Fix bypass CALL_PRIVILEGED permission in AppRestrictionsFragment
In onReceive of AppRestrictionsFragment.java, there is a possible way to start a phone call without permissions due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed.

We should not allow the restrictionsIntent to startActivity simply because it resolves to multiple activities. Instead, we should call resolveActivity and check that the result's package name is the same as the current package name; then it is safe to startActivity.

Bug: 200688991
Test: manual verify
Change-Id: Iaa2d3a9497c3266babe0789961befc9776a4db7a
Merged-In: Iaa2d3a9497c3266babe0789961befc9776a4db7a
(cherry picked from commit 359512cd)
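The check described in the commit message, as an added example that is not the patch itself or any AOSP code: the class `SafeRestrictionsLauncher`, the method `startIfOwnedBy` and the parameter `expectedPackage` (standing in for the message's "current package name") are hypothetical names. Pinning the intent to the resolved component before launching is an extra step in this sketch, not something the commit message states.

```java
import android.content.ActivityNotFoundException;
import android.content.Context;
import android.content.Intent;
import android.content.pm.ActivityInfo;
import android.content.pm.PackageManager;
import android.content.pm.ResolveInfo;

/** Added example: hypothetical helper, not the AOSP implementation. */
final class SafeRestrictionsLauncher {
    private SafeRestrictionsLauncher() {}

    /**
     * Starts an intent received from another app only when the system resolves
     * it to an activity inside expectedPackage. The caller is assumed to pass
     * an Activity context.
     */
    static void startIfOwnedBy(Context context, Intent untrusted, String expectedPackage) {
        PackageManager pm = context.getPackageManager();

        // Ask the system which single activity this intent would launch.
        ResolveInfo resolved =
                pm.resolveActivity(untrusted, PackageManager.MATCH_DEFAULT_ONLY);
        if (resolved == null || resolved.activityInfo == null) {
            throw new ActivityNotFoundException("No activity found for " + untrusted);
        }

        // When several activities match and none is preferred, the result is the
        // system chooser, whose package differs from expectedPackage, so
        // "resolves to multiple activities" is rejected here rather than trusted.
        ActivityInfo target = resolved.activityInfo;
        if (!expectedPackage.equals(target.packageName)) {
            // Launching would lend this app's privileges to a foreign component:
            // the confused-deputy case the commit message describes.
            throw new SecurityException("Intent resolves to " + target.packageName
                    + ", expected " + expectedPackage);
        }

        // Extra hardening in this sketch: copy the intent and make it explicit,
        // so the component that was checked is the one that gets started.
        Intent pinned = new Intent(untrusted);
        pinned.setClassName(target.packageName, target.name);
        context.startActivity(pinned);
    }
}
```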
