Track isolated process owners

This fixes two issues:
1) Isolated processes spawned by Instant Apps do not get full access to
package lists as those spawned by normal apps do
2) Package manager considers the isolated process the same app as the
Instant App that created it when determining what packages are exposed.

Bug: 34087569
Test: Webview works
Test: Isolated apps cannot access package info of other apps by starting
an isolated service.

Change-Id: Ib26280b87fb46dc66f1f25ee6209427a095342b0
diff --git a/core/java/android/content/pm/PackageManagerInternal.java b/core/java/android/content/pm/PackageManagerInternal.java
index 6272822..0a0d92c 100644
--- a/core/java/android/content/pm/PackageManagerInternal.java
+++ b/core/java/android/content/pm/PackageManagerInternal.java
@@ -312,4 +312,17 @@
      */
     public abstract ResolveInfo resolveIntent(Intent intent, String resolvedType,
             int flags, int userId);
+
+    /**
+     * Track the creator of a new isolated uid.
+     * @param isolatedUid The newly created isolated uid.
+     * @param ownerUid The uid of the app that created the isolated process.
+     */
+    public abstract void addIsolatedUid(int isolatedUid, int ownerUid);
+
+    /**
+     * Track removal of an isolated uid.
+     * @param isolatedUid isolated uid that is no longer being used.
+     */
+    public abstract void removeIsolatedUid(int isolatedUid);
 }
diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
index 7a83436..02ccee9 100644
--- a/services/core/java/com/android/server/am/ActivityManagerService.java
+++ b/services/core/java/com/android/server/am/ActivityManagerService.java
@@ -6591,6 +6591,7 @@
             mBatteryStatsService.noteProcessFinish(app.processName, app.info.uid);
             if (app.isolated) {
                 mBatteryStatsService.removeIsolatedUid(app.uid, app.info.uid);
+                getPackageManagerInternalLocked().removeIsolatedUid(app.uid);
             }
             boolean willRestart = false;
             if (app.persistent && !app.isolated) {
@@ -12084,6 +12085,7 @@
                 // the uid of the isolated process is specified by the caller.
                 uid = isolatedUid;
             }
+            getPackageManagerInternalLocked().addIsolatedUid(uid, info.uid);
 
             // Register the isolated UID with this application so BatteryStats knows to
             // attribute resource usage to the application.
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index 8cc9375..2fb3968 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -653,6 +653,11 @@
     final ArrayMap<String, Set<String>> mKnownCodebase =
             new ArrayMap<String, Set<String>>();
 
+    // Keys are isolated uids and values are the uid of the application
+    // that created the isolated proccess.
+    @GuardedBy("mPackages")
+    final SparseIntArray mIsolatedOwners = new SparseIntArray();
+
     // List of APK paths to load for each user and package. This data is never
     // persisted by the package manager. Instead, the overlay manager will
     // ensure the data is up-to-date in runtime.
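Review bot: `mIsolatedOwners` is annotated `@GuardedBy("mPackages")`, but both reads added by this commit happen before the lock is taken: `mIsolatedOwners.get(callingUid)` in getInstantAppPackageName and `mIsolatedOwners.get(uid)` in the isInstantApp hunk each sit above their `synchronized (mPackages)` block. SparseIntArray is not thread-safe, so a lookup can race with the `put`/`delete` that ActivityManagerService triggers as isolated processes start and die. Move each isolated-uid lookup inside the existing `synchronized (mPackages)` block so the annotation holds. The comment also has a typo, `proccess`.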
@@ -6174,6 +6179,10 @@
      * instant, returns {@code null}.
      */
     private String getInstantAppPackageName(int callingUid) {
+        // If the caller is an isolated app use the owner's uid for the lookup.
+        if (Process.isIsolated(callingUid)) {
+            callingUid = mIsolatedOwners.get(callingUid);
+        }
         final int appId = UserHandle.getAppId(callingUid);
         synchronized (mPackages) {
             final Object obj = mSettings.getUserIdLPr(appId);
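Review bot: An isolated uid that is not in the map is silently rewritten to uid 0, because `mIsolatedOwners.get(callingUid)` returns 0 for a missing key. The rest of the function lies outside the hunk, so how uid 0 resolves is not visible here, but it is unlikely to be classified as an instant app, which would make a missed or already-removed registration fail open for this visibility check. Use an explicit sentinel, `callingUid = mIsolatedOwners.get(callingUid, Process.INVALID_UID);`, and handle that value as an untracked caller with the restrictive result. The same default applies to `uid = mIsolatedOwners.get(uid);` in the isInstantApp hunk.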
@@ -7347,17 +7356,22 @@
         if (HIDE_EPHEMERAL_APIS || isEphemeralDisabled()) {
             return false;
         }
+        int uid = Binder.getCallingUid();
+        if (Process.isIsolated(uid)) {
+            uid = mIsolatedOwners.get(uid);
+        }
 
         synchronized (mPackages) {
             final PackageSetting ps = mSettings.mPackages.get(packageName);
+            PackageParser.Package pkg = mPackages.get(packageName);
             final boolean returnAllowed =
                     ps != null
-                    && (isCallerSameApp(packageName)
+                    && (isCallerSameApp(packageName, uid)
                             || mContext.checkCallingOrSelfPermission(
                                     android.Manifest.permission.ACCESS_INSTANT_APPS)
                                             == PERMISSION_GRANTED
                             || mInstantAppRegistry.isInstantAccessGranted(
-                                    userId, UserHandle.getAppId(Binder.getCallingUid()), ps.appId));
+                                    userId, UserHandle.getAppId(uid), ps.appId));
             if (returnAllowed) {
                 return ps.getInstantApp(userId);
             }
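Review bot: The added local `PackageParser.Package pkg = mPackages.get(packageName);` is not used anywhere in the visible part of this hunk. `isCallerSameApp(packageName, uid)` performs its own `mPackages.get(packageName)` lookup. The method continues past the hunk, so confirm whether `pkg` is read later; if it is not, drop the line.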
@@ -7374,7 +7388,7 @@
         enforceCrossUserPermission(Binder.getCallingUid(), userId,
                 true /* requireFullPermission */, false /* checkShell */,
                 "getInstantAppCookie");
-        if (!isCallerSameApp(packageName)) {
+        if (!isCallerSameApp(packageName, Binder.getCallingUid())) {
             return null;
         }
         synchronized (mPackages) {
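Review bot: This call passes the raw `Binder.getCallingUid()` to `isCallerSameApp`, whereas isInstantApp first maps an isolated caller to its owner, so an isolated process can never match its owning package here or in the setInstantAppCookie hunk. If that asymmetry is intentional, say so in both places with a comment such as `// Isolated callers are deliberately not mapped to their owner: they must not access the owner's cookie.` Without it, the next reader cannot tell a deliberate restriction from an oversight.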
@@ -7392,7 +7406,7 @@
         enforceCrossUserPermission(Binder.getCallingUid(), userId,
                 true /* requireFullPermission */, true /* checkShell */,
                 "setInstantAppCookie");
-        if (!isCallerSameApp(packageName)) {
+        if (!isCallerSameApp(packageName, Binder.getCallingUid())) {
             return false;
         }
         synchronized (mPackages) {
@@ -7420,10 +7434,10 @@
         }
     }
 
-    private boolean isCallerSameApp(String packageName) {
+    private boolean isCallerSameApp(String packageName, int uid) {
         PackageParser.Package pkg = mPackages.get(packageName);
         return pkg != null
-                && UserHandle.getAppId(Binder.getCallingUid()) == pkg.applicationInfo.uid;
+                && UserHandle.getAppId(uid) == pkg.applicationInfo.uid;
     }
 
     @Override
@@ -23176,6 +23190,21 @@
             return resolveIntentInternal(
                     intent, resolvedType, flags, userId, true /*includeInstantApp*/);
         }
+
+
+        @Override
+        public void addIsolatedUid(int isolatedUid, int ownerUid) {
+            synchronized (mPackages) {
+                mIsolatedOwners.put(isolatedUid, ownerUid);
+            }
+        }
+
+        @Override
+        public void removeIsolatedUid(int isolatedUid) {
+            synchronized (mPackages) {
+                mIsolatedOwners.delete(isolatedUid);
+            }
+        }
     }
 
     @Override