
Commit ff8d66bb authored by Svetoslav Ganov

Don't allow permission change to runtime

Prevent apps from changing a permission's protection level to dangerous
from any other type, as this would allow a privilege escalation
where an app adds a normal permission in another app's group and
then redefines it as dangerous, leading to the group auto-grant.

Test: Added a CTS test which passes.

bug:33860747

Change-Id: Icd2d596d42ae2c6cf569c016d20d9bb9106a29ef
parent 17f739d9
+14 −0
@@ -15689,6 +15689,20 @@ public class PackageManagerService extends IPackageManager.Stub {
                                    + perm.info.name + "; ignoring new declaration");
                            pkg.permissions.remove(i);
                        }
                    } else if (!PLATFORM_PACKAGE_NAME.equals(pkg.packageName)) {
                        // Prevent apps to change protection level to dangerous from any other
                        // type as this would allow a privilege escalation where an app adds a
                        // normal/signature permission in other app's group and later redefines
                        // it as dangerous leading to the group auto-grant.
                        if ((perm.info.protectionLevel & PermissionInfo.PROTECTION_MASK_BASE)
                                == PermissionInfo.PROTECTION_DANGEROUS) {
                            if (bp != null && !bp.isRuntime()) {
                                Slog.w(TAG, "Package " + pkg.packageName + " trying to change a "
                                        + "non-runtime permission " + perm.info.name
                                        + " to runtime; keeping old protection level");
                                perm.info.protectionLevel = bp.protectionLevel;
                            }
                        }
                    }
                }
            }
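Review bot: the guard `if (bp != null && !bp.isRuntime())` inspects only the base level of the new declaration (masked with PROTECTION_MASK_BASE), but the fallback `perm.info.protectionLevel = bp.protectionLevel;` replaces the whole value, so any flag bits above the base mask that the new declaration set are silently dropped as well; either restore only the base bits and keep the newly declared flags, or make the code comment and the Slog.w message say that the entire protection level is reverted, not just the base. The log message is also the only signal the developer gets: the package still installs with the demoted permission, and it is worth stating in the comment whether that is intended over rejecting the install. Finally, the comment should note that the check is skipped for PLATFORM_PACKAGE_NAME via the enclosing `else if`, since that exemption is what lets the platform legitimately change levels.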