Commit 5fc96733 authored by Pranav Madapurmath

Resolve READ_PRIVILEGED_PHONE_STATE bypass

Fixes a bug where the calling user id was not being passed to the default dialer cache due to the calling identity being cleared (resulting in the Telecom process being used to check what the default dialer is).

Bug: 373862149
Change-Id: Icb59debc225a1963dd0a37f2e1f025e764715e0e
Test: Manual (patch also verified by reporter)
Flag: EXEMPT bugfix
parent 67ba32d1
+2 −1
@@ -3600,10 +3600,11 @@ public class TelecomServiceImpl {
        // Note: Important to clear the calling identity since the code below calls into RoleManager
        // to check who holds the dialer role, and that requires MANAGE_ROLE_HOLDERS permission
        // which is a system permission.
        int callingUserId = Binder.getCallingUserHandle().getIdentifier();
        long token = Binder.clearCallingIdentity();
        try {
            return mDefaultDialerCache.isDefaultOrSystemDialer(
                    callingPackage, Binder.getCallingUserHandle().getIdentifier());
                    callingPackage, callingUserId);
        } finally {
            Binder.restoreCallingIdentity(token);
        }
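
Review bot: The capture of `callingUserId` directly above `Binder.clearCallingIdentity()` has no comment tying it to the clear, and the existing note at the top of the hunk only explains why the identity is cleared, so a later cleanup could move the `Binder.getCallingUserHandle()` call back inside the `try` block and reintroduce the bypass. Suggest extending that comment to state that caller-derived values must be read before the identity is cleared, because afterwards the lookup resolves to the Telecom process rather than the caller. The commit lists only manual testing; an automated test that invokes this check on behalf of a non-system user and asserts the user id handed to `isDefaultOrSystemDialer` would keep the ordering from regressing.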