diff options
5 files changed, 64 insertions, 16 deletions
diff --git a/services/core/java/android/content/pm/PackageManagerInternal.java b/services/core/java/android/content/pm/PackageManagerInternal.java index f7ddd2922b25..95186ee444e4 100644 --- a/services/core/java/android/content/pm/PackageManagerInternal.java +++ b/services/core/java/android/content/pm/PackageManagerInternal.java @@ -566,6 +566,12 @@ public abstract class PackageManagerInternal implements PackageSettingsSnapshotP public abstract ProviderInfo resolveContentProvider(String name, int flags, int userId); /** + * Resolves a content provider intent. + */ + public abstract ProviderInfo resolveContentProvider(String name, int flags, int userId, + int callingUid); + + /** * Track the creator of a new isolated uid. * @param isolatedUid The newly created isolated uid. * @param ownerUid The uid of the app that created the isolated process. diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java index 889785d5f766..64af266231cf 100644 --- a/services/core/java/com/android/server/pm/PackageManagerService.java +++ b/services/core/java/com/android/server/pm/PackageManagerService.java @@ -11608,9 +11608,17 @@ public class PackageManagerService extends IPackageManager.Stub return resolveContentProviderInternal(name, flags, userId); } + public ProviderInfo resolveContentProvider(String name, int flags, int userId, int callingUid) { + return resolveContentProviderInternal(name, flags, userId, callingUid); + } + private ProviderInfo resolveContentProviderInternal(String name, int flags, int userId) { + return resolveContentProviderInternal(name, flags, userId, Binder.getCallingUid()); + } + + private ProviderInfo resolveContentProviderInternal(String name, int flags, int userId, + int callingUid) { if (!mUserManager.exists(userId)) return null; - final int callingUid = Binder.getCallingUid(); flags = updateFlagsForComponent(flags, userId); final ProviderInfo providerInfo = mComponentResolver.queryProvider(name, flags, userId); boolean checkedGrants = false; @@ -27754,6 +27762,13 @@ public class PackageManagerService extends IPackageManager.Stub } @Override + public ProviderInfo resolveContentProvider(String name, int flags, int userId, + int callingUid) { + return PackageManagerService.this.resolveContentProviderInternal( + name, flags, userId, callingUid); + } + + @Override public void addIsolatedUid(int isolatedUid, int ownerUid) { synchronized (mLock) { mIsolatedOwners.put(isolatedUid, ownerUid); diff --git a/services/core/java/com/android/server/uri/UriGrantsManagerService.java b/services/core/java/com/android/server/uri/UriGrantsManagerService.java index 44545ed4898a..4e453f378cbc 100644 --- a/services/core/java/com/android/server/uri/UriGrantsManagerService.java +++ b/services/core/java/com/android/server/uri/UriGrantsManagerService.java @@ -1061,6 +1061,12 @@ public class UriGrantsManagerService extends IUriGrantsManager.Stub { PackageManager.GET_URI_PERMISSION_PATTERNS | pmFlags, userHandle); } + private ProviderInfo getProviderInfo(String authority, int userHandle, int pmFlags, + int callingUid) { + return mPmInternal.resolveContentProvider(authority, + PackageManager.GET_URI_PERMISSION_PATTERNS | pmFlags, userHandle, callingUid); + } + /** * Check if the targetPkg can be granted permission to access uri by * the callingUid using the given modeFlags. Throws a security exception @@ -1106,7 +1112,7 @@ public class UriGrantsManagerService extends IUriGrantsManager.Stub { final String authority = grantUri.uri.getAuthority(); final ProviderInfo pi = getProviderInfo(authority, grantUri.sourceUserId, - MATCH_DEBUG_TRIAGED_MISSING); + MATCH_DEBUG_TRIAGED_MISSING, callingUid); if (pi == null) { Slog.w(TAG, "No content provider found for permission check: " + grantUri.uri.toSafeString()); diff --git a/services/tests/servicestests/src/com/android/server/uri/UriGrantsManagerServiceTest.java b/services/tests/servicestests/src/com/android/server/uri/UriGrantsManagerServiceTest.java index 614949c91b9a..69f006568c8e 100644 --- a/services/tests/servicestests/src/com/android/server/uri/UriGrantsManagerServiceTest.java +++ b/services/tests/servicestests/src/com/android/server/uri/UriGrantsManagerServiceTest.java @@ -292,23 +292,29 @@ public class UriGrantsManagerServiceTest { intent.setClipData(clip); { - // When granting towards primary, persistable can't be honored so - // the entire grant fails - try { - mService.checkGrantUriPermissionFromIntent( - intent, UID_PRIMARY_CAMERA, PKG_SOCIAL, USER_PRIMARY); - fail(); - } catch (SecurityException expected) { + // The camera package shouldn't be able to see other packages or their providers, + // so make sure the grant only succeeds for the camera's URIs. + final NeededUriGrants nug = mService.checkGrantUriPermissionFromