Merge "Fix security vulnerability in getSubscriberIdForSubscriber." into sc-dev (ddf5e19d) · Commits · e / os / android_frameworks_opt_telephony

src/java/com/android/internal/telephony/PhoneSubInfoController.java

+24 −4

Original line number	Original line	Diff line number	Diff line
	@@ -23,7 +23,6 @@ import static android.Manifest.permission.READ_PRIVILEGED_PHONE_STATE;

	import android.annotation.NonNull;		import android.annotation.NonNull;
	import android.annotation.Nullable;		import android.annotation.Nullable;
	import android.app.AppOpsManager;
	import android.compat.annotation.UnsupportedAppUsage;		import android.compat.annotation.UnsupportedAppUsage;
	import android.content.Context;		import android.content.Context;
	import android.content.pm.PackageManager;		import android.content.pm.PackageManager;
	@@ -48,7 +47,7 @@ public class PhoneSubInfoController extends IPhoneSubInfo.Stub {

	@UnsupportedAppUsage(maxTargetSdk = Build.VERSION_CODES.R, trackingBug = 170729553)		@UnsupportedAppUsage(maxTargetSdk = Build.VERSION_CODES.R, trackingBug = 170729553)
	private final Context mContext;		private final Context mContext;
	private final AppOpsManager mAppOps;		private PackageManager mPm;

	public PhoneSubInfoController(Context context) {		public PhoneSubInfoController(Context context) {
	ServiceRegisterer phoneSubServiceRegisterer = TelephonyFrameworkInitializer		ServiceRegisterer phoneSubServiceRegisterer = TelephonyFrameworkInitializer
	@@ -58,7 +57,7 @@ public class PhoneSubInfoController extends IPhoneSubInfo.Stub {
	phoneSubServiceRegisterer.register(this);		phoneSubServiceRegisterer.register(this);
	}		}
	mContext = context;		mContext = context;
	mAppOps = (AppOpsManager) mContext.getSystemService(Context.APP_OPS_SERVICE);		mPm = mContext.getPackageManager();
	}		}

	@Deprecated		@Deprecated
	@@ -143,7 +142,10 @@ public class PhoneSubInfoController extends IPhoneSubInfo.Stub {

	public String getSubscriberIdForSubscriber(int subId, String callingPackage,		public String getSubscriberIdForSubscriber(int subId, String callingPackage,
	String callingFeatureId) {		String callingFeatureId) {
	String message = "getSubscriberId";		String message = "getSubscriberIdForSubscriber";

			enforceCallingPackage(callingPackage, Binder.getCallingUid(), message);

	long identity = Binder.clearCallingIdentity();		long identity = Binder.clearCallingIdentity();
	boolean isActive;		boolean isActive;
	try {		try {
	@@ -301,6 +303,24 @@ public class PhoneSubInfoController extends IPhoneSubInfo.Stub {
	"Requires MODIFY_PHONE_STATE");		"Requires MODIFY_PHONE_STATE");
	}		}

			/**
			* Make sure the caller is the calling package itself
			*
			* @throws SecurityException if the caller is not the calling package
			*/
			private void enforceCallingPackage(String callingPackage, int callingUid, String message) {
			int packageUid = -1;
			try {
			packageUid = mPm.getPackageUid(callingPackage, 0);
			} catch (PackageManager.NameNotFoundException e) {
			// packageUid is -1
			}
			if (packageUid != callingUid) {
			throw new SecurityException(message + ": Package " + callingPackage
			+ " does not belong to " + callingUid);
			}
			}

	@UnsupportedAppUsage(maxTargetSdk = Build.VERSION_CODES.R, trackingBug = 170729553)		@UnsupportedAppUsage(maxTargetSdk = Build.VERSION_CODES.R, trackingBug = 170729553)
	private int getDefaultSubscription() {		private int getDefaultSubscription() {
	return PhoneFactory.getDefaultSubscription();		return PhoneFactory.getDefaultSubscription();

tests/telephonytests/src/com/android/internal/telephony/PhoneSubInfoControllerTest.java

+6 −0

Original line number	Original line	Diff line number	Diff line
	@@ -30,6 +30,7 @@ import android.app.AppOpsManager;
	import android.app.PropertyInvalidatedCache;		import android.app.PropertyInvalidatedCache;
	import android.content.Context;		import android.content.Context;
	import android.content.pm.PackageManager;		import android.content.pm.PackageManager;
			import android.os.Binder;
	import android.os.Build;		import android.os.Build;
	import android.test.suitebuilder.annotation.SmallTest;		import android.test.suitebuilder.annotation.SmallTest;

	@@ -44,6 +45,7 @@ public class PhoneSubInfoControllerTest extends TelephonyTest {

	private PhoneSubInfoController mPhoneSubInfoControllerUT;		private PhoneSubInfoController mPhoneSubInfoControllerUT;
	private AppOpsManager mAppOsMgr;		private AppOpsManager mAppOsMgr;
			private PackageManager mPm;

	@Mock		@Mock
	GsmCdmaPhone mSecondPhone;		GsmCdmaPhone mSecondPhone;
	@@ -69,6 +71,7 @@ public class PhoneSubInfoControllerTest extends TelephonyTest {
	doReturn(mContext).when(mSecondPhone).getContext();		doReturn(mContext).when(mSecondPhone).getContext();

	mAppOsMgr = (AppOpsManager) mContext.getSystemService(Context.APP_OPS_SERVICE);		mAppOsMgr = (AppOpsManager) mContext.getSystemService(Context.APP_OPS_SERVICE);
			mPm = mContext.getPackageManager();

	replaceInstance(PhoneFactory.class, "sPhones", null, new Phone[]{mPhone, mSecondPhone});		replaceInstance(PhoneFactory.class, "sPhones", null, new Phone[]{mPhone, mSecondPhone});
	mPhoneSubInfoControllerUT = new PhoneSubInfoController(mContext);		mPhoneSubInfoControllerUT = new PhoneSubInfoController(mContext);
	@@ -81,6 +84,9 @@ public class PhoneSubInfoControllerTest extends TelephonyTest {
	doReturn(AppOpsManager.MODE_ERRORED).when(mAppOsMgr).noteOpNoThrow(		doReturn(AppOpsManager.MODE_ERRORED).when(mAppOsMgr).noteOpNoThrow(
	eq(AppOpsManager.OPSTR_READ_DEVICE_IDENTIFIERS), anyInt(), eq(TAG), eq(FEATURE_ID),		eq(AppOpsManager.OPSTR_READ_DEVICE_IDENTIFIERS), anyInt(), eq(TAG), eq(FEATURE_ID),
	nullable(String.class));		nullable(String.class));

			// Bypass calling package check.
			doReturn(Binder.getCallingUid()).when(mPm).getPackageUid(eq(TAG), anyInt());
	}		}

	@After		@After