commit b0613dceb0db9d75edc19f104af4cd198745d991
author Jeff Sharkey <jsharkey@android.com> Tue Feb 27 14:38:04 2018 -0700
committer Jeff Sharkey <jsharkey@google.com> Wed Feb 28 23:06:04 2018 +0000
tree 40d06795612dbd57c457e739a56b7b81c861774b
parent d0f517b9df46926d803c7d9963c70791b2af1c01

Force loading of safe labels in system_server.

It's too easy for code to accidentally use loadLabel() when building
strings for security sensitive contexts, so add ability for a process
to always force loading of safe strings.

Test: builds, boots
Bug: 73657770
Change-Id: I1c7645bd7bebed0cfb6bc3e5bfd36c8cb11d4838

core/java/android/content/pm/PackageItemInfo.java

diff --git a/core/java/android/content/pm/PackageItemInfo.java b/core/java/android/content/pm/PackageItemInfo.java
index 2c0c6ad0..53ffd55 100644
--- a/core/java/android/content/pm/PackageItemInfo.java
+++ b/core/java/android/content/pm/PackageItemInfo.java
@@ -43,6 +43,14 @@
  */
 public class PackageItemInfo {
     private static final float MAX_LABEL_SIZE_PX = 500f;
+
+    private static volatile boolean sForceSafeLabels = false;
+
+    /** {@hide} */
+    public static void setForceSafeLabels(boolean forceSafeLabels) {
+        sForceSafeLabels = forceSafeLabels;
+    }
+
     /**
      * Public name of this item. From the "android:name" attribute.
      */
@@ -128,7 +136,16 @@
      * @return Returns a CharSequence containing the item's label.  If the
      * item does not have a label, its name is returned.
      */
-    public CharSequence loadLabel(PackageManager pm) {
+    public @NonNull CharSequence loadLabel(@NonNull PackageManager pm) {
+        if (sForceSafeLabels) {
+            return loadSafeLabel(pm);
+        } else {
+            return loadUnsafeLabel(pm);
+        }
+    }
+
+    /** {@hide} */
+    public CharSequence loadUnsafeLabel(PackageManager pm) {
         if (nonLocalizedLabel != null) {
             return nonLocalizedLabel;
         }
@@ -163,7 +180,7 @@
     @SystemApi
     public @NonNull CharSequence loadSafeLabel(@NonNull PackageManager pm) {
         // loadLabel() always returns non-null
-        String label = loadLabel(pm).toString();
+        String label = loadUnsafeLabel(pm).toString();
         // strip HTML tags to avoid <br> and other tags overwriting original message
         String labelStr = Html.fromHtml(label).toString();
 

services/java/com/android/server/SystemServer.java

diff --git a/services/java/com/android/server/SystemServer.java b/services/java/com/android/server/SystemServer.java
index 5b5de0e..ccfadc0 100644
--- a/services/java/com/android/server/SystemServer.java
+++ b/services/java/com/android/server/SystemServer.java
@@ -23,6 +23,7 @@
 import android.content.ContentResolver;
 import android.content.Context;
 import android.content.Intent;
+import android.content.pm.PackageItemInfo;
 import android.content.pm.PackageManager;
 import android.content.res.Configuration;
 import android.content.res.Resources.Theme;
@@ -331,6 +332,8 @@
 
             // The system server should never make non-oneway calls
             Binder.setWarnOnBlocking(true);
+            // The system server should always load safe labels
+            PackageItemInfo.setForceSafeLabels(true);
             // Deactivate SQLiteCompatibilityWalFlags until settings provider is initialized
             SQLiteCompatibilityWalFlags.init(null);