author Jeff Sharkey <jsharkey@android.com> 2016-11-21 10:33:54 -0700
committer Jeff Sharkey <jsharkey@google.com> 2017-02-02 07:12:41 +0000
commit6f13f73b7332a86adb61dd23a725d36e5a9537d9 (patch)
tree4c3c4f2a56e836841b9954c551f14963fabcbef5
parent63a27d773b201fc56fdf2b13934ff499c391ca5f (diff)
DO NOT MERGE. No direct Uri grants from system.
The system should never be extending Uri permission grants from itself, since it automatically holds all the permissions. Instead, the system should always be a mediator between two specific apps, and it should be using startActivityAsCaller() if it needs to extend permissions. Blocking at this level fixes an entire class of confused-deputy security issues. Test: builds, normal intent resolution UI works Bug: 33019296, 32990341, 32879915, 32879772 Change-Id: Iaa57c393a386d8068e807d0dd0caccc89d8a11db
-rwxr-xr-xservices/core/java/com/android/server/am/ActivityManagerService.java7
1 files changed, 6 insertions, 1 deletions
diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
index 5805fb356b83..6bb1ebfae5e3 100755
--- a/services/core/java/com/android/server/am/ActivityManagerService.java
+++ b/services/core/java/com/android/server/am/ActivityManagerService.java
@@ -7239,7 +7239,12 @@ public final class ActivityManagerService extends ActivityManagerNative
// Third... does the caller itself have permission to access
// this uri?
- if (UserHandle.getAppId(callingUid) != Process.SYSTEM_UID) {
+ final int callingAppId = UserHandle.getAppId(callingUid);
+ if ((callingAppId == Process.SYSTEM_UID) || (callingAppId == Process.ROOT_UID)) {
+ Slog.w(TAG, "For security reasons, the system cannot issue a Uri permission"
+ + " grant to " + grantUri + "; use startActivityAsCaller() instead");
+ return -1;
+ } else {
if (!checkHoldingPermissionsLocked(pm, pi, grantUri, callingUid, modeFlags)) {
// Require they hold a strong enough Uri permission
if (!checkUriPermissionLocked(grantUri, callingUid, modeFlags)) {