Ensure calling user is the same as requested user.

This prevents any cross-user requests. Cross-user requests are already
not allowed, but only because of a bug elsewhere in the code. This change
handles the case intentionally and also throws a SecurityException.

Bug: 193903221
Test: presubmit
Test: manually checked cross-user requests get an exception.
Change-Id: I5bd867b86b972452daa2d8253f3c19f059a8a4b3
diff --git a/service/java/com/android/server/appsearch/AppSearchManagerService.java b/service/java/com/android/server/appsearch/AppSearchManagerService.java
index 666d497..1d66beb 100644
--- a/service/java/com/android/server/appsearch/AppSearchManagerService.java
+++ b/service/java/com/android/server/appsearch/AppSearchManagerService.java
@@ -18,7 +18,6 @@
 import static android.app.appsearch.AppSearchResult.throwableToFailedResult;
 import static android.os.Process.INVALID_UID;
 
-import android.Manifest;
 import android.annotation.ElapsedRealtimeLong;
 import android.annotation.NonNull;
 import android.app.appsearch.AppSearchBatchResult;
@@ -1354,43 +1353,26 @@
     /**
      * Helper for dealing with incoming user arguments to system service calls.
      *
-     * <p>Takes care of checking permissions and converting USER_CURRENT to the actual current user.
-     *
      * @param requestedUser The user which the caller is requesting to execute as.
      * @param callingUid The actual uid of the caller as determined by Binder.
      * @return the user handle that the call should run as. Will always be a concrete user.
      */
     @NonNull
     private UserHandle handleIncomingUser(@NonNull UserHandle requestedUser, int callingUid) {
-        int callingPid = Binder.getCallingPid();
         UserHandle callingUser = UserHandle.getUserHandleForUid(callingUid);
         if (callingUser.equals(requestedUser)) {
             return requestedUser;
         }
+
         // Duplicates UserController#ensureNotSpecialUser
         if (requestedUser.getIdentifier() < 0) {
             throw new IllegalArgumentException(
                     "Call does not support special user " + requestedUser);
         }
-        boolean canInteractAcrossUsers = mContext.checkPermission(
-                Manifest.permission.INTERACT_ACROSS_USERS,
-                callingPid,
-                callingUid) == PackageManager.PERMISSION_GRANTED;
-        if (!canInteractAcrossUsers) {
-            canInteractAcrossUsers = mContext.checkPermission(
-                    Manifest.permission.INTERACT_ACROSS_USERS_FULL,
-                    callingPid,
-                    callingUid) == PackageManager.PERMISSION_GRANTED;
-        }
-        if (canInteractAcrossUsers) {
-            return requestedUser;
-        }
+
         throw new SecurityException(
-                "Permission denied while calling from uid " + callingUid
-                        + " with " + requestedUser + "; Need to run as either the calling user ("
-                        + callingUser + "), or with one of the following permissions: "
-                        + Manifest.permission.INTERACT_ACROSS_USERS + " or "
-                        + Manifest.permission.INTERACT_ACROSS_USERS_FULL);
+                "Requested user, " + requestedUser + ", is not the same as the calling user, "
+                        + callingUser + ".");
     }
 
     /**
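Review bot: The Javadoc on handleIncomingUser no longer states the contract the new body enforces: it still reads as a generic "helper for dealing with incoming user arguments" with only an `@return`, although the method now rejects every requestedUser other than the caller's own. Since the commit message says the earlier denial was accidental, the doc should make the intent explicit, e.g. `@throws SecurityException if requestedUser is not the user that callingUid belongs to` and `@throws IllegalArgumentException if requestedUser is a special user (negative identifier)`. Note that the special-user check now only selects the exception type, so a request for a special handle is reported as an argument error rather than a security denial; a short comment saying whether that ordering is deliberate would help the next reader. The commit lists only a manual check for the cross-user case, so an automated test asserting the SecurityException for a mismatched user would keep this boundary from regressing silently again.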