RESTRICT AUTOMERGEandroid-8.0.0_r48

Prevent accessing companion records from arbitrary uids

Test: manual
Fixes: 129476618
Change-Id: I7b18cfcdf58e62a445cbb508116c6ce7c1cea8d7
(cherry picked from commit 98f45443e1cf397ab92b4cecd9200c2dcccf099b)

2 files changed, 10 insertions, 0 deletions

diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
index b2a736304ed0..c116a0aeb732 100644
--- a/core/res/AndroidManifest.xml
+++ b/core/res/AndroidManifest.xml
@@ -2725,6 +2725,11 @@
     <permission android:name="android.permission.OBSERVE_GRANT_REVOKE_PERMISSIONS"
         android:protectionLevel="signature|privileged" />
 
+    <!-- Allows an application to manage the companion devices.
+         @hide -->
+    <permission android:name="android.permission.MANAGE_COMPANION_DEVICES"
+                android:protectionLevel="signature" />
+
     <!-- @SystemApi Allows an application to use SurfaceFlinger's low level features.
          <p>Not for use by third-party applications.
          @hide
diff --git a/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java b/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java
index f47b0d3c6e73..b3bad57f1300 100644
--- a/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java
+++ b/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java
@@ -623,6 +623,11 @@ public class CompanionDeviceManagerService extends SystemService implements Bind
                 + "associate USER_ID PACKAGE MAC_ADDRESS\n"
                 + "disassociate USER_ID PACKAGE MAC_ADDRESS";
 
+        ShellCmd() {
+            getContext().enforceCallingOrSelfPermission(
+                    android.Manifest.permission.MANAGE_COMPANION_DEVICES, "ShellCmd");
+        }
+
         @Override
         public int onCommand(String cmd) {
             switch (cmd) {