Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / frameworks / base / a5333b952837a880262121174b60809a82ab00dc^! / .
commita5333b952837a880262121174b60809a82ab00dc[log] [tgz]
authorAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>Mon Mar 16 15:48:50 2020 +0000
committerCody Kesting <ckesting@google.com>Tue Mar 17 00:21:50 2020 -0700
treec7c5ed085c742c6ff21e1776395f2be0f8ccac6c
parent9347e33557713af56b3ef3f83fdee4ed6c55ac90 [diff]
Protect ConnectivityService from SecurityException in permission check.

ConnectivityService currently calls
LocationPermissionChecker#checkLocationPermission. This method call
throws a SecurityException if the given package name and UID do not
match. This permission check is made from the ConnectivityService
Thread, so any Exception being thrown will crash the SystemServer. This
is not acceptable, so surround the permission check in a try-catch in
case any SecurityExceptions are thrown.

Bug: 149119324
Test: atest ConnectivityServiceTest
Change-Id: Ibe2874f2a5249432270aa1b9eb7d004bbba35ac2
Merged-In: Ibe2874f2a5249432270aa1b9eb7d004bbba35ac2
(cherry picked from commit 9eacc855b63b36f5b937e703b20d4b0bb077ab75)

diff --git a/services/core/java/com/android/server/ConnectivityService.java b/services/core/java/com/android/server/ConnectivityService.java
index 62ea862..deae459 100644
--- a/services/core/java/com/android/server/ConnectivityService.java
+++ b/services/core/java/com/android/server/ConnectivityService.java

@@ -7892,8 +7892,15 @@
             return true;
         }
 
-        if (!mLocationPermissionChecker.checkLocationPermission(
-                callbackPackageName, null /* featureId */, callbackUid, null /* message */)) {
+        // LocationPermissionChecker#checkLocationPermission can throw SecurityException if the uid
+        // and package name don't match. Throwing on the CS thread is not acceptable, so wrap the
+        // call in a try-catch.
+        try {
+            if (!mLocationPermissionChecker.checkLocationPermission(
+                    callbackPackageName, null /* featureId */, callbackUid, null /* message */)) {
+                return false;
+            }
+        } catch (SecurityException e) {
             return false;
         }
 

diff --git a/tests/net/java/com/android/server/ConnectivityServiceTest.java b/tests/net/java/com/android/server/ConnectivityServiceTest.java
index de8bf3c..c21772a 100644
--- a/tests/net/java/com/android/server/ConnectivityServiceTest.java
+++ b/tests/net/java/com/android/server/ConnectivityServiceTest.java

@@ -6789,6 +6789,26 @@
     }
 
     @Test
+    public void testCheckConnectivityDiagnosticsPermissionsWrongUidPackageName() throws Exception {
+        final NetworkAgentInfo naiWithoutUid =
+                new NetworkAgentInfo(
+                        null, null, null, null, null, new NetworkCapabilities(), 0,
+                        mServiceContext, null, null, mService, null, null, null, 0);
+
+        mServiceContext.setPermission(android.Manifest.permission.NETWORK_STACK, PERMISSION_DENIED);
+
+        try {
+            assertFalse(
+                    "Mismatched uid/package name should not pass the location permission check",
+                    mService.checkConnectivityDiagnosticsPermissions(
+                            Process.myPid() + 1, Process.myUid() + 1, naiWithoutUid,
+                            mContext.getOpPackageName()));
+        } catch (SecurityException e) {
+            fail("checkConnectivityDiagnosticsPermissions shouldn't surface a SecurityException");
+        }
+    }
+
+    @Test
     public void testCheckConnectivityDiagnosticsPermissionsNoLocationPermission() throws Exception {
         final NetworkAgentInfo naiWithoutUid =
                 new NetworkAgentInfo(