author Lucas Lin <lucaslin@google.com> 2021-08-10 02:28:24 +0000
committer Android (Google) Code Review <android-gerrit@google.com> 2021-08-10 02:28:24 +0000
commit8d26ea92b4a81e347ff6eb3934168416955b595e (patch)
tree52e79923e816362d4d372bddc1a4ae85b7c5638b
parentb8a3a61c6f1588b37addb36dd63fe71805980637 (diff)
parent591e345fbc0ccb6815e27ccff1a0ae9d02002a90 (diff)
Merge "Make sure that only the owner can call [stop|start]VpnProfile()" into sc-dev
-rw-r--r--services/core/java/com/android/server/VpnManagerService.java30
1 files changed, 28 insertions, 2 deletions
diff --git a/services/core/java/com/android/server/VpnManagerService.java b/services/core/java/com/android/server/VpnManagerService.java
index d483f1863258..a03425c0bb75 100644
--- a/services/core/java/com/android/server/VpnManagerService.java
+++ b/services/core/java/com/android/server/VpnManagerService.java
@@ -26,6 +26,8 @@ import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
+import android.content.pm.PackageManager;
+import android.content.pm.PackageManager.NameNotFoundException;
import android.net.ConnectivityManager;
import android.net.INetd;
import android.net.IVpnManager;
@@ -312,6 +314,26 @@ public class VpnManagerService extends IVpnManager.Stub {
}
}
+ // TODO : Move to a static lib to factorize with Vpn.java
+ private int getAppUid(final String app, final int userId) {
+ final PackageManager pm = mContext.getPackageManager();
+ final long token = Binder.clearCallingIdentity();
+ try {
+ return pm.getPackageUidAsUser(app, userId);
+ } catch (NameNotFoundException e) {
+ return -1;
+ } finally {
+ Binder.restoreCallingIdentity(token);
+ }
+ }
+
+ private void verifyCallingUidAndPackage(String packageName, int callingUid) {
+ final int userId = UserHandle.getUserId(callingUid);
+ if (getAppUid(packageName, userId) != callingUid) {
+ throw new SecurityException(packageName + " does not belong to uid " + callingUid);
+ }
+ }
+
/**
* Starts the VPN based on the stored profile for the given package
*
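Review bot: The two added helpers, `getAppUid` and `verifyCallingUidAndPackage`, are the ownership gate for this service but have no Javadoc, so their contract is only implicit. I would add `/** Throws SecurityException unless packageName is installed for the caller's user and owned by callingUid. */` on `verifyCallingUidAndPackage`, and `// Returns -1 (never a valid uid) when the package is not installed for userId, so the caller's comparison rejects it.` on `getAppUid`. The comment should also record that the lookup runs with the calling identity cleared. It should say too that a missing package and a foreign package raise the same message, presumably so the error does not reveal which packages are installed; a later refactor into the shared lib named in the TODO should keep that. Other Binder entry points that take a package name are outside this hunk and worth checking for the same gate.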
@@ -323,7 +345,9 @@ public class VpnManagerService extends IVpnManager.Stub {
*/
@Override
public void startVpnProfile(@NonNull String packageName) {
- final int user = UserHandle.getUserId(mDeps.getCallingUid());
+ final int callingUid = Binder.getCallingUid();
+ verifyCallingUidAndPackage(packageName, callingUid);
+ final int user = UserHandle.getUserId(callingUid);
synchronized (mVpns) {
throwIfLockdownEnabled();
mVpns.get(user).startVpnProfile(packageName);
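Review bot: The caller uid is now read with `Binder.getCallingUid()`, where the removed line used `mDeps.getCallingUid()`, so the new ownership check bypasses the service's injected dependency. If unit tests stub `mDeps` to simulate callers, they can no longer drive `verifyCallingUidAndPackage` through its reject path, and the security check ends up the least testable part of the method. Assuming `mDeps.getCallingUid()` simply wraps the Binder call, I would keep the seam: `final int callingUid = mDeps.getCallingUid();`. The same applies to the `stopVpnProfile` hunk below. The body of `startVpnProfile` continues outside this hunk.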
@@ -340,7 +364,9 @@ public class VpnManagerService extends IVpnManager.Stub {
*/
@Override
public void stopVpnProfile(@NonNull String packageName) {
- final int user = UserHandle.getUserId(mDeps.getCallingUid());
+ final int callingUid = Binder.getCallingUid();
+ verifyCallingUidAndPackage(packageName, callingUid);
+ final int user = UserHandle.getUserId(callingUid);
synchronized (mVpns) {
mVpns.get(user).stopVpnProfile(packageName);
}