Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ff17024e authored by Dianne Hackborn's avatar Dianne Hackborn
Browse files

Fix issue with call backs from media process. 

All but a few lines of this is for issue #16013164, which allowed
apps to do some operations as the media uid by having it call
back to them to open a file.  The problem here is with the tempory
identity stuff in the activity manager, allowing us to make the open
call as the original caller...  ideally we should figure out a way
to just get rid of all of that, but the solution here is actually
easier (even though it doesn't look it) -- we now hand a token over
to the openFile() call that it can use when doing permission checks
to say "yes I would like the check to be against whoever is responsible
for the open".  This allows us to do the uid remapping for only this
one specific set of permission checks, and nothing else.

Also fix issue #17487348: Isolated services can access system services
they shouldn't be able to.  Don't send any system service IBinder objects
down for the first initialization of an isolated process.

Change-Id: I3c70e16e0899d7eef0bae458e83958b41ed2b75e
parent 9522055f

cmds/content/src/com/android/commands/content/Content.java

+1 −1
Original line number Original line Diff line number Diff line
@@ -501,7 +501,7 @@ public class Content { 




        @Override

        @Override

        public void onExecute(IContentProvider provider) throws Exception {

        public void onExecute(IContentProvider provider) throws Exception {

            final ParcelFileDescriptor fd = provider.openFile(null, mUri, "r", null);

            final ParcelFileDescriptor fd = provider.openFile(null, mUri, "r", null, null);

            copy(new FileInputStream(fd.getFileDescriptor()), System.out);

            copy(new FileInputStream(fd.getFileDescriptor()), System.out);

        }

        }

core/java/android/app/ActivityManagerNative.java

+34 −4
Original line number Original line Diff line number Diff line
@@ -1186,6 +1186,18 @@ public abstract class ActivityManagerNative extends Binder implements IActivityM 
            return true;

            return true;

        }

        }





        case CHECK_PERMISSION_WITH_TOKEN_TRANSACTION: {

            data.enforceInterface(IActivityManager.descriptor);

            String perm = data.readString();

            int pid = data.readInt();

            int uid = data.readInt();

            IBinder token = data.readStrongBinder();

            int res = checkPermissionWithToken(perm, pid, uid, token);

            reply.writeNoException();

            reply.writeInt(res);

            return true;

        }



        case CHECK_URI_PERMISSION_TRANSACTION: {

        case CHECK_URI_PERMISSION_TRANSACTION: {

            data.enforceInterface(IActivityManager.descriptor);

            data.enforceInterface(IActivityManager.descriptor);

            Uri uri = Uri.CREATOR.createFromParcel(data);

            Uri uri = Uri.CREATOR.createFromParcel(data);
@@ -1193,7 +1205,8 @@ public abstract class ActivityManagerNative extends Binder implements IActivityM 
            int uid = data.readInt();

            int uid = data.readInt();

            int mode = data.readInt();

            int mode = data.readInt();

            int userId = data.readInt();

            int userId = data.readInt();

            int res = checkUriPermission(uri, pid, uid, mode, userId);

            IBinder callerToken = data.readStrongBinder();

            int res = checkUriPermission(uri, pid, uid, mode, userId, callerToken);

            reply.writeNoException();

            reply.writeNoException();

            reply.writeInt(res);

            reply.writeInt(res);

            return true;

            return true;
@@ -3851,6 +3864,22 @@ class ActivityManagerProxy implements IActivityManager 
        reply.recycle();

        reply.recycle();

        return res;

        return res;

    }

    }

    public int checkPermissionWithToken(String permission, int pid, int uid, IBinder callerToken)

            throws RemoteException {

        Parcel data = Parcel.obtain();

        Parcel reply = Parcel.obtain();

        data.writeInterfaceToken(IActivityManager.descriptor);

        data.writeString(permission);

        data.writeInt(pid);

        data.writeInt(uid);

        data.writeStrongBinder(callerToken);

        mRemote.transact(CHECK_PERMISSION_WITH_TOKEN_TRANSACTION, data, reply, 0);

        reply.readException();

        int res = reply.readInt();

        data.recycle();

        reply.recycle();

        return res;

