author Soonil Nagarkar <sooniln@google.com> 2020-07-16 13:07:08 -0700
committer Soonil Nagarkar <sooniln@google.com> 2020-07-21 16:59:42 +0000
commitca643c5c337a910559e5c1d25cb3f692bdd272ff (patch)
tree9b3b977d6b84f654c987c2460f31dc713802d9ee
parentccb263c9cb405834e0867d32d8a3beb71f615e98 (diff)
DO NOT MERGE Add permission checks before delivery
PendingIntent.send() only checks permissions for broadcast intents, and not for activity/service intents. In order to ensure permissions are checked for all types of intents, we need to add permission checks earlier in the process. Bug: 161456367 Test: presubmits + manual Change-Id: Ib56a382f4a2a8d25aa23a8230e0b82edf024a6fd
-rw-r--r--services/core/java/com/android/server/location/AppOpsHelper.java32
1 files changed, 30 insertions, 2 deletions
diff --git a/services/core/java/com/android/server/location/AppOpsHelper.java b/services/core/java/com/android/server/location/AppOpsHelper.java
index c598fb1dbe26..d0192cdb93d3 100644
--- a/services/core/java/com/android/server/location/AppOpsHelper.java
+++ b/services/core/java/com/android/server/location/AppOpsHelper.java
@@ -18,7 +18,9 @@ package com.android.server.location;
import static android.app.AppOpsManager.OP_MONITOR_HIGH_POWER_LOCATION;
import static android.app.AppOpsManager.OP_MONITOR_LOCATION;
+import static android.content.pm.PackageManager.PERMISSION_GRANTED;
+import static com.android.server.location.CallerIdentity.PERMISSION_NONE;
import static com.android.server.location.LocationManagerService.D;
import static com.android.server.location.LocationManagerService.TAG;
@@ -122,8 +124,18 @@ public class AppOpsHelper {
Preconditions.checkState(mAppOps != null);
}
+ if (callerIdentity.permissionLevel == PERMISSION_NONE) {
+ return false;
+ }
+
long identity = Binder.clearCallingIdentity();
try {
+ if (mContext.checkPermission(
+ CallerIdentity.asPermission(callerIdentity.permissionLevel), callerIdentity.pid,
+ callerIdentity.uid) != PERMISSION_GRANTED) {
+ return false;
+ }
+
return mAppOps.checkOpNoThrow(
CallerIdentity.asAppOp(callerIdentity.permissionLevel),
callerIdentity.uid,
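Review bot: The `PERMISSION_NONE` guard and the `mContext.checkPermission(...) != PERMISSION_GRANTED` test added here are repeated line for line in the `noteLocationAccess` hunk below, so the two delivery gates can drift apart if only one is edited later. A single private helper called from both places would keep the check-only path and the note path enforcing the same permission. The enclosing method starts and ends outside this hunk, so the exact placement of the call relative to the existing `Binder.clearCallingIdentity()` is left to the author; the helper below clears and restores the identity itself so it can be called from either side of that line.

```java
private boolean hasLocationPermission(CallerIdentity callerIdentity) {
    if (callerIdentity.permissionLevel == PERMISSION_NONE) {
        return false;
    }

    long token = Binder.clearCallingIdentity();
    try {
        return mContext.checkPermission(
                CallerIdentity.asPermission(callerIdentity.permissionLevel),
                callerIdentity.pid,
                callerIdentity.uid) == PERMISSION_GRANTED;
    } finally {
        Binder.restoreCallingIdentity(token);
    }
}

// … unchanged: Preconditions.checkState(mAppOps != null) …
if (!hasLocationPermission(callerIdentity)) {
    return false;
}
// … unchanged: clearCallingIdentity / checkOpNoThrow call …
```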
@@ -138,8 +150,24 @@ public class AppOpsHelper {
* called right before a location is delivered, and if it returns false, the location should not
* be delivered.
*/
- public boolean noteLocationAccess(CallerIdentity identity) {
- return noteOpNoThrow(CallerIdentity.asAppOp(identity.permissionLevel), identity);
+ public boolean noteLocationAccess(CallerIdentity callerIdentity) {
+ if (callerIdentity.permissionLevel == PERMISSION_NONE) {
+ return false;
+ }
+
+ long identity = Binder.clearCallingIdentity();
+ try {
+ if (mContext.checkPermission(
+ CallerIdentity.asPermission(callerIdentity.permissionLevel), callerIdentity.pid,
+ callerIdentity.uid) != PERMISSION_GRANTED) {
+ return false;
+ }
+ } finally {
+ Binder.restoreCallingIdentity(identity);
+ }
+
+ return noteOpNoThrow(CallerIdentity.asAppOp(callerIdentity.permissionLevel),
+ callerIdentity);
}
/**
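Review bot: The Javadoc above `noteLocationAccess` still describes only the app-op note, but the method now also returns false when the permission level is `PERMISSION_NONE` or the stored pid/uid no longer holds the matching permission. A sentence such as `Also returns false, without noting the op, if the caller no longer holds the location permission for its permission level.` would tell callers why a delivery can be dropped; the Javadoc opens outside this hunk. Separately, the Binder token is named `identity` right beside `callerIdentity`, which is easy to misread; `long token = Binder.clearCallingIdentity();` with `Binder.restoreCallingIdentity(token);` would be clearer. Both new `return false` paths are silent, so a `D`-guarded log line there would make a revoked-permission drop diagnosable.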