Fix incorrect use of UserHandle#getUserHandleForUid(int uid)

Two issues were mixed here. issue 1) User ID was used when UID was necessary. issue 2) Caller UID was used when checking target UID. Note that this bug would affect multi-user environment. Bug: 162548695 Test: Build and run CTS Change-Id: I83909b4a6c82af805a26848fe4a0189c579ddf0d
author: Jaewan Kim <jaewan@google.com> 2020-08-05 10:59:10 +0900
committer: Jaewan Kim <jaewan@google.com> 2020-08-11 14:01:04 +0900
commit: c8fc993b4260fbd10bfa9e3d12c4616ac0d5c6c9 (patch)
tree: d3c5c68f5ee8a2335c82a0aad96d518990c58058
parent: 7f2044ea80cb092dabebe27d1f6d967469e81840 (diff)
1 files changed, 12 insertions, 11 deletions
diff --git a/services/core/java/com/android/server/media/MediaSessionService.java b/services/core/java/com/android/server/media/MediaSessionService.java
index e2f70e320cb8..eb4ab1ceac28 100644
--- a/services/core/java/com/android/server/media/MediaSessionService.java
+++ b/services/core/java/com/android/server/media/MediaSessionService.java
@@ -1937,7 +1937,8 @@ public class MediaSessionService extends SystemService implements Monitor {
                 // Context#getPackageName() for getting package name that matches with the PID/UID,
                 // but it doesn't tell which package has created the MediaController, so useless.
                 return hasMediaControlPermission(controllerPid, controllerUid)
-                        || hasEnabledNotificationListener(userId, controllerPackageName, uid);
+                        || hasEnabledNotificationListener(
+                                userId, controllerPackageName, controllerUid);
             } finally {
                 Binder.restoreCallingIdentity(token);
             }
@@ -2001,21 +2002,21 @@ public class MediaSessionService extends SystemService implements Monitor {
             return resolvedUserId;
         }
 
-        private boolean hasEnabledNotificationListener(int resolvedUserId, String packageName,
-                int uid) {
-            // TODO: revisit this checking code
-            // You may not access another user's content as an enabled listener.
-            final int userId = UserHandle.getUserHandleForUid(resolvedUserId).getIdentifier();
-            if (resolvedUserId != userId) {
+        private boolean hasEnabledNotificationListener(int callingUserId,
+                String controllerPackageName, int controllerUid) {
+            int controllerUserId = UserHandle.getUserHandleForUid(controllerUid).getIdentifier();
+            if (callingUserId != controllerUserId) {
+                // Enabled notification listener only works within the same user.
                 return false;
             }
-            if (mNotificationManager.hasEnabledNotificationListener(packageName,
-                    UserHandle.getUserHandleForUid(uid))) {
+
+            if (mNotificationManager.hasEnabledNotificationListener(controllerPackageName,
+                    UserHandle.getUserHandleForUid(controllerUid))) {
                 return true;
             }
             if (DEBUG) {
-                Log.d(TAG, packageName + " (uid=" + uid + ") doesn't have an enabled "
-                        + "notification listener");
+                Log.d(TAG, controllerPackageName + " (uid=" + controllerUid
+                        + ") doesn't have an enabled notification listener");
             }
             return false;
         }
author	Jaewan Kim <jaewan@google.com>	2020-08-05 10:59:10 +0900
committer	Jaewan Kim <jaewan@google.com>	2020-08-11 14:01:04 +0900
commit	c8fc993b4260fbd10bfa9e3d12c4616ac0d5c6c9 (patch)
tree	d3c5c68f5ee8a2335c82a0aad96d518990c58058
parent	7f2044ea80cb092dabebe27d1f6d967469e81840 (diff)