Fix uri permission grant on remote bug report uri
System server is no longer allowed to grant uri permission directly. As a result
we use grantUriPermissionFromIntent() to grant permission from the shell UID,
who is the owner of the bug report content.
Also fix a security bug where the broadcast to notify user consent of remote
bug report mismatches the <protected-broadcast> definition, causing it to be
sendable by anyone.
Bug: 34159108
Test: manual - Install TestDPC and request bugreport, try accept and decline
once the report is ready (Bullhead).
Change-Id: I66e3f2a16d4547549f09d3c96d52aed2330caedf
diff --git a/core/java/android/app/admin/DevicePolicyManager.java b/core/java/android/app/admin/DevicePolicyManager.java
index 52d7386..d5d3449 100644
--- a/core/java/android/app/admin/DevicePolicyManager.java
+++ b/core/java/android/app/admin/DevicePolicyManager.java
@@ -377,7 +377,7 @@
* @hide
*/
public static final String ACTION_BUGREPORT_SHARING_ACCEPTED =
- "com.android.server.action.BUGREPORT_SHARING_ACCEPTED";
+ "com.android.server.action.REMOTE_BUGREPORT_SHARING_ACCEPTED";
/**
* Action: Bugreport sharing with device owner has been declined by the user.
@@ -385,7 +385,7 @@
* @hide
*/
public static final String ACTION_BUGREPORT_SHARING_DECLINED =
- "com.android.server.action.BUGREPORT_SHARING_DECLINED";
+ "com.android.server.action.REMOTE_BUGREPORT_SHARING_DECLINED";
/**
* Action: Bugreport has been collected and is dispatched to {@code DevicePolicyManagerService}.
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index 3c1d274..2281140 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -60,6 +60,7 @@
import android.annotation.UserIdInt;
import android.app.Activity;
import android.app.ActivityManager;
+import android.app.ActivityManagerInternal;
import android.app.AlarmManager;
import android.app.AppGlobals;
import android.app.IActivityManager;
@@ -6151,8 +6152,12 @@
intent.setComponent(mOwners.getDeviceOwnerComponent());
intent.setDataAndType(bugreportUri, RemoteBugreportUtils.BUGREPORT_MIMETYPE);
intent.putExtra(DeviceAdminReceiver.EXTRA_BUGREPORT_HASH, bugreportHash);
- mContext.grantUriPermission(mOwners.getDeviceOwnerComponent().getPackageName(),
- bugreportUri, Intent.FLAG_GRANT_READ_URI_PERMISSION);
+ intent.setFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
+
+ LocalServices.getService(ActivityManagerInternal.class)
+ .grantUriPermissionFromIntent(Process.SHELL_UID,
+ mOwners.getDeviceOwnerComponent().getPackageName(),
+ intent, mOwners.getDeviceOwnerUserId());
mContext.sendBroadcastAsUser(intent, UserHandle.of(mOwners.getDeviceOwnerUserId()));
}
} catch (FileNotFoundException e) {