diff options
author | Svetoslav Ganov <svetoslavganov@google.com> | 2016-12-29 14:36:58 -0800 |
---|---|---|
committer | gitbuildkicker <android-build@google.com> | 2017-03-23 16:10:26 -0700 |
commit | 894d63476f7ea70a5c807add125765d7c82cb0e5 (patch) | |
tree | 21240bddda60ebf5287fa4e0f80474e1336ac819 | |
parent | 4f6d0200bf2f0b3dc7a93ce02bbc88030bcb6ecf (diff) | |
download | base-894d63476f7ea70a5c807add125765d7c82cb0e5.tar.gz |
[DO NOT MERGE] Don't allow permission change to runtimeandroid-7.1.1_r43android-7.1.1_r41android-7.1.1_r39
Prevent apps to change permission protection level to dangerous
from any other type as this would allow a privilege escalation
where an app adds a normal permission in other app's group and
then redefines it as dangerous leading to the group auto-grant.
Test: Added a CTS test which passes.
Bug: 33860747
Change-Id: I1ccf546f78ee79ff027cb98124be81c8e5265a82
(cherry picked from commit fe430be9f102893c95258cc81589df132b7d02b3)
-rw-r--r-- | services/core/java/com/android/server/pm/PackageManagerService.java | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java index 5fd9c58964d0..629293de3892 100644 --- a/services/core/java/com/android/server/pm/PackageManagerService.java +++ b/services/core/java/com/android/server/pm/PackageManagerService.java @@ -15159,6 +15159,20 @@ public class PackageManagerService extends IPackageManager.Stub { + perm.info.name + "; ignoring new declaration"); pkg.permissions.remove(i); } + } else if (!PLATFORM_PACKAGE_NAME.equals(pkg.packageName)) { + // Prevent apps to change protection level to dangerous from any other + // type as this would allow a privilege escalation where an app adds a + // normal/signature permission in other app's group and later redefines + // it as dangerous leading to the group auto-grant. + if ((perm.info.protectionLevel & PermissionInfo.PROTECTION_MASK_BASE) + == PermissionInfo.PROTECTION_DANGEROUS) { + if (bp != null && !bp.isRuntime()) { + Slog.w(TAG, "Package " + pkg.packageName + " trying to change a " + + "non-runtime permission " + perm.info.name + + " to runtime; keeping old protection level"); + perm.info.protectionLevel = bp.protectionLevel; + } + } } } } |