
Commit 95ff0752 authored by Arc Wang's avatar Arc Wang

Check Uri permission for FLAG_GRANT_READ/WRITE_URI_PERMISSION

To improve security, calling app must be granted Uri permission
if it sets FLAG_GRANT_READ/WRITE_URI_PERMISSION in the Intent of
ACTION_SETTINGS_EMBED_DEEP_LINK_ACTIVITY.

Bug: 250589026
Test: manual
Change-Id: I48f88c662b843212b1066369badff84cf98935a8
Merged-In: I48f88c662b843212b1066369badff84cf98935a8
parent f964b68f
+24 −10
@@ -460,7 +460,16 @@ public class SettingsHomepageActivity extends FragmentActivity implements
            return;
        }

        if (!hasPrivilegedAccess(targetActivityInfo)) {
        int callingUid = -1;
        try {
            callingUid = ActivityManager.getService().getLaunchedFromUid(getActivityToken());
        } catch (RemoteException re) {
            Log.e(TAG, "Not able to get callingUid: " + re);
            finish();
            return;
        }

        if (!hasPrivilegedAccess(callingUid, targetActivityInfo)) {
            if (!targetActivityInfo.exported) {
                Log.e(TAG, "Target Activity is not exported");
                finish();
@@ -491,6 +500,19 @@ public class SettingsHomepageActivity extends FragmentActivity implements
        targetIntent.setData(intent.getParcelableExtra(
                SettingsHomepageActivity.EXTRA_SETTINGS_LARGE_SCREEN_DEEP_LINK_INTENT_DATA));

        // Only allow FLAG_GRANT_READ/WRITE_URI_PERMISSION if calling app has the permission to
        // access specified Uri.
        int uriPermissionFlags = targetIntent.getFlags()
                & (Intent.FLAG_GRANT_READ_URI_PERMISSION | Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
        if (targetIntent.getData() != null
                && uriPermissionFlags != 0
                && checkUriPermission(targetIntent.getData(), /* pid= */ -1, callingUid,
                        uriPermissionFlags) == PackageManager.PERMISSION_DENIED) {
            Log.e(TAG, "Calling app must have the permission to access Uri and grant permission");
            finish();
            return;
        }

        // Set 2-pane pair rule for the deep link page.
        ActivityEmbeddingRulesController.registerTwoPanePairRule(this,
                new ComponentName(getApplicationContext(), getClass()),
@@ -516,20 +538,12 @@ public class SettingsHomepageActivity extends FragmentActivity implements
    }

    // Check if calling app has privileged access to launch Activity of activityInfo.
    private boolean hasPrivilegedAccess(ActivityInfo activityInfo) {
    private boolean hasPrivilegedAccess(int callingUid, ActivityInfo activityInfo) {
        if (TextUtils.equals(PasswordUtils.getCallingAppPackageName(getActivityToken()),
                    getPackageName())) {
            return true;
        }

        int callingUid = -1;
        try {
            callingUid = ActivityManager.getService().getLaunchedFromUid(getActivityToken());
        } catch (RemoteException re) {
            Log.e(TAG, "Not able to get callingUid: " + re);
            return false;
        }

        int targetUid = -1;
        try {
            targetUid = getPackageManager().getApplicationInfo(activityInfo.packageName,
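Review bot: The Uri check in the second hunk masks only `FLAG_GRANT_READ_URI_PERMISSION` and `FLAG_GRANT_WRITE_URI_PERMISSION` and verifies only `targetIntent.getData()`, so `FLAG_GRANT_PREFIX_URI_PERMISSION` and `FLAG_GRANT_PERSISTABLE_URI_PERMISSION` reach the target unexamined. If the forwarded intent keeps those bits, the resulting grant may be wider or longer-lived than the access that was verified for the caller; consider dropping them before launch with `targetIntent.removeFlags(Intent.FLAG_GRANT_PREFIX_URI_PERMISSION | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION);`. The comparison would also fail closed if written as `!= PackageManager.PERMISSION_GRANTED` instead of `== PackageManager.PERMISSION_DENIED`. Whether `targetIntent` can carry ClipData Uris is not visible here, since the enclosing method begins before the hunk, so that path is worth confirming as well.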