.java

+1 −6
Original line number Diff line number Diff line
@@ -310,7 +310,7 @@ public class ZenModeHelper { 


    public String addAutomaticZenRule(String pkg, AutomaticZenRule automaticZenRule,

            String reason) {

        if (!isSystemRule(automaticZenRule)) {

        if (!ZenModeConfig.SYSTEM_AUTHORITY.equals(pkg)) {

            PackageItemInfo component = getServiceInfo(automaticZenRule.getOwner());

            if (component == null) {

                component = getActivityInfo(automaticZenRule.getConfigurationActivity());
@@ -566,11 +566,6 @@ public class ZenModeHelper { 
        }

    }



    private boolean isSystemRule(AutomaticZenRule rule) {

        return rule.getOwner() != null

                && ZenModeConfig.SYSTEM_AUTHORITY.equals(rule.getOwner().getPackageName());

    }



    private ServiceInfo getServiceInfo(ComponentName owner) {

        Intent queryIntent = new Intent();

        queryIntent.setComponent(owner);

services/tests/uiservicestests/src/com/android/server/notification/ZenModeHelperTest.java

+30 −0
Original line number Diff line number Diff line
@@ -1667,6 +1667,36 @@ public class ZenModeHelperTest extends UiServiceTestCase { 
        }

    }



    @Test

    public void testAddAutomaticZenRule_claimedSystemOwner() {

        // Make sure anything that claims to have a "system" owner but not actually part of the

        // system package still gets limited on number of rules

        for (int i = 0; i < RULE_LIMIT_PER_PACKAGE; i++) {

            ScheduleInfo si = new ScheduleInfo();

            si.startHour = i;

            AutomaticZenRule zenRule = new AutomaticZenRule("name" + i,

                    new ComponentName("android", "ScheduleConditionProvider" + i),

                    null, // configuration activity

                    ZenModeConfig.toScheduleConditionId(si),

                    new ZenPolicy.Builder().build(),

                    NotificationManager.INTERRUPTION_FILTER_PRIORITY, true);

            String id = mZenModeHelperSpy.addAutomaticZenRule("pkgname", zenRule, "test");

            assertNotNull(id);

        }

        try {

            AutomaticZenRule zenRule = new AutomaticZenRule("name",

                    new ComponentName("android", "ScheduleConditionProviderFinal"),

                    null, // configuration activity

                    ZenModeConfig.toScheduleConditionId(new ScheduleInfo()),

                    new ZenPolicy.Builder().build(),

                    NotificationManager.INTERRUPTION_FILTER_PRIORITY, true);

            String id = mZenModeHelperSpy.addAutomaticZenRule("pkgname", zenRule, "test");

            fail("allowed too many rules to be created");

        } catch (IllegalArgumentException e) {

            // yay

        }

    }



    @Test

    public void testAddAutomaticZenRule_CA() {

        AutomaticZenRule zenRule = new AutomaticZenRule("name",