[DO NOT MERGE] Don't allow permission change to runtimeandroid-7.1.1_r42 android-7.1.1_r40

Prevent apps to change permission protection level to dangerous from any other type as this would allow a privilege escalation where an app adds a normal permission in other app's group and then redefines it as dangerous leading to the group auto-grant. Test: Added a CTS test which passes. Bug: 33860747 Change-Id: I1ccf546f78ee79ff027cb98124be81c8e5265a82 (cherry picked from commit fe430be9f102893c95258cc81589df132b7d02b3)
author: Svetoslav Ganov <svetoslavganov@google.com> 2016-12-29 14:36:58 -0800
committer: gitbuildkicker <android-build@google.com> 2017-03-23 10:57:25 -0700
commit: 5e6dc55c12fac2ec037c85706f7c17059a28099e (patch)
tree: e4a12858045eba410c1f02290b749238f79a9b4e
parent: dbce71357e908e88547661978784e71af51f1ead (diff)
download: base-5e6dc55c12fac2ec037c85706f7c17059a28099e.tar.gz
1 files changed, 14 insertions, 0 deletions
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index 5fd9c58964d0..629293de3892 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -15159,6 +15159,20 @@ public class PackageManagerService extends IPackageManager.Stub {
                                     + perm.info.name + "; ignoring new declaration");
                             pkg.permissions.remove(i);
                         }
+                    } else if (!PLATFORM_PACKAGE_NAME.equals(pkg.packageName)) {
+                        // Prevent apps to change protection level to dangerous from any other
+                        // type as this would allow a privilege escalation where an app adds a
+                        // normal/signature permission in other app's group and later redefines
+                        // it as dangerous leading to the group auto-grant.
+                        if ((perm.info.protectionLevel & PermissionInfo.PROTECTION_MASK_BASE)
+                                == PermissionInfo.PROTECTION_DANGEROUS) {
+                            if (bp != null && !bp.isRuntime()) {
+                                Slog.w(TAG, "Package " + pkg.packageName + " trying to change a "
+                                        + "non-runtime permission " + perm.info.name
+                                        + " to runtime; keeping old protection level");
+                                perm.info.protectionLevel = bp.protectionLevel;
+                            }
+                        }
                     }
                 }
             }
author	Svetoslav Ganov <svetoslavganov@google.com>	2016-12-29 14:36:58 -0800
committer	gitbuildkicker <android-build@google.com>	2017-03-23 10:57:25 -0700
commit	5e6dc55c12fac2ec037c85706f7c17059a28099e (patch)
tree	e4a12858045eba410c1f02290b749238f79a9b4e
parent	dbce71357e908e88547661978784e71af51f1ead (diff)
download	base-5e6dc55c12fac2ec037c85706f7c17059a28099e.tar.gz