| author | 2021-03-02 15:27:51 +0000 | |
|---|---|---|
| committer | 2022-03-22 12:28:36 +0000 | |
| commit | a4131c50d07c7b58c496bd82b9ab3389b6721654 (patch) | |
| tree | 5fa5252299734b548c3e7c129ea73d257543b023 /libs/androidfw/StringPool.cpp | |
| parent | b7f5e21e80b5cba62d9b4c96d036fb5ca6b37be6 (diff) | |
Secure REMOTE_BUGREPORT_DISPATCH
In remote bugreport collection, Shell sends REMOTE_BUGREPORT_DISPATCH to
DevicePolicyManagerService which in turn notifies Device Owners that a
bug report is ready for collection. There existed a threat where a
malicious user could spoof the REMOTE_BUGREPORT_DISPATCH broadcast via
ADB to send a crafted bugreport to the Device Owner. Securing
REMOTE_BUGREPORT_DISPATCH is not as easy as it appears: putting a
permission on REMOTE_BUGREPORT_DISPATCH does not work since both the
legitimate sender and the malicious user are UID_SHELL. Instead, we
introduce a nonce which was sent from DPMS to Shell when bugreport is
triggered, and DPM will only accept REMOTE_BUGREPORT_DISPATCH when
a matching nonce is seen.
Ignore-AOSP-First: security fix
Bug: 171495100
Test: atest DeviceOwnerTest#testRemoteBugreportWithTwoUsers
Test: atest DeviceOwnerTest#testAdminActionBookkeeping
Test: atest BugreportManagerTest
Change-Id: I7649b4f22b74647d152d76bb46d5ca70bfa3617d
Diffstat (limited to 'libs/androidfw/StringPool.cpp')
0 files changed, 0 insertions, 0 deletions
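
The nonce check the commit message describes, as a stand-alone Java model added here; it is not the code from this commit. The class and method names, the 64-bit nonce, the reserved value 0 and the single-use behaviour are assumptions made for illustration.

```java
import java.security.SecureRandom;

/** Hypothetical model of a nonce-gated dispatch; names and sizes are assumptions. */
public class NonceGatedDispatch {
    private final SecureRandom random = new SecureRandom();
    private long pendingNonce;      // meaningful only while requestPending is true
    private boolean requestPending;

    /** Service side: called when a bugreport is triggered; the nonce is handed to the collector. */
    public synchronized long startRequest() {
        long nonce;
        do {
            nonce = random.nextLong();
        } while (nonce == 0); // reserve 0 so a missing value (default 0) can never match
        pendingNonce = nonce;
        requestPending = true;
        return nonce;
    }

    /** Service side: called for every incoming dispatch, whoever sent it. */
    public synchronized boolean acceptDispatch(long presentedNonce) {
        if (!requestPending || presentedNonce != pendingNonce) {
            return false; // nothing outstanding, or the sender does not know the nonce
        }
        requestPending = false; // single use: a replayed dispatch is rejected
        pendingNonce = 0;
        return true;
    }

    public static void main(String[] args) {
        NonceGatedDispatch service = new NonceGatedDispatch();
        // Dispatch arriving with no request outstanding.
        System.out.println("unsolicited: " + service.acceptDispatch(0L));
        long nonce = service.startRequest();
        // Sender with the same UID that never received the nonce.
        System.out.println("wrong nonce: " + service.acceptDispatch(nonce ^ 1L));
        // Legitimate collector echoes the nonce it was given.
        System.out.println("matching:    " + service.acceptDispatch(nonce));
        // The same dispatch presented again after it was consumed.
        System.out.println("replay:      " + service.acceptDispatch(nonce));
    }
}
```

The check distinguishes the two senders by knowledge of a per-request secret instead of by UID, which is why it still works when both run as UID_SHELL.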