    }

    public boolean clearApplicationUserData(final String packageName,

    public boolean clearApplicationUserData(final String packageName,

            final IPackageDataObserver observer, final int userId) throws RemoteException {

            final IPackageDataObserver observer, final int userId) throws RemoteException {

        Parcel data = Parcel.obtain();

        Parcel data = Parcel.obtain();
@@ -3866,8 +3895,8 @@ class ActivityManagerProxy implements IActivityManager 
        reply.recycle();

        reply.recycle();

        return res;

        return res;

    }

    }

    public int checkUriPermission(Uri uri, int pid, int uid, int mode, int userId)

    public int checkUriPermission(Uri uri, int pid, int uid, int mode, int userId,

            throws RemoteException {

            IBinder callerToken) throws RemoteException {

        Parcel data = Parcel.obtain();

        Parcel data = Parcel.obtain();

        Parcel reply = Parcel.obtain();

        Parcel reply = Parcel.obtain();

        data.writeInterfaceToken(IActivityManager.descriptor);

        data.writeInterfaceToken(IActivityManager.descriptor);
@@ -3876,6 +3905,7 @@ class ActivityManagerProxy implements IActivityManager 
        data.writeInt(uid);

        data.writeInt(uid);

        data.writeInt(mode);

        data.writeInt(mode);

        data.writeInt(userId);

        data.writeInt(userId);

        data.writeStrongBinder(callerToken);

        mRemote.transact(CHECK_URI_PERMISSION_TRANSACTION, data, reply, 0);

        mRemote.transact(CHECK_URI_PERMISSION_TRANSACTION, data, reply, 0);

        reply.readException();

        reply.readException();

        int res = reply.readInt();

        int res = reply.readInt();

core/java/android/app/ContextImpl.java

+28 −1
Original line number Original line Diff line number Diff line
@@ -1863,6 +1863,21 @@ class ContextImpl extends Context { 
        }

        }

    }

    }





    /** @hide */

    @Override

    public int checkPermission(String permission, int pid, int uid, IBinder callerToken) {

        if (permission == null) {

            throw new IllegalArgumentException("permission is null");

        }



        try {

            return ActivityManagerNative.getDefault().checkPermissionWithToken(

                    permission, pid, uid, callerToken);

        } catch (RemoteException e) {

            return PackageManager.PERMISSION_DENIED;

        }

    }



    @Override

    @Override

    public int checkCallingPermission(String permission) {

    public int checkCallingPermission(String permission) {

        if (permission == null) {

        if (permission == null) {
@@ -1951,7 +1966,19 @@ class ContextImpl extends Context { 
        try {

        try {

            return ActivityManagerNative.getDefault().checkUriPermission(

            return ActivityManagerNative.getDefault().checkUriPermission(

                    ContentProvider.getUriWithoutUserId(uri), pid, uid, modeFlags,

                    ContentProvider.getUriWithoutUserId(uri), pid, uid, modeFlags,

                    resolveUserId(uri));

                    resolveUserId(uri), null);

        } catch (RemoteException e) {

            return PackageManager.PERMISSION_DENIED;

        }

    }



    /** @hide */

    @Override

    public int checkUriPermission(Uri uri, int pid, int uid, int modeFlags, IBinder callerToken) {

        try {

            return ActivityManagerNative.getDefault().checkUriPermission(

                    ContentProvider.getUriWithoutUserId(uri), pid, uid, modeFlags,

                    resolveUserId(uri), callerToken);

        } catch (RemoteException e) {

        } catch (RemoteException e) {

            return PackageManager.PERMISSION_DENIED;

            return PackageManager.PERMISSION_DENIED;

        }

        }

core/java/android/app/IActivityManager.java

+5 −2
Original line number Original line Diff line number Diff line
@@ -219,9 +219,11 @@ public interface IActivityManager extends IInterface { 




    public int checkPermission(String permission, int pid, int uid)

    public int checkPermission(String permission, int pid, int uid)

            throws RemoteException;

            throws RemoteException;



    public int checkPermissionWithToken(String permission, int pid, int uid, IBinder callerToken)

    public int checkUriPermission(Uri uri, int pid, int uid, int mode, int userId)

            throws RemoteException;

            throws RemoteException;



    public int checkUriPermission(Uri uri, int pid, int uid, int mode, int userId,

            IBinder callerToken) throws RemoteException;

    public void grantUriPermission(IApplicationThread caller, String targetPkg, Uri uri,

    public void grantUriPermission(IApplicationThread caller, String targetPkg, Uri uri,

            int mode, int userId) throws RemoteException;

            int mode, int userId) throws RemoteException;

    public void revokeUriPermission(IApplicationThread caller, Uri uri, int mode, int userId)

    public void revokeUriPermission(IApplicationThread caller, Uri uri, int mode, int userId)
@@ -785,4 +787,5 @@ public interface IActivityManager extends IInterface { 
    int GET_TASK_DESCRIPTION_ICON_TRANSACTION = IBinder.FIRST_CALL_TRANSACTION+238;

    int GET_TASK_DESCRIPTION_ICON_TRANSACTION = IBinder.FIRST_CALL_TRANSACTION+238;

    int LAUNCH_ASSIST_INTENT_TRANSACTION = IBinder.FIRST_CALL_TRANSACTION+239;

    int LAUNCH_ASSIST_INTENT_TRANSACTION = IBinder.FIRST_CALL_TRANSACTION+239;

    int START_IN_PLACE_ANIMATION_TRANSACTION = IBinder.FIRST_CALL_TRANSACTION+240;

    int START_IN_PLACE_ANIMATION_TRANSACTION = IBinder.FIRST_CALL_TRANSACTION+240;

    int CHECK_PERMISSION_WITH_TOKEN_TRANSACTION = IBinder.FIRST_CALL_TRANSACTION+241;

}
 
}

core/java/android/content/ContentProvider.java

+43 −32
Original line number Original line Diff line number Diff line
@@ -31,6 +31,7 @@ import android.os.AsyncTask; 
import android.os.Binder;

import android.os.Binder;

import android.os.Bundle;

import android.os.Bundle;

import android.os.CancellationSignal;

import android.os.CancellationSignal;

import android.os.IBinder;

import android.os.ICancellationSignal;

import android.os.ICancellationSignal;

import android.os.OperationCanceledException;

import android.os.OperationCanceledException;

import android.os.ParcelFileDescriptor;

import android.os.ParcelFileDescriptor;
@@ -201,7 +202,7 @@ public abstract class ContentProvider implements ComponentCallbacks2 { 
                ICancellationSignal cancellationSignal) {

                ICancellationSignal cancellationSignal) {

            validateIncomingUri(uri);

            validateIncomingUri(uri);

            uri = getUriWithoutUserId(uri);

            uri = getUriWithoutUserId(uri);

            if (enforceReadPermission(callingPkg, uri) != AppOpsManager.MODE_ALLOWED) {

            if (enforceReadPermission(callingPkg, uri, null) != AppOpsManager.MODE_ALLOWED) {

                return rejectQuery(uri, projection, selection, selectionArgs, sortOrder,

                return rejectQuery(uri, projection, selection, selectionArgs, sortOrder,

                        CancellationSignal.fromTransport(cancellationSignal));

                        CancellationSignal.fromTransport(cancellationSignal));

            }

            }
@@ -227,7 +228,7 @@ public abstract class ContentProvider implements ComponentCallbacks2 { 
            validateIncomingUri(uri);

            validateIncomingUri(uri);

            int userId = getUserIdFromUri(uri);

            int userId = getUserIdFromUri(uri);

            uri = getUriWithoutUserId(uri);

            uri = getUriWithoutUserId(uri);

            if (enforceWritePermission(callingPkg, uri) != AppOpsManager.MODE_ALLOWED) {

            if (enforceWritePermission(callingPkg, uri, null) != AppOpsManager.MODE_ALLOWED) {

                return rejectInsert(uri, initialValues);

                return rejectInsert(uri, initialValues);

            }

            }

            final String original = setCallingPackage(callingPkg);

            final String original = setCallingPackage(callingPkg);
@@ -242,7 +243,7 @@ public abstract class ContentProvider implements ComponentCallbacks2 { 
        public int bulkInsert(String callingPkg, Uri uri, ContentValues[] initialValues) {

        public int bulkInsert(String callingPkg, Uri uri, ContentValues[] initialValues) {

            validateIncomingUri(uri);

            validateIncomingUri(uri);

            uri = getUriWithoutUserId(uri);

            uri = getUriWithoutUserId(uri);

            if (enforceWritePermission(callingPkg, uri) != AppOpsManager.MODE_ALLOWED) {

            if (enforceWritePermission(callingPkg, uri, null) != AppOpsManager.MODE_ALLOWED) {

                return 0;

                return 0;

            }

            }

            final String original = setCallingPackage(callingPkg);

            final String original = setCallingPackage(callingPkg);
@@ -270,13 +271,13 @@ public abstract class ContentProvider implements ComponentCallbacks2 { 
                    operations.set(i, operation);

                    operations.set(i, operation);

                }

                }

                if (operation.isReadOperation()) {

                if (operation.isReadOperation()) {

                    if (enforceReadPermission(callingPkg, uri)

                    if (enforceReadPermission(callingPkg, uri, null)

                            != AppOpsManager.MODE_ALLOWED) {

                            != AppOpsManager.MODE_ALLOWED) {

                        throw new OperationApplicationException("App op not allowed", 0);

                        throw new OperationApplicationException("App op not allowed", 0);

                    }

                    }

                }

                }

                if (operation.isWriteOperation()) {

                if (operation.isWriteOperation()) {

                    if (enforceWritePermission(callingPkg, uri)

                    if (enforceWritePermission(callingPkg, uri, null)

                            != AppOpsManager.MODE_ALLOWED) {

                            != AppOpsManager.MODE_ALLOWED) {

                        throw new OperationApplicationException("App op not allowed", 0);

                        throw new OperationApplicationException("App op not allowed", 0);

                    }

                    }
@@ -301,7 +302,7 @@ public abstract class ContentProvider implements ComponentCallbacks2 { 
        public int delete(String callingPkg, Uri uri, String selection, String[] selectionArgs) {

        public int delete(String callingPkg, Uri uri, String selection, String[] selectionArgs) {

            validateIncomingUri(uri);

            validateIncomingUri(uri);

            uri = getUriWithoutUserId(uri);

            uri = getUriWithoutUserId(uri);

            if (enforceWritePermission(callingPkg, uri) != AppOpsManager.MODE_ALLOWED) {

            if (enforceWritePermission(callingPkg, uri, null) != AppOpsManager.MODE_ALLOWED) {

                return 0;

                return 0;

            }

            }

            final String original = setCallingPackage(callingPkg);

            final String original = setCallingPackage(callingPkg);
@@ -317,7 +318,7 @@ public abstract class ContentProvider implements ComponentCallbacks2 { 
                String[] selectionArgs) {

                String[] selectionArgs) {

            validateIncomingUri(uri);

            validateIncomingUri(uri);

            uri = getUriWithoutUserId(uri);

            uri = getUriWithoutUserId(uri);

            if (enforceWritePermission(callingPkg, uri) != AppOpsManager.MODE_ALLOWED) {

            if (enforceWritePermission(callingPkg, uri, null) != AppOpsManager.MODE_ALLOWED) {

                return 0;

                return 0;

            }

            }

            final String original = setCallingPackage(callingPkg);

            final String original = setCallingPackage(callingPkg);
@@ -330,11 +331,11 @@ public abstract class ContentProvider implements ComponentCallbacks2 { 




        @Override

        @Override

        public ParcelFileDescriptor openFile(

        public ParcelFileDescriptor openFile(

                String callingPkg, Uri uri, String mode, ICancellationSignal cancellationSignal)

