diff options
author | Ganesh Olekar <olekarg@google.com> | 2021-12-13 23:05:08 +0000 |
---|---|---|
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2022-02-14 23:12:46 +0000 |
commit | b716ef0497811c40f4908d657d3c9f99fa23595d (patch) | |
tree | 8dd560a8158db155afaacc212cdb1173a0daad6f | |
parent | 6d64b203f16a75e98b85eff21ff9b14537a97732 (diff) | |
download | base-b716ef0497811c40f4908d657d3c9f99fa23595d.tar.gz |
Validate pid can be trusted
Bug: 200288596
Test: Manual
Test: atest android.security.cts.AttributionSourceTest#testPidCheck
Change-Id: I07f86ba220bedb1393f4d7ed23175e92d4576601
(cherry picked from commit f29223746d9009a592b0ee7ee5a92398589c5b53)
Merged-In:I07f86ba220bedb1393f4d7ed23175e92d4576601
-rw-r--r-- | core/api/test-current.txt | 1 | ||||
-rw-r--r-- | core/java/android/content/AttributionSource.java | 46 |
2 files changed, 43 insertions, 4 deletions
diff --git a/core/api/test-current.txt b/core/api/test-current.txt index 5c9da0bc97e6..ebc62f56bc95 100644 --- a/core/api/test-current.txt +++ b/core/api/test-current.txt @@ -688,6 +688,7 @@ package android.content { ctor public AttributionSource(int, @Nullable String, @Nullable String); ctor public AttributionSource(int, @Nullable String, @Nullable String, @NonNull android.os.IBinder); ctor public AttributionSource(int, @Nullable String, @Nullable String, @Nullable java.util.Set<java.lang.String>, @Nullable android.content.AttributionSource); + method public void enforceCallingPid(); } public final class AutofillOptions implements android.os.Parcelable { diff --git a/core/java/android/content/AttributionSource.java b/core/java/android/content/AttributionSource.java index bdb7900b5bb9..2f61fee88e9f 100644 --- a/core/java/android/content/AttributionSource.java +++ b/core/java/android/content/AttributionSource.java @@ -154,8 +154,8 @@ public final class AttributionSource implements Parcelable { this(AttributionSourceState.CREATOR.createFromParcel(in)); // Since we just unpacked this object as part of it transiting a Binder - // call, this is the perfect time to enforce that its UID can be trusted - enforceCallingUid(); + // call, this is the perfect time to enforce that its UID and PID can be trusted + enforceCallingUidAndPid(); } /** @hide */ @@ -226,13 +226,24 @@ public final class AttributionSource implements Parcelable { } /** + * If you are handling an IPC and you don't trust the caller you need to validate whether the + * attribution source is one for the calling app to prevent the caller to pass you a source from + * another app without including themselves in the attribution chain. + * + * @throws SecurityException if the attribution source cannot be trusted to be from the caller. + */ + private void enforceCallingUidAndPid() { + enforceCallingUid(); + enforceCallingPid(); + } + + /** * If you are handling an IPC and you don't trust the caller you need to validate * whether the attribution source is one for the calling app to prevent the caller * to pass you a source from another app without including themselves in the * attribution chain. * - * @throws SecurityException if the attribution source cannot be trusted to be - * from the caller. + * @throws SecurityException if the attribution source cannot be trusted to be from the caller. */ public void enforceCallingUid() { if (!checkCallingUid()) { @@ -261,6 +272,33 @@ public final class AttributionSource implements Parcelable { return true; } + /** + * Validate that the pid being claimed for the calling app is not spoofed + * + * @throws SecurityException if the attribution source cannot be trusted to be from the caller. + * @hide + */ + @TestApi + public void enforceCallingPid() { + if (!checkCallingPid()) { + throw new SecurityException("Calling pid: " + Binder.getCallingPid() + + " doesn't match source pid: " + mAttributionSourceState.pid); + } + } + + /** + * Validate that the pid being claimed for the calling app is not spoofed + * + * @return if the attribution source cannot be trusted to be from the caller. + */ + private boolean checkCallingPid() { + final int callingPid = Binder.getCallingPid(); + if (mAttributionSourceState.pid != -1 && callingPid != mAttributionSourceState.pid) { + return false; + } + return true; + } + @Override public String toString() { if (Build.IS_DEBUGGABLE) { |