commit 620e36871ec2b516ae92a62f6e3e08d2b85274bc
author Hui Yu <huiyu@google.com> Sat May 07 21:43:23 2022 -0700
committer Bharath <bharath@fairphone.com> Wed Jul 13 20:13:09 2022 +0530
tree 0e9f438d36f2b4c53c93569083e8053b943abfd9
parent 52bcd222e64ccf98c45ca882f80e3f1f65138b52

Make sure callingPackage belongs to callingUid when checking BG-FGS restrictions.

This is to stop spoofed packageName to pretend to be allowListed
packageName so it can bypass the BG-FGS restriction. This applies to
both BG-FGS while-in-use restriction and BG-FGS-start restriction
since these two restrictions are related.

Bug: 216695100
Bug: 215003903
Test: atest cts/tests/app/src/android/app/cts/ActivityManagerFgsBgStartTest.java#testSpoofPackageName
Change-Id: Ic14fc331a9b5fbdbcfe6e54a31c8b765513bfd89
Merged-In: Ic14fc331a9b5fbdbcfe6e54a31c8b765513bfd89
BYPASS_INCLUSIVE_LANGUAGE_REASON=Legacy API
(cherry picked from commit 023509e4871c0dafb842dc812bfa62e8d59cbfae)
Merged-In: Ic14fc331a9b5fbdbcfe6e54a31c8b765513bfd89

services/core/java/com/android/server/am/ActiveServices.java

diff --git a/services/core/java/com/android/server/am/ActiveServices.java b/services/core/java/com/android/server/am/ActiveServices.java
index c82a45f..3781ffa 100644
--- a/services/core/java/com/android/server/am/ActiveServices.java
+++ b/services/core/java/com/android/server/am/ActiveServices.java
@@ -4983,10 +4983,17 @@
             return true;
         }
 
-        final boolean isWhiteListedPackage =
-                mWhiteListAllowWhileInUsePermissionInFgs.contains(callingPackage);
-        if (isWhiteListedPackage) {
-            return true;
+
+        if (verifyPackage(callingPackage, callingUid)) { 
+            final boolean isWhiteListedPackage = 
+                    mWhiteListAllowWhileInUsePermissionInFgs.contains(callingPackage);
+            if (isWhiteListedPackage) {
+                return true;
+            }
+        } else {
+            EventLog.writeEvent(0x534e4554, "215003903", callingUid,
+                    "callingPackage:" + callingPackage + " does not belong to callingUid:"
+                    + callingUid);
         }
 
         // Is the calling UID a device owner app?
@@ -5025,4 +5032,21 @@
         r.mAllowWhileInUsePermissionInFgs = false;
         r.mLastSetFgsRestrictionTime = 0;
     }
+
+    /**
+     * Checks if a given packageName belongs to a given uid.
+     * @param packageName the package of the caller
+     * @param uid the uid of the caller
+     * @return true or false
+     */
+    private boolean verifyPackage(String packageName, int uid) {
+        if (uid == ROOT_UID || uid == SYSTEM_UID) {
+            //System and Root are always allowed
+            return true;
+        }
+        final int userId = UserHandle.getUserId(uid);
+        final int packageUid = mAm.getPackageManagerInternalLocked()
+                .getPackageUid(packageName, PackageManager.MATCH_DEBUG_TRIAGED_MISSING, userId);
+        return UserHandle.isSameApp(uid, packageUid);
+    }
 }