Validate pid can be trusted

Bug: 200288596
Test: Manual
Test: atest android.security.cts.AttributionSourceTest#testPidCheck
Change-Id: I07f86ba220bedb1393f4d7ed23175e92d4576601
(cherry picked from commit f29223746d9009a592b0ee7ee5a92398589c5b53)
Merged-In:I07f86ba220bedb1393f4d7ed23175e92d4576601

2 files changed, 43 insertions, 4 deletions

diff --git a/core/api/test-current.txt b/core/api/test-current.txt
index 5c9da0bc97e6..ebc62f56bc95 100644
--- a/core/api/test-current.txt
+++ b/core/api/test-current.txt
@@ -688,6 +688,7 @@ package android.content {
     ctor public AttributionSource(int, @Nullable String, @Nullable String);
     ctor public AttributionSource(int, @Nullable String, @Nullable String, @NonNull android.os.IBinder);
     ctor public AttributionSource(int, @Nullable String, @Nullable String, @Nullable java.util.Set<java.lang.String>, @Nullable android.content.AttributionSource);
+    method public void enforceCallingPid();
   }
 
   public final class AutofillOptions implements android.os.Parcelable {
diff --git a/core/java/android/content/AttributionSource.java b/core/java/android/content/AttributionSource.java
index bdb7900b5bb9..2f61fee88e9f 100644
--- a/core/java/android/content/AttributionSource.java
+++ b/core/java/android/content/AttributionSource.java
@@ -154,8 +154,8 @@ public final class AttributionSource implements Parcelable {
         this(AttributionSourceState.CREATOR.createFromParcel(in));
 
         // Since we just unpacked this object as part of it transiting a Binder
-        // call, this is the perfect time to enforce that its UID can be trusted
-        enforceCallingUid();
+        // call, this is the perfect time to enforce that its UID and PID can be trusted
+        enforceCallingUidAndPid();
     }
 
     /** @hide */
@@ -226,13 +226,24 @@ public final class AttributionSource implements Parcelable {
     }
 
     /**
+     * If you are handling an IPC and you don't trust the caller you need to validate whether the
+     * attribution source is one for the calling app to prevent the caller to pass you a source from
+     * another app without including themselves in the attribution chain.
+     *
+     * @throws SecurityException if the attribution source cannot be trusted to be from the caller.
+     */
+    private void enforceCallingUidAndPid() {
+        enforceCallingUid();
+        enforceCallingPid();
+    }
+
+    /**
      * If you are handling an IPC and you don't trust the caller you need to validate
      * whether the attribution source is one for the calling app to prevent the caller
      * to pass you a source from another app without including themselves in the
      * attribution chain.
      *
-     * @throws SecurityException if the attribution source cannot be trusted to be
-     * from the caller.
+     * @throws SecurityException if the attribution source cannot be trusted to be from the caller.
      */
     public void enforceCallingUid() {
         if (!checkCallingUid()) {
@@ -261,6 +272,33 @@ public final class AttributionSource implements Parcelable {
         return true;
     }
 
+    /**
+     * Validate that the pid being claimed for the calling app is not spoofed
+     *
+     * @throws SecurityException if the attribution source cannot be trusted to be from the caller.
+     * @hide
+     */
+    @TestApi
+    public void enforceCallingPid() {
+        if (!checkCallingPid()) {
+            throw new SecurityException("Calling pid: " + Binder.getCallingPid()
+                    + " doesn't match source pid: " + mAttributionSourceState.pid);
+        }
+    }
+
+    /**
+     * Validate that the pid being claimed for the calling app is not spoofed
+     *
+     * @return if the attribution source cannot be trusted to be from the caller.
+     */
+    private boolean checkCallingPid() {
+        final int callingPid = Binder.getCallingPid();
+        if (mAttributionSourceState.pid != -1 && callingPid != mAttributionSourceState.pid) {
+            return false;
+        }
+        return true;
+    }
+
     @Override
     public String toString() {
         if (Build.IS_DEBUGGABLE) {