Lock down IInputMethodManager#shellCommand() based on caller UID
This is part of our on-going effort to review caller verifications in
InputMethodManagerService (IMMS).
In Android P, IMMS started relying on IBinder#shellCommand() to
implement 'adb shell ime' command [1]. When handling incoming
request, following caller verifications are used depending on the
command type.
* IMMS#calledFromValidUserLocked()
* This can be bypassed with INTERACT_ACROSS_USERS_FULL permission
* WRITE_SECURE_SETTINGS permission
From the viewpoint of caller verification, this is basically the same
as how commands like 'adb shell ime' were handled before
IBinder#shellCommand().
What this CL aims to do is adding one more foolproof to this protocol.
Given that all commands exposed via IInputMethodManager#shellCommand()
are intended to be used only from "shell" environment, it is most
likely safe to reject any request from non-shell users. With this
additional restriction, even if some caller verification was
accidentally missed in those shell commands such a security hole would
not be exposed to random applications.
[1]: I9a2dbbf1d4494addbe22c82e2c416eedc4d585f2
926488d70d09baefee0489537b2915602deaeebf
Bug: 34886274
Fix: 121989657
Test: Following commands still work, before/after "adb shell root"
* adb shell ime
* adb shell ime list
* adb shell ime set com.android.inputmethod.latin/.LatinIME
* adb shell cmd input_method
* adb shell cmd input_method refresh_debug_properties
* adb shell dumpsys input_method
Test: atest CtsInputMethodTestCases CtsInputMethodServiceHostTestCases
Change-Id: If87189563ccaacd4f9c666bab4f9ad08a9343084
1 file changed