Fix a security check in getting app restrictions
Change-Id: I02fbab8765d3f8646d0fe62ee867566d1d14707d
diff --git a/services/java/com/android/server/pm/UserManagerService.java b/services/java/com/android/server/pm/UserManagerService.java
index aa1b2ff..3ef9370 100644
--- a/services/java/com/android/server/pm/UserManagerService.java
+++ b/services/java/com/android/server/pm/UserManagerService.java
@@ -963,7 +963,7 @@
@Override
public List<RestrictionEntry> getApplicationRestrictions(String packageName, int userId) {
if (UserHandle.getCallingUserId() != userId
- || Binder.getCallingUid() != getUidForPackage(packageName)) {
+ || !UserHandle.isSameApp(Binder.getCallingUid(), getUidForPackage(packageName))) {
checkManageUsersPermission("Only system can get restrictions for other users/apps");
}
synchronized (mPackagesLock) {
@@ -976,7 +976,7 @@
public void setApplicationRestrictions(String packageName, List<RestrictionEntry> entries,
int userId) {
if (UserHandle.getCallingUserId() != userId
- || Binder.getCallingUid() != getUidForPackage(packageName)) {
+ || !UserHandle.isSameApp(Binder.getCallingUid(), getUidForPackage(packageName))) {
checkManageUsersPermission("Only system can set restrictions for other users/apps");
}
synchronized (mPackagesLock) {
@@ -986,11 +986,14 @@
}
private int getUidForPackage(String packageName) {
+ long ident = Binder.clearCallingIdentity();
try {
return mContext.getPackageManager().getApplicationInfo(packageName,
PackageManager.GET_UNINSTALLED_PACKAGES).uid;
} catch (NameNotFoundException nnfe) {
return -1;
+ } finally {
+ Binder.restoreCallingIdentity(ident);
}
}