Add permission checks for Verification API calls

Ensure that only applications with
android.Manifest.permission.PACKAGE_VERIFICATION_AGENT can call application
verification APIs, like PackageManager.verifyPendingInstall and
PackageManager.extendVerificationTimeout

Bug: 7049083
Change-Id: I5fc28b37e864d67cd319a1ed9d03a90dd15ad052

1 files changed, 8 insertions, 0 deletions

diff --git a/services/java/com/android/server/pm/PackageManagerService.java b/services/java/com/android/server/pm/PackageManagerService.java
index b84e25a6b26d..74b02bc7648e 100644
--- a/services/java/com/android/server/pm/PackageManagerService.java
+++ b/services/java/com/android/server/pm/PackageManagerService.java
@@ -5531,6 +5531,10 @@ public class PackageManagerService extends IPackageManager.Stub {
     
     @Override
     public void verifyPendingInstall(int id, int verificationCode) throws RemoteException {
+        mContext.enforceCallingOrSelfPermission(
+                android.Manifest.permission.PACKAGE_VERIFICATION_AGENT,
+                "Only package verification agents can verify applications");
+
         final Message msg = mHandler.obtainMessage(PACKAGE_VERIFIED);
         final PackageVerificationResponse response = new PackageVerificationResponse(
                 verificationCode, Binder.getCallingUid());
@@ -5542,6 +5546,10 @@ public class PackageManagerService extends IPackageManager.Stub {
     @Override
     public void extendVerificationTimeout(int id, int verificationCodeAtTimeout,
             long millisecondsToDelay) {
+        mContext.enforceCallingOrSelfPermission(
+                android.Manifest.permission.PACKAGE_VERIFICATION_AGENT,
+                "Only package verification agents can extend verification timeouts");
+
         final PackageVerificationState state = mPendingVerification.get(id);
         final PackageVerificationResponse response = new PackageVerificationResponse(
                 verificationCodeAtTimeout, Binder.getCallingUid());