Bind to screenshot service for current user.

Let apps bindService() across user boundaries if they hold the
INTERACT_ACROSS_USERS_FULL permission.

Bug: 7012034
Change-Id: I2047d8318e1de47bfae7470d1dbc6fe5cfe44fdc

2 files changed, 21 insertions, 2 deletions

diff --git a/policy/src/com/android/internal/policy/impl/PhoneWindowManager.java b/policy/src/com/android/internal/policy/impl/PhoneWindowManager.java
index 209ad38b24f5..ab857f38d662 100755
--- a/policy/src/com/android/internal/policy/impl/PhoneWindowManager.java
+++ b/policy/src/com/android/internal/policy/impl/PhoneWindowManager.java
@@ -3134,7 +3134,8 @@ public class PhoneWindowManager implements WindowManagerPolicy {
                 @Override
                 public void onServiceDisconnected(ComponentName name) {}
             };
-            if (mContext.bindService(intent, conn, Context.BIND_AUTO_CREATE)) {
+            if (mContext.bindService(
+                    intent, conn, Context.BIND_AUTO_CREATE, UserHandle.USER_CURRENT)) {
                 mScreenshotConnection = conn;
                 mHandler.postDelayed(mScreenshotTimeout, 10000);
             }
diff --git a/services/java/com/android/server/am/ActivityManagerService.java b/services/java/com/android/server/am/ActivityManagerService.java
index 6e4759d31ab7..c14563e2a6c0 100644
--- a/services/java/com/android/server/am/ActivityManagerService.java
+++ b/services/java/com/android/server/am/ActivityManagerService.java
@@ -10673,7 +10673,25 @@ public final class ActivityManagerService extends ActivityManagerNative
             throw new IllegalArgumentException("File descriptors passed in Intent");
         }
 
-        checkValidCaller(Binder.getCallingUid(), userId);
+        if (userId != UserHandle.getCallingUserId()) {
+            // Requesting a different user, make sure that they have permission
+            if (checkComponentPermission(
+                    android.Manifest.permission.INTERACT_ACROSS_USERS_FULL,
+                    Binder.getCallingPid(), Binder.getCallingUid(), -1, true)
+                    == PackageManager.PERMISSION_GRANTED) {
+                // Translate to the current user id, if caller wasn't aware
+                if (userId == UserHandle.USER_CURRENT) {
+                    userId = mCurrentUserId;
+                }
+            } else {
+                String msg = "Permission Denial: Request to bindService as user " + userId
+                        + " but is calling from user " + UserHandle.getCallingUserId()
+                        + "; this requires "
+                        + android.Manifest.permission.INTERACT_ACROSS_USERS_FULL;
+                Slog.w(TAG, msg);
+                throw new SecurityException(msg);
+            }
+        }
 
         synchronized(this) {
             return mServices.bindServiceLocked(caller, token, service, resolvedType,