                String callingPkg, Uri uri, String mode, ICancellationSignal cancellationSignal,

                throws FileNotFoundException {

                IBinder callerToken) throws FileNotFoundException {

            validateIncomingUri(uri);

            validateIncomingUri(uri);

            uri = getUriWithoutUserId(uri);

            uri = getUriWithoutUserId(uri);

            enforceFilePermission(callingPkg, uri, mode);

            enforceFilePermission(callingPkg, uri, mode, callerToken);

            final String original = setCallingPackage(callingPkg);

            final String original = setCallingPackage(callingPkg);

            try {

            try {

                return ContentProvider.this.openFile(

                return ContentProvider.this.openFile(
@@ -350,7 +351,7 @@ public abstract class ContentProvider implements ComponentCallbacks2 { 
                throws FileNotFoundException {

                throws FileNotFoundException {

            validateIncomingUri(uri);

            validateIncomingUri(uri);

            uri = getUriWithoutUserId(uri);

            uri = getUriWithoutUserId(uri);

            enforceFilePermission(callingPkg, uri, mode);

            enforceFilePermission(callingPkg, uri, mode, null);

            final String original = setCallingPackage(callingPkg);

            final String original = setCallingPackage(callingPkg);

            try {

            try {

                return ContentProvider.this.openAssetFile(

                return ContentProvider.this.openAssetFile(
@@ -382,7 +383,7 @@ public abstract class ContentProvider implements ComponentCallbacks2 { 
                Bundle opts, ICancellationSignal cancellationSignal) throws FileNotFoundException {

                Bundle opts, ICancellationSignal cancellationSignal) throws FileNotFoundException {

            validateIncomingUri(uri);

            validateIncomingUri(uri);

            uri = getUriWithoutUserId(uri);

            uri = getUriWithoutUserId(uri);

            enforceFilePermission(callingPkg, uri, "r");

            enforceFilePermission(callingPkg, uri, "r", null);

            final String original = setCallingPackage(callingPkg);

            final String original = setCallingPackage(callingPkg);

            try {

            try {

                return ContentProvider.this.openTypedAssetFile(

                return ContentProvider.this.openTypedAssetFile(
@@ -402,7 +403,7 @@ public abstract class ContentProvider implements ComponentCallbacks2 { 
            validateIncomingUri(uri);

            validateIncomingUri(uri);

            int userId = getUserIdFromUri(uri);

            int userId = getUserIdFromUri(uri);

            uri = getUriWithoutUserId(uri);

            uri = getUriWithoutUserId(uri);

            if (enforceReadPermission(callingPkg, uri) != AppOpsManager.MODE_ALLOWED) {

            if (enforceReadPermission(callingPkg, uri, null) != AppOpsManager.MODE_ALLOWED) {

                return null;

                return null;

            }

            }

            final String original = setCallingPackage(callingPkg);

            final String original = setCallingPackage(callingPkg);
@@ -418,7 +419,7 @@ public abstract class ContentProvider implements ComponentCallbacks2 { 
            validateIncomingUri(uri);

            validateIncomingUri(uri);

            int userId = getUserIdFromUri(uri);

            int userId = getUserIdFromUri(uri);

            uri = getUriWithoutUserId(uri);

            uri = getUriWithoutUserId(uri);

            if (enforceReadPermission(callingPkg, uri) != AppOpsManager.MODE_ALLOWED) {

            if (enforceReadPermission(callingPkg, uri, null) != AppOpsManager.MODE_ALLOWED) {

                return null;

                return null;

            }

            }

            final String original = setCallingPackage(callingPkg);

            final String original = setCallingPackage(callingPkg);
@@ -429,29 +430,33 @@ public abstract class ContentProvider implements ComponentCallbacks2 { 
            }

