diff options
| author | 2021-04-28 11:59:33 +0100 | |
|---|---|---|
| committer | 2021-04-29 13:36:57 +0100 | |
| commit | 2c09c34140445973b9170dc1430790d35031ad0d (patch) | |
| tree | 784a9685289bca0f3ebae8bb444c96a3ca757809 | |
| parent | 3e7a628f0fba7c8b8f0dddc41dd061bd876a9c02 (diff) | |
Fix security vulnerability in DPMS#isProvisioningAllowed
isProvisioningAllowed was calling packageManager#getPackageUidAsUser for
the provided packageName to compare against the callerUid, this call
throws a NameNotFoundException if the package isn't installed. This allows the caller to identify if an package is installed or not without holding the QUERY_ALL_PACKAGES permission.
This is now changed to call packageManager#getPackagesForUid for the calling uid and comparing it against the provided packageName.
If an uninstalled package is provided, it will now fail with a general
error message "Caller uid doesn't match the one for the provided package."
Test: Confirmed that the PoC app can no longer query which packages are
installed
Test: atest com.android.cts.devicepolicy.CustomManagedProfileTest#testIsProvisioningAllowed
Bug: 184525395
Change-Id: I13135d941f4944b4313ab2a2b20f1af30a5880a5
| -rw-r--r-- | services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java | 8 | ||||
| -rw-r--r-- | services/tests/servicestests/src/com/android/server/devicepolicy/DpmTestBase.java | 2 |
2 files changed, 5 insertions, 5 deletions
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java index d9fa47135111..26b3e93eee42 100644 --- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java @@ -13311,12 +13311,10 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { final CallerIdentity caller = getCallerIdentity(); final long ident = mInjector.binderClearCallingIdentity(); try { - final int uidForPackage = mInjector.getPackageManager().getPackageUidAsUser( - packageName, caller.getUserId()); - Preconditions.checkArgument(caller.getUid() == uidForPackage, + final List<String> callerUidPackageNames = Arrays.asList( + mInjector.getPackageManager().getPackagesForUid(caller.getUid())); + Preconditions.checkArgument(callerUidPackageNames.contains(packageName), "Caller uid doesn't match the one for the provided package."); - } catch (NameNotFoundException e) { - throw new IllegalArgumentException("Invalid package provided " + packageName, e); } finally { mInjector.binderRestoreCallingIdentity(ident); } diff --git a/services/tests/servicestests/src/com/android/server/devicepolicy/DpmTestBase.java b/services/tests/servicestests/src/com/android/server/devicepolicy/DpmTestBase.java index 81570a10fc13..fe0df5818651 100644 --- a/services/tests/servicestests/src/com/android/server/devicepolicy/DpmTestBase.java +++ b/services/tests/servicestests/src/com/android/server/devicepolicy/DpmTestBase.java @@ -253,6 +253,8 @@ public abstract class DpmTestBase { doReturn(new String[] {admin.getPackageName()}).when(mServices.ipackageManager) .getPackagesForUid(eq(packageUid)); + doReturn(new String[] {admin.getPackageName()}).when(mServices.packageManager) + .getPackagesForUid(eq(packageUid)); // Set up getPackageInfo(). markPackageAsInstalled(admin.getPackageName(), ai, UserHandle.getUserId(packageUid)); } |