ActivityManagerService: Allow openContentUri from vendor/system/product.

Apps should not have direct access to this entry point. Check that the caller is a vendor, system, or product package. Test: Ran PoC app and CtsMediaPlayerTestCases. Bug: 236688380 Change-Id: I0335496d28fa5fc3bfe1fecd4be90040b0b3687f Merged-In: I0335496d28fa5fc3bfe1fecd4be90040b0b3687f (cherry picked from commit d0ba7467c2cb2815f94f6651cbb1c2f405e8e9c7)
author: Austin Borger <borgera@google.com> 2023-03-18 12:56:12 -0700
committer: Austin Borger <borgera@google.com> 2023-05-01 19:47:38 +0000
commit: e37820e47c383aecf9d1173a0676c27e6a59ce4f (patch)
tree: 7d0bd78bd7bcffd4d05be8e6ec4bd3ddbe985c4c
parent: 9cbd0b8c2ab01eb8cc4c5051241fe9d654841842 (diff)
1 files changed, 11 insertions, 1 deletions
diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
index 28fc19c4a1c6..74b66b7d3a2e 100644
--- a/services/core/java/com/android/server/am/ActivityManagerService.java
+++ b/services/core/java/com/android/server/am/ActivityManagerService.java
@@ -6284,7 +6284,7 @@ public class ActivityManagerService extends IActivityManager.Stub
         mActivityTaskManager.unhandledBack();
     }
 
-    // TODO: Move to ContentProviderHelper?
+    // TODO: Replace this method with one that returns a bound IContentProvider.
     public ParcelFileDescriptor openContentUri(String uriString) throws RemoteException {
         enforceNotIsolatedCaller("openContentUri");
         final int userId = UserHandle.getCallingUserId();
@@ -6313,6 +6313,16 @@ public class ActivityManagerService extends IActivityManager.Stub
                     Log.e(TAG, "Cannot find package for uid: " + uid);
                     return null;
                 }
+
+                final ApplicationInfo appInfo = mPackageManagerInt.getApplicationInfo(
+                        androidPackage.getPackageName(), /*flags*/0, Process.SYSTEM_UID,
+                        UserHandle.USER_SYSTEM);
+                if (!appInfo.isVendor() && !appInfo.isSystemApp() && !appInfo.isSystemExt()
+                        && !appInfo.isProduct()) {
+                    Log.e(TAG, "openContentUri may only be used by vendor/system/product.");
+                    return null;
+                }
+
                 final AttributionSource attributionSource = new AttributionSource(
                         Binder.getCallingUid(), androidPackage.getPackageName(), null);
                 pfd = cph.provider.openFile(attributionSource, uri, "r", null);
author	Austin Borger <borgera@google.com>	2023-03-18 12:56:12 -0700
committer	Austin Borger <borgera@google.com>	2023-05-01 19:47:38 +0000
commit	e37820e47c383aecf9d1173a0676c27e6a59ce4f (patch)
tree	7d0bd78bd7bcffd4d05be8e6ec4bd3ddbe985c4c
parent	9cbd0b8c2ab01eb8cc4c5051241fe9d654841842 (diff)