author Nate Myren <ntmyren@google.com> 2021-04-23 11:18:09 -0700
committer Nate Myren <ntmyren@google.com> 2021-04-23 11:24:32 -0700
commit8bda70f116b7048667167f5f8a8e9e917da3d3ae (patch)
treef4f001d84babbe3414dc840b177bbdffb704ad05
parent4f6232fa3c343b76bcb91503092f3b2627541d40 (diff)
Make AppOpsService verification error less informative
Unless the hardcoded AppOpsService DEBUG flag is set to true, do not include the resolved UID of a package in the verifyAndGetBypass exception message, as this potentially leaks data to third-party apps that manage to bind to AppOpsService. Bug: 184474751 Test: manual Change-Id: Ifdcf2cce3e8f939ca9f206a4bf8ac0238000f4c0
-rw-r--r--services/core/java/com/android/server/appop/AppOpsService.java6
1 files changed, 4 insertions, 2 deletions
diff --git a/services/core/java/com/android/server/appop/AppOpsService.java b/services/core/java/com/android/server/appop/AppOpsService.java
index 3f075724662f..0c99b56c1f0d 100644
--- a/services/core/java/com/android/server/appop/AppOpsService.java
+++ b/services/core/java/com/android/server/appop/AppOpsService.java
@@ -4191,8 +4191,9 @@ public class AppOpsService extends IAppOpsService.Stub {
// Special case for the shell which is a package but should be able
// to bypass app attribution tag restrictions.
if (pkgUid != UserHandle.getAppId(uid)) {
+ String otherUidMessage = DEBUG ? " but it is really " + pkgUid : " but it is not";
throw new SecurityException("Specified package " + packageName + " under uid "
- + UserHandle.getAppId(uid) + " but it is really " + pkgUid);
+ + UserHandle.getAppId(uid) + otherUidMessage);
}
return RestrictionBypass.UNRESTRICTED;
}
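Review bot: Outside DEBUG builds the resolved `pkgUid` is now dropped entirely, so a uid/package mismatch on a production build can no longer be diagnosed from the exception, and nothing in the visible lines logs it; the same applies to the identical added line in the second hunk (the `pkgUid != uid` check). Consider recording it on the service side just before the throw, e.g. `Slog.w(TAG, "uid mismatch for " + packageName + ": claimed " + uid + ", resolved " + pkgUid);` (assuming the class's usual `Slog`/`TAG` logging is in scope), which keeps the value out of the message returned to the caller. The ternary is duplicated verbatim in both places and would be better as one small private helper so the two messages cannot drift apart. Whether the redacted message still lets a caller tell an installed package from an absent one depends on code outside this hunk, since the enclosing method starts and ends beyond it.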
@@ -4240,8 +4241,9 @@ public class AppOpsService extends IAppOpsService.Stub {
}
if (pkgUid != uid) {
+ String otherUidMessage = DEBUG ? " but it is really " + pkgUid : " but it is not";
throw new SecurityException("Specified package " + packageName + " under uid " + uid
- + " but it is really " + pkgUid);
+ + otherUidMessage);
}
return bypass;