diff options
author | Jeff Sharkey <jsharkey@android.com> | 2017-06-12 17:33:07 -0600 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2017-11-09 19:14:31 +0000 |
commit | 1dc064f2d0d37c8929c95847584d41b40050ab7c (patch) | |
tree | 0c72d3a4264b690c17a494879b129f1cbe1bf426 | |
parent | 43c346847756584bb58247510cb1b3249985fc27 (diff) | |
download | base-1dc064f2d0d37c8929c95847584d41b40050ab7c.tar.gz |
DO NOT MERGE. KEY_INTENT shouldn't grant permissions.
KEY_INTENT has no business granting any Uri permissions, so remove
any grant flags that malicious apps may have tried sneaking in.
Also fix ordering bug in general-purpose security check that was
allowing FLAG_GRANT_PERSISTABLE to bypass it.
Test: builds, boots
Bug: 32990341, 32879915
Change-Id: I657455a770c81f045ccce6abbd2291407a1cfb42
(cherry picked from commit d722e780bac7685e8a012b5f479eba8c348c3c53)
(cherry picked from commit dba1bb07e04b51b1bd0a1251711781e731ce9524)
-rw-r--r-- | services/core/java/com/android/server/accounts/AccountManagerService.java | 4 | ||||
-rw-r--r-- | services/core/java/com/android/server/am/ActivityManagerService.java | 23 |
2 files changed, 17 insertions, 10 deletions
diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java index f0b1b3baee17..ef8a5758e873 100644 --- a/services/core/java/com/android/server/accounts/AccountManagerService.java +++ b/services/core/java/com/android/server/accounts/AccountManagerService.java @@ -4703,6 +4703,10 @@ public class AccountManagerService protected void checkKeyIntent( int authUid, Intent intent) throws SecurityException { + intent.setFlags(intent.getFlags() & ~(Intent.FLAG_GRANT_READ_URI_PERMISSION + | Intent.FLAG_GRANT_WRITE_URI_PERMISSION + | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION + | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION)); long bid = Binder.clearCallingIdentity(); try { PackageManager pm = mContext.getPackageManager(); diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java index 186d0f40f43a..64eb97070d61 100644 --- a/services/core/java/com/android/server/am/ActivityManagerService.java +++ b/services/core/java/com/android/server/am/ActivityManagerService.java @@ -8629,6 +8629,19 @@ public class ActivityManagerService extends IActivityManager.Stub return -1; } + // Bail early if system is trying to hand out permissions directly; it + // must always grant permissions on behalf of someone explicit. + final int callingAppId = UserHandle.getAppId(callingUid); + if ((callingAppId == SYSTEM_UID) || (callingAppId == ROOT_UID)) { + if ("com.android.settings.files".equals(grantUri.uri.getAuthority())) { + // Exempted authority for cropping user photos in Settings app + } else { + Slog.w(TAG, "For security reasons, the system cannot issue a Uri permission" + + " grant to " + grantUri + "; use startActivityAsCaller() instead"); + return -1; + } + } + final String authority = grantUri.uri.getAuthority(); final ProviderInfo pi = getProviderInfoLocked(authority, grantUri.sourceUserId, MATCH_DEBUG_TRIAGED_MISSING); @@ -8724,16 +8737,6 @@ public class ActivityManagerService extends IActivityManager.Stub // Third... does the caller itself have permission to access // this uri? - final int callingAppId = UserHandle.getAppId(callingUid); - if ((callingAppId == SYSTEM_UID) || (callingAppId == ROOT_UID)) { - if ("com.android.settings.files".equals(grantUri.uri.getAuthority())) { - // Exempted authority for cropping user photos in Settings app - } else { - Slog.w(TAG, "For security reasons, the system cannot issue a Uri permission" - + " grant to " + grantUri + "; use startActivityAsCaller() instead"); - return -1; - } - } if (!checkHoldingPermissionsLocked(pm, pi, grantUri, callingUid, modeFlags)) { // Require they hold a strong enough Uri permission if (!checkUriPermissionLocked(grantUri, callingUid, modeFlags)) { |