author | Ganesh Olekar <olekarg@google.com> | 2022-02-05 03:56:26 +0000 |
---|---|---|
committer | Android (Google) Code Review <android-gerrit@google.com> | 2022-02-05 03:56:26 +0000 |
commit | 45312b83822666238d9b0f3bfb6eded6adb9e8a1 (patch) | |
tree | b953825b272d3096b926443f1f21d115ea17f4bc | |
parent | 6a0f27d52fa1aa8f92a20e3194e4b2930865bec6 (diff) | |
parent | f29223746d9009a592b0ee7ee5a92398589c5b53 (diff) | |
download | base-45312b83822666238d9b0f3bfb6eded6adb9e8a1.tar.gz |
Merge "Validate pid can be trusted" into sc-dev
-rw-r--r-- | core/api/test-current.txt | 1 | ||||
-rw-r--r-- | core/java/android/content/AttributionSource.java | 46 |
2 files changed, 43 insertions, 4 deletions
diff --git a/core/api/test-current.txt b/core/api/test-current.txt
index ea6d0cecfd73..3c95afa9acd3 100644
--- a/core/api/test-current.txt
+++ b/core/api/test-current.txt
@@ -683,6 +683,7 @@ package android.content {
 ctor public AttributionSource(int, @Nullable String, @Nullable String);
 ctor public AttributionSource(int, @Nullable String, @Nullable String, @NonNull android.os.IBinder);
 ctor public AttributionSource(int, @Nullable String, @Nullable String, @Nullable java.util.Set<java.lang.String>, @Nullable android.content.AttributionSource);
+ method public void enforceCallingPid();
 }

 public final class AutofillOptions implements android.os.Parcelable {
diff --git a/core/java/android/content/AttributionSource.java b/core/java/android/content/AttributionSource.java
index bdb7900b5bb9..2f61fee88e9f 100644
--- a/core/java/android/content/AttributionSource.java
+++ b/core/java/android/content/AttributionSource.java
@@ -154,8 +154,8 @@ public final class AttributionSource implements Parcelable {
 this(AttributionSourceState.CREATOR.createFromParcel(in));

 // Since we just unpacked this object as part of it transiting a Binder
- // call, this is the perfect time to enforce that its UID can be trusted
- enforceCallingUid();
+ // call, this is the perfect time to enforce that its UID and PID can be trusted
+ enforceCallingUidAndPid();
 }

 /** @hide */
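Review bot: The comment above `enforceCallingUidAndPid()` in the Parcel constructor should state that the check is only valid on the thread handling the incoming, synchronous Binder transaction. `Binder.getCallingPid()` is documented to return 0 for oneway transactions and the process's own pid when no transaction is being handled, so a source unparceled elsewhere is compared against the wrong pid. I would add `// NOTE: only meaningful on the Binder thread of a non-oneway call; getCallingPid() is 0 or our own pid otherwise`. The constructor begins outside this hunk, so its other callers are not visible here.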
@@ -226,13 +226,24 @@ public final class AttributionSource implements Parcelable {
 }

 /**
+ * If you are handling an IPC and you don't trust the caller you need to validate whether the
+ * attribution source is one for the calling app to prevent the caller to pass you a source from
+ * another app without including themselves in the attribution chain.
+ *
+ * @throws SecurityException if the attribution source cannot be trusted to be from the caller.
+ */
+ private void enforceCallingUidAndPid() {
+ enforceCallingUid();
+ enforceCallingPid();
+ }
+
+ /**
 * If you are handling an IPC and you don't trust the caller you need to validate
 * whether the attribution source is one for the calling app to prevent the caller
 * to pass you a source from another app without including themselves in the
 * attribution chain.
 *
- * @throws SecurityException if the attribution source cannot be trusted to be
- * from the caller.
+ * @throws SecurityException if the attribution source cannot be trusted to be from the caller.
 */
 public void enforceCallingUid() {
 if (!checkCallingUid()) {
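Review bot: The Javadoc added to `enforceCallingUidAndPid()` is a verbatim copy of the `enforceCallingUid()` text and never says that the pid is checked as well. Since this helper is what the unparceling path relies on, its summary should name both checks, for example `Enforces that the uid and, when one is declared, the pid of this source match the Binder caller.` The reflowed `@throws` line on `enforceCallingUid()` is unrelated formatting churn; that method's body continues outside the hunk.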
@@ -261,6 +272,33 @@ public final class AttributionSource implements Parcelable { return true; } + /** + * Validate that the pid being claimed for the calling app is not spoofed + * + * @throws SecurityException if the attribution source cannot be trusted to be from the caller. + * @hide + */ + @TestApi + public void enforceCallingPid() { + if (!checkCallingPid()) { + throw new SecurityException("Calling pid: " + Binder.getCallingPid() + + " doesn't match source pid: " + mAttributionSourceState.pid); + } + } + + /** + * Validate that the pid being claimed for the calling app is not spoofed + * + * @return if the attribution source cannot be trusted to be from the caller. + */ + private boolean checkCallingPid() { + final int callingPid = Binder.getCallingPid(); + if (mAttributionSourceState.pid != -1 && callingPid != mAttributionSourceState.pid) { + return false; + } + return true; + } + @Override public String toString() { if (Build.IS_DEBUGGABLE) { |
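Review bot: `checkCallingPid()` returns true whenever `mAttributionSourceState.pid` is -1, so the new enforcement binds only sources that declare a pid, and neither Javadoc block says so. Code that later reads the pid for a trust decision still has to treat -1 as unverified; I would document that on `enforceCallingPid()` with `Sources with an unset pid (-1) pass this check unverified.` The `@return` text on `checkCallingPid()` is also inverted and should read `@return {@code false} if a declared pid differs from Binder.getCallingPid(), {@code true} otherwise`. A named constant in place of the literal -1 would make the sentinel explicit, if one is available in this file.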