Merge "Enforce ComponentName belongs to caller app" into tm-dev am: 483a3cab86

Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/base/+/19641683 Change-Id: I4b959dc99b12c8b9214d34cb50fa6f1767414e50 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
author: Iván Budnik <ivanbuper@google.com> 2022-08-19 09:51:44 +0000
committer: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> 2022-08-19 09:51:44 +0000
commit: d3b7b975c07ba21bb5288b4298263790f6722e7c (patch)
tree: b483e125930706cba115c3690aac77e9f262cce8
parent: bd1734462acd7f13a79265c4d1a24ea1f357eb2e (diff)
parent: 483a3cab86122d937e7dbd62106ccbf2e55d007b (diff)
2 files changed, 26 insertions, 0 deletions
diff --git a/services/core/java/com/android/server/media/MediaButtonReceiverHolder.java b/services/core/java/com/android/server/media/MediaButtonReceiverHolder.java
index 9a190316f4eb..6759d79eedca 100644
--- a/services/core/java/com/android/server/media/MediaButtonReceiverHolder.java
+++ b/services/core/java/com/android/server/media/MediaButtonReceiverHolder.java
@@ -32,6 +32,7 @@ import android.os.Handler;
 import android.os.PowerWhitelistManager;
 import android.os.UserHandle;
 import android.text.TextUtils;
+import android.util.EventLog;
 import android.util.Log;
 import android.view.KeyEvent;
 
@@ -117,6 +118,12 @@ final class MediaButtonReceiverHolder {
         int componentType = getComponentType(pendingIntent);
         ComponentName componentName = getComponentName(pendingIntent, componentType);
         if (componentName != null) {
+            if (!TextUtils.equals(componentName.getPackageName(), sessionPackageName)) {
+                EventLog.writeEvent(0x534e4554, "238177121", -1, ""); // SafetyNet logging
+                throw new IllegalArgumentException("ComponentName does not belong to "
+                        + "sessionPackageName. sessionPackageName = " + sessionPackageName
+                        + ", ComponentName pkg = " + componentName.getPackageName());
+            }
             return new MediaButtonReceiverHolder(userId, pendingIntent, componentName,
                     componentType);
         }
diff --git a/services/core/java/com/android/server/media/MediaSessionRecord.java b/services/core/java/com/android/server/media/MediaSessionRecord.java
index 604e8f3949f4..b8131a8ee5b5 100644
--- a/services/core/java/com/android/server/media/MediaSessionRecord.java
+++ b/services/core/java/com/android/server/media/MediaSessionRecord.java
@@ -52,6 +52,8 @@ import android.os.Process;
 import android.os.RemoteException;
 import android.os.ResultReceiver;
 import android.os.SystemClock;
+import android.text.TextUtils;
+import android.util.EventLog;
 import android.util.Log;
 import android.view.KeyEvent;
 
@@ -938,6 +940,14 @@ public class MediaSessionRecord implements IBinder.DeathRecipient, MediaSessionR
         @Override
         public void setMediaButtonReceiver(PendingIntent pi, String sessionPackageName)
                 throws RemoteException {
+            //mPackageName has been verified in MediaSessionService.enforcePackageName().
+            if (!TextUtils.equals(sessionPackageName, mPackageName)) {
+                EventLog.writeEvent(0x534e4554, "238177121", -1, ""); // SafetyNet logging
+                throw new IllegalArgumentException("sessionPackageName name does not match "
+                        + "package name provided to MediaSessionRecord. sessionPackageName = "
+                        + sessionPackageName + ", pkg = "
+                        + mPackageName);
+            }
             final long token = Binder.clearCallingIdentity();
             try {
                 if ((mPolicies & MediaSessionPolicyProvider.SESSION_POLICY_IGNORE_BUTTON_RECEIVER)
@@ -956,6 +966,15 @@ public class MediaSessionRecord implements IBinder.DeathRecipient, MediaSessionR
         public void setMediaButtonBroadcastReceiver(ComponentName receiver) throws RemoteException {
             final long token = Binder.clearCallingIdentity();
             try {
+                //mPackageName has been verified in MediaSessionService.enforcePackageName().
+                if (receiver != null && !TextUtils.equals(
+                        mPackageName, receiver.getPackageName())) {
+                    EventLog.writeEvent(0x534e4554, "238177121", -1, ""); // SafetyNet logging
+                    throw new IllegalArgumentException("receiver does not belong to "
+                            + "package name provided to MediaSessionRecord. Pkg = " + mPackageName
+                            + ", Receiver Pkg = " + receiver.getPackageName());
+                }
+
                 if ((mPolicies & MediaSessionPolicyProvider.SESSION_POLICY_IGNORE_BUTTON_RECEIVER)
                         != 0) {
                     return;
author	Iván Budnik <ivanbuper@google.com>	2022-08-19 09:51:44 +0000
committer	Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2022-08-19 09:51:44 +0000
commit	d3b7b975c07ba21bb5288b4298263790f6722e7c (patch)
tree	b483e125930706cba115c3690aac77e9f262cce8
parent	bd1734462acd7f13a79265c4d1a24ea1f357eb2e (diff)
parent	483a3cab86122d937e7dbd62106ccbf2e55d007b (diff)