            }

        }

        }





        private void enforceFilePermission(String callingPkg, Uri uri, String mode)

        private void enforceFilePermission(String callingPkg, Uri uri, String mode,

                throws FileNotFoundException, SecurityException {

                IBinder callerToken) throws FileNotFoundException, SecurityException {

            if (mode != null && mode.indexOf('w') != -1) {

            if (mode != null && mode.indexOf('w') != -1) {

                if (enforceWritePermission(callingPkg, uri) != AppOpsManager.MODE_ALLOWED) {

                if (enforceWritePermission(callingPkg, uri, callerToken)

                        != AppOpsManager.MODE_ALLOWED) {

                    throw new FileNotFoundException("App op not allowed");

                    throw new FileNotFoundException("App op not allowed");

                }

                }

            } else {

            } else {

                if (enforceReadPermission(callingPkg, uri) != AppOpsManager.MODE_ALLOWED) {

                if (enforceReadPermission(callingPkg, uri, callerToken)

                        != AppOpsManager.MODE_ALLOWED) {

                    throw new FileNotFoundException("App op not allowed");

                    throw new FileNotFoundException("App op not allowed");

                }

                }

            }

            }

        }

        }





        private int enforceReadPermission(String callingPkg, Uri uri) throws SecurityException {

        private int enforceReadPermission(String callingPkg, Uri uri, IBinder callerToken)

            enforceReadPermissionInner(uri);

                throws SecurityException {

            enforceReadPermissionInner(uri, callerToken);

            if (mReadOp != AppOpsManager.OP_NONE) {

            if (mReadOp != AppOpsManager.OP_NONE) {

                return mAppOpsManager.noteOp(mReadOp, Binder.getCallingUid(), callingPkg);

                return mAppOpsManager.noteOp(mReadOp, Binder.getCallingUid(), callingPkg);

            }

            }

            return AppOpsManager.MODE_ALLOWED;

            return AppOpsManager.MODE_ALLOWED;

        }

        }





        private int enforceWritePermission(String callingPkg, Uri uri) throws SecurityException {

        private int enforceWritePermission(String callingPkg, Uri uri, IBinder callerToken)

            enforceWritePermissionInner(uri);

                throws SecurityException {

            enforceWritePermissionInner(uri, callerToken);

            if (mWriteOp != AppOpsManager.OP_NONE) {

            if (mWriteOp != AppOpsManager.OP_NONE) {

                return mAppOpsManager.noteOp(mWriteOp, Binder.getCallingUid(), callingPkg);

                return mAppOpsManager.noteOp(mWriteOp, Binder.getCallingUid(), callingPkg);

            }

            }
@@ -467,7 +472,8 @@ public abstract class ContentProvider implements ComponentCallbacks2 { 
    }

    }





    /** {@hide} */

    /** {@hide} */

    protected void enforceReadPermissionInner(Uri uri) throws SecurityException {

    protected void enforceReadPermissionInner(Uri uri, IBinder callerToken)

            throws SecurityException {

        final Context context = getContext();

        final Context context = getContext();

        final int pid = Binder.getCallingPid();

        final int pid = Binder.getCallingPid();

        final int uid = Binder.getCallingUid();

        final int uid = Binder.getCallingUid();
@@ -480,7 +486,8 @@ public abstract class ContentProvider implements ComponentCallbacks2 { 
        if (mExported && checkUser(pid, uid, context)) {

        if (mExported && checkUser(pid, uid, context)) {

            final String componentPerm = getReadPermission();

            final String componentPerm = getReadPermission();

            if (componentPerm != null) {

            if (componentPerm != null) {

                if (context.checkPermission(componentPerm, pid, uid) == PERMISSION_GRANTED) {

                if (context.checkPermission(componentPerm, pid, uid, callerToken)

                        == PERMISSION_GRANTED) {

                    return;

                    return;

                } else {

                } else {

                    missingPerm = componentPerm;

                    missingPerm = componentPerm;
@@ -497,7 +504,8 @@ public abstract class ContentProvider implements ComponentCallbacks2 { 
                for (PathPermission pp : pps) {

                for (PathPermission pp : pps) {

                    final String pathPerm = pp.getReadPermission();

                    final String pathPerm = pp.getReadPermission();

                    if (pathPerm != null && pp.match(path)) {

                    if (pathPerm != null && pp.match(path)) {

                        if (context.checkPermission(pathPerm, pid, uid) == PERMISSION_GRANTED) {

                        if (context.checkPermission(pathPerm, pid, uid, callerToken)

