Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit f69a0da9 authored by Grace Jia's avatar Grace Jia
Browse files

Default to use mobile network to place self-managed call when the phone 

account handle is not permitted to place a call.

Currently, malicious can call TelecomManager#placeCall with a possible
package name to read information of phone account handles. Fallback to
place the self-managed call on mobile network to avoid this kind of
disclosing.

Bug: 191768014
Test: Manually test using debug app
Change-Id: Iab5301d528aa4968874390cce17eb0e5aa599072
parent 4e4bbe66

src/com/android/server/telecom/TelecomServiceImpl.java

+18 −7
Original line number Diff line number Diff line
@@ -1466,6 +1466,7 @@ public class TelecomServiceImpl { 
                enforceCallingPackage(callingPackage);



                PhoneAccountHandle phoneAccountHandle = null;

                boolean clearPhoneAccountHandleExtra = false;

                if (extras != null) {

                    phoneAccountHandle = extras.getParcelable(

                            TelecomManager.EXTRA_PHONE_ACCOUNT_HANDLE);
@@ -1477,17 +1478,24 @@ public class TelecomServiceImpl { 
                boolean isSelfManaged = phoneAccountHandle != null &&

                        isSelfManagedConnectionService(phoneAccountHandle);

                if (isSelfManaged) {

                    mContext.enforceCallingOrSelfPermission(Manifest.permission.MANAGE_OWN_CALLS,

                            "Self-managed ConnectionServices require MANAGE_OWN_CALLS permission.");

                    try {

                        mContext.enforceCallingOrSelfPermission(

                                Manifest.permission.MANAGE_OWN_CALLS,

                                "Self-managed ConnectionServices require "

                                        + "MANAGE_OWN_CALLS permission.");

                    } catch (SecurityException e) {

                        // Fallback to use mobile network to avoid disclosing phone account handle

                        // package information

                        clearPhoneAccountHandleExtra = true;

                    }



                    if (!callingPackage.equals(

                    if (!clearPhoneAccountHandleExtra && !callingPackage.equals(

                            phoneAccountHandle.getComponentName().getPackageName())

                            && !canCallPhone(callingPackage, callingFeatureId,

                            "CALL_PHONE permission required to place calls.")) {

                        // The caller is not allowed to place calls, so we want to ensure that it

                        // can only place calls through itself.

                        throw new SecurityException("Self-managed ConnectionServices can only "

                                + "place calls through their own ConnectionService.");

                        // The caller is not allowed to place calls, so fallback to use mobile

                        // network.

                        clearPhoneAccountHandleExtra = true;

                    }

                } else if (!canCallPhone(callingPackage, callingFeatureId, "placeCall")) {

                    throw new SecurityException("Package " + callingPackage
@@ -1522,6 +1530,9 @@ public class TelecomServiceImpl { 
                        final Intent intent = new Intent(hasCallPrivilegedPermission ?

                                Intent.ACTION_CALL_PRIVILEGED : Intent.ACTION_CALL, handle);

                        if (extras != null) {

                            if (clearPhoneAccountHandleExtra) {

                                extras.remove(TelecomManager.EXTRA_PHONE_ACCOUNT_HANDLE);

                            }

                            extras.setDefusable(true);

                            intent.putExtras(extras);

                        }