commit ef9acb6ed97ececa4c8554adb693ec948a963db1
author Todd Kennedy <toddke@google.com> Tue May 29 15:18:06 2018 -0700
committer Todd Kennedy <toddke@google.com> Wed May 30 13:56:17 2018 -0700
tree 88965c52e964c34056ba99735d7f2a66577c45fc
parent e3348a25935099838a917cf4556c4dccc714e0ef

Ensure permission held for MATCH_KNOWN_PACKAGES

There's an escape clause that passes the cross user permissions
if the caller UID is identical to the target user ID [eg. we're not
operating across users]. However, the method getInstalledPackagesList()
uses android.permission.INTERACT_ACROSS_USERS to filter the results and
a calling UID check is not sufficient. Ensuure the permission is
actually held, regardless of the calling UID or target user.

Change-Id: Iebf88668766d387a15246d6eea6420610665105a
Fixes: 80435086
Test: atest CtsAppSecurityHostTestCases:ApplicationVisibilityTest

services/core/java/com/android/server/pm/permission/PermissionManagerService.java

diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
index 36fc120..c51a724 100644
--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
@@ -1381,7 +1381,9 @@
                 "grantRuntimePermission");
 
         enforceCrossUserPermission(callingUid, userId,
-                true /* requireFullPermission */, true /* checkShell */,
+                true,  // requireFullPermission
+                true,  // checkShell
+                false, // requirePermissionWhenSameUser
                 "grantRuntimePermission");
 
         final PackageParser.Package pkg = mPackageManagerInt.getPackage(packageName);
@@ -1501,7 +1503,9 @@
                 "revokeRuntimePermission");
 
         enforceCrossUserPermission(Binder.getCallingUid(), userId,
-                true /* requireFullPermission */, true /* checkShell */,
+                true,  // requireFullPermission
+                true,  // checkShell
+                false, // requirePermissionWhenSameUser
                 "revokeRuntimePermission");
 
         final int appId;
@@ -1658,7 +1662,9 @@
         enforceGrantRevokeRuntimePermissionPermissions("getPermissionFlags");
 
         enforceCrossUserPermission(callingUid, userId,
-                true /* requireFullPermission */, false /* checkShell */,
+                true,  // requireFullPermission
+                false, // checkShell
+                false, // requirePermissionWhenSameUser
                 "getPermissionFlags");
 
         final PackageParser.Package pkg = mPackageManagerInt.getPackage(packageName);
@@ -1849,7 +1855,9 @@
         enforceGrantRevokeRuntimePermissionPermissions("updatePermissionFlags");
 
         enforceCrossUserPermission(callingUid, userId,
-                true /* requireFullPermission */, true /* checkShell */,
+                true,  // requireFullPermission
+                true,  // checkShell
+                false, // requirePermissionWhenSameUser
                 "updatePermissionFlags");
 
         // Only the system can change these flags and nothing else.
@@ -1904,7 +1912,9 @@
         enforceGrantRevokeRuntimePermissionPermissions(
                 "updatePermissionFlagsForAllApps");
         enforceCrossUserPermission(callingUid, userId,
-                true /* requireFullPermission */, true /* checkShell */,
+                true,  // requireFullPermission
+                true,  // checkShell
+                false, // requirePermissionWhenSameUser
                 "updatePermissionFlagsForAllApps");
 
         // Only the system can change system fixed flags.
@@ -1944,7 +1954,8 @@
      * @param message the message to log on security exception
      */
     private void enforceCrossUserPermission(int callingUid, int userId,
-            boolean requireFullPermission, boolean checkShell, String message) {
+            boolean requireFullPermission, boolean checkShell,
+            boolean requirePermissionWhenSameUser, String message) {
         if (userId < 0) {
             throw new IllegalArgumentException("Invalid userId " + userId);
         }
@@ -1952,7 +1963,7 @@
             PackageManagerServiceUtils.enforceShellRestriction(
                     UserManager.DISALLOW_DEBUGGING_FEATURES, callingUid, userId);
         }
-        if (userId == UserHandle.getUserId(callingUid)) return;
+        if (!requirePermissionWhenSameUser && userId == UserHandle.getUserId(callingUid)) return;
         if (callingUid != Process.SYSTEM_UID && callingUid != Process.ROOT_UID) {
             if (requireFullPermission) {
                 mContext.enforceCallingOrSelfPermission(
@@ -2139,7 +2150,14 @@
         public void enforceCrossUserPermission(int callingUid, int userId,
                 boolean requireFullPermission, boolean checkShell, String message) {
             PermissionManagerService.this.enforceCrossUserPermission(callingUid, userId,
-                    requireFullPermission, checkShell, message);
+                    requireFullPermission, checkShell, false, message);
+        }
+        @Override
+        public void enforceCrossUserPermission(int callingUid, int userId,
+                boolean requireFullPermission, boolean checkShell,
+                boolean requirePermissionWhenSameUser, String message) {
+            PermissionManagerService.this.enforceCrossUserPermission(callingUid, userId,
+                    requireFullPermission, checkShell, requirePermissionWhenSameUser, message);
         }
         @Override
         public void enforceGrantRevokeRuntimePermissionPermissions(String message) {