Commit 1221ede9 authored by Shuo Qian

Add package checking with Uid in EuiccController#getEid

EuiccController does not validate the calling package name
(i.e. to ensure that it is owned by the calling UID). It is
therefore possible for an app to effectively gain carrier
privileges in the call to EuiccController#getEid by
passing the package name of another app that does have carrier
privileges to one or more subscriptions.

Test: safe net log
Bug: 159062405
Change-Id: I0bf7c8b267a0c9cd877328c4ff3169950e1ff64f
parent 23010130
+7 −0
@@ -45,6 +45,7 @@ import android.telephony.euicc.EuiccInfo;
import android.telephony.euicc.EuiccManager;
import android.telephony.euicc.EuiccManager.OtaStatus;
import android.text.TextUtils;
import android.util.EventLog;
import android.util.Log;

import com.android.internal.annotations.VisibleForTesting;
@@ -174,6 +175,12 @@ public class EuiccController extends IEuiccController.Stub {
    @Override
    public String getEid(int cardId, String callingPackage) {
        boolean callerCanReadPhoneStatePrivileged = callerCanReadPhoneStatePrivileged();
        try {
            mAppOpsManager.checkPackage(Binder.getCallingUid(), callingPackage);
        } catch (SecurityException e) {
            EventLog.writeEvent(0x534e4554, "159062405", -1, "Missing UID checking");
            throw e;
        }
        long token = Binder.clearCallingIdentity();
        try {
            if (!callerCanReadPhoneStatePrivileged
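Review bot: the EventLog.writeEvent call in the new catch block passes -1 as the UID argument, although Binder.getCallingUid() is available and was used one statement earlier in the checkPackage call. Logging the real calling UID there would let the 0x534e4554 event identify which app supplied a package name it does not own. A second, smaller point: callerCanReadPhoneStatePrivileged() is still evaluated before the package check. Since checkPackage depends only on the calling UID and the callingPackage argument, it could be the first statement in getEid so that a mismatched package name is rejected before any other work is done on the caller's behalf. Keeping the check ahead of Binder.clearCallingIdentity(), as done here, is correct and should stay that way.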