Make sure callingPackage belongs to callingUid when checking BG-FGS restrictions.
This is to stop spoofed packageName to pretend to be allowListed
packageName so it can bypass the BG-FGS restriction. This applies to
both BG-FGS while-in-use restriction and BG-FGS-start restriction
since these two restrictions are related.
Bug: 216695100
Bug: 215003903
Test: atest cts/tests/app/src/android/app/cts/ActivityManagerFgsBgStartTest.java#testSpoofPackageName
Change-Id: Ic14fc331a9b5fbdbcfe6e54a31c8b765513bfd89
Merged-In: Ic14fc331a9b5fbdbcfe6e54a31c8b765513bfd89
BYPASS_INCLUSIVE_LANGUAGE_REASON=Legacy API
(cherry picked from commit 023509e4871c0dafb842dc812bfa62e8d59cbfae)
Merged-In: Ic14fc331a9b5fbdbcfe6e54a31c8b765513bfd89
diff --git a/services/core/java/com/android/server/am/ActiveServices.java b/services/core/java/com/android/server/am/ActiveServices.java
index c82a45f..3781ffa 100644
--- a/services/core/java/com/android/server/am/ActiveServices.java
+++ b/services/core/java/com/android/server/am/ActiveServices.java
@@ -4983,10 +4983,17 @@
return true;
}
- final boolean isWhiteListedPackage =
- mWhiteListAllowWhileInUsePermissionInFgs.contains(callingPackage);
- if (isWhiteListedPackage) {
- return true;
+
+ if (verifyPackage(callingPackage, callingUid)) {
+ final boolean isWhiteListedPackage =
+ mWhiteListAllowWhileInUsePermissionInFgs.contains(callingPackage);
+ if (isWhiteListedPackage) {
+ return true;
+ }
+ } else {
+ EventLog.writeEvent(0x534e4554, "215003903", callingUid,
+ "callingPackage:" + callingPackage + " does not belong to callingUid:"
+ + callingUid);
}
// Is the calling UID a device owner app?
@@ -5025,4 +5032,21 @@
r.mAllowWhileInUsePermissionInFgs = false;
r.mLastSetFgsRestrictionTime = 0;
}
+
+ /**
+ * Checks if a given packageName belongs to a given uid.
+ * @param packageName the package of the caller
+ * @param uid the uid of the caller
+ * @return true or false
+ */
+ private boolean verifyPackage(String packageName, int uid) {
+ if (uid == ROOT_UID || uid == SYSTEM_UID) {
+ //System and Root are always allowed
+ return true;
+ }
+ final int userId = UserHandle.getUserId(uid);
+ final int packageUid = mAm.getPackageManagerInternalLocked()
+ .getPackageUid(packageName, PackageManager.MATCH_DEBUG_TRIAGED_MISSING, userId);
+ return UserHandle.isSameApp(uid, packageUid);
+ }
}