                                == PERMISSION_GRANTED) {

                            return;

                            return;

                        } else {

                        } else {

                            // any denied <path-permission> means we lose

                            // any denied <path-permission> means we lose
@@ -518,8 +526,8 @@ public abstract class ContentProvider implements ComponentCallbacks2 { 
        final int callingUserId = UserHandle.getUserId(uid);

        final int callingUserId = UserHandle.getUserId(uid);

        final Uri userUri = (mSingleUser && !UserHandle.isSameUser(mMyUid, uid))

        final Uri userUri = (mSingleUser && !UserHandle.isSameUser(mMyUid, uid))

                ? maybeAddUserId(uri, callingUserId) : uri;

                ? maybeAddUserId(uri, callingUserId) : uri;

        if (context.checkUriPermission(userUri, pid, uid, Intent.FLAG_GRANT_READ_URI_PERMISSION)

        if (context.checkUriPermission(userUri, pid, uid, Intent.FLAG_GRANT_READ_URI_PERMISSION,

                == PERMISSION_GRANTED) {

                callerToken) == PERMISSION_GRANTED) {

            return;

            return;

        }

        }
@@ -532,7 +540,8 @@ public abstract class ContentProvider implements ComponentCallbacks2 { 
    }

    }





    /** {@hide} */

    /** {@hide} */

    protected void enforceWritePermissionInner(Uri uri) throws SecurityException {

    protected void enforceWritePermissionInner(Uri uri, IBinder callerToken)

            throws SecurityException {

        final Context context = getContext();

        final Context context = getContext();

        final int pid = Binder.getCallingPid();

        final int pid = Binder.getCallingPid();

        final int uid = Binder.getCallingUid();

        final int uid = Binder.getCallingUid();
@@ -545,7 +554,8 @@ public abstract class ContentProvider implements ComponentCallbacks2 { 
        if (mExported && checkUser(pid, uid, context)) {

        if (mExported && checkUser(pid, uid, context)) {

            final String componentPerm = getWritePermission();

            final String componentPerm = getWritePermission();

            if (componentPerm != null) {

            if (componentPerm != null) {

                if (context.checkPermission(componentPerm, pid, uid) == PERMISSION_GRANTED) {

                if (context.checkPermission(componentPerm, pid, uid, callerToken)

                        == PERMISSION_GRANTED) {

                    return;

                    return;

                } else {

                } else {

                    missingPerm = componentPerm;

                    missingPerm = componentPerm;
@@ -562,7 +572,8 @@ public abstract class ContentProvider implements ComponentCallbacks2 { 
                for (PathPermission pp : pps) {

                for (PathPermission pp : pps) {

                    final String pathPerm = pp.getWritePermission();

                    final String pathPerm = pp.getWritePermission();

                    if (pathPerm != null && pp.match(path)) {

                    if (pathPerm != null && pp.match(path)) {

                        if (context.checkPermission(pathPerm, pid, uid) == PERMISSION_GRANTED) {

                        if (context.checkPermission(pathPerm, pid, uid, callerToken)

                                == PERMISSION_GRANTED) {

                            return;

                            return;

                        } else {

                        } else {

                            // any denied <path-permission> means we lose

                            // any denied <path-permission> means we lose
@@ -580,8 +591,8 @@ public abstract class ContentProvider implements ComponentCallbacks2 { 
        }

        }





        // last chance, check against any uri grants

        // last chance, check against any uri grants

        if (context.checkUriPermission(uri, pid, uid, Intent.FLAG_GRANT_WRITE_URI_PERMISSION)

        if (context.checkUriPermission(uri, pid, uid, Intent.FLAG_GRANT_WRITE_URI_PERMISSION,

                == PERMISSION_GRANTED) {

                callerToken) == PERMISSION_GRANTED) {

            return;

            return;

        }

        }