commit b8839dd35723235469a4e805682378c84f50a4fb
author Dianne Hackborn <hackbod@google.com> Tue Sep 04 10:55:44 2012 -0700
committer Dianne Hackborn <hackbod@google.com> Tue Sep 04 12:11:21 2012 -0700
tree 9d17b1b72650ec1beae76b71ca8a85e5d59801a9
parent b788556bfde48c1f94c46bda4f4b8d576d5cfb81

Fix issue #7097984 java.lang.SecurityException: Permission Denial:

broadcast asks to run as user -1 but is calling from user 0; this requires

Also improve part of issue #7087789: Local denial of service via
low-permissioned apps

No longer allow closeSystemDialogs() from background processes.

Change-Id: I752d5a1d51be0b69fde6999d6659835e5bde3efe

services/java/com/android/server/am/ActivityManagerService.java

diff --git a/services/java/com/android/server/am/ActivityManagerService.java b/services/java/com/android/server/am/ActivityManagerService.java
index 3c379d17..db2ec5b 100644
--- a/services/java/com/android/server/am/ActivityManagerService.java
+++ b/services/java/com/android/server/am/ActivityManagerService.java
@@ -153,7 +153,6 @@
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
-import java.util.Map.Entry;
 import java.util.Set;
 import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.concurrent.atomic.AtomicLong;
@@ -3571,15 +3570,32 @@
     public void closeSystemDialogs(String reason) {
         enforceNotIsolatedCaller("closeSystemDialogs");
 
+        final int pid = Binder.getCallingPid();
         final int uid = Binder.getCallingUid();
         final long origId = Binder.clearCallingIdentity();
-        synchronized (this) {
-            closeSystemDialogsLocked(uid, reason);
+        try {
+            synchronized (this) {
+                // Only allow this from foreground processes, so that background
+                // applications can't abuse it to prevent system UI from being shown.
+                if (uid >= Process.FIRST_APPLICATION_UID) {
+                    ProcessRecord proc;
+                    synchronized (mPidsSelfLocked) {
+                        proc = mPidsSelfLocked.get(pid);
+                    }
+                    if (proc.curRawAdj > ProcessList.PERCEPTIBLE_APP_ADJ) {
+                        Slog.w(TAG, "Ignoring closeSystemDialogs " + reason
+                                + " from background process " + proc);
+                        return;
+                    }
+                }
+                closeSystemDialogsLocked(reason);
+            }
+        } finally {
+            Binder.restoreCallingIdentity(origId);
         }
-        Binder.restoreCallingIdentity(origId);
     }
 
-    void closeSystemDialogsLocked(int callingUid, String reason) {
+    void closeSystemDialogsLocked(String reason) {
         Intent intent = new Intent(Intent.ACTION_CLOSE_SYSTEM_DIALOGS);
         intent.addFlags(Intent.FLAG_RECEIVER_REGISTERED_ONLY);
         if (reason != null) {
@@ -3595,14 +3611,9 @@
             }
         }
 
-        final long origId = Binder.clearCallingIdentity();
-        try {
-            broadcastIntentLocked(null, null, intent, null,
-                    null, 0, null, null, null, false, false, -1,
-                    callingUid, UserHandle.USER_ALL);
-        } finally {
-            Binder.restoreCallingIdentity(origId);
-        }
+        broadcastIntentLocked(null, null, intent, null,
+                null, 0, null, null, null, false, false, -1,
+                Process.SYSTEM_UID, UserHandle.USER_ALL);
     }
 
     public Debug.MemoryInfo[] getProcessMemoryInfo(int[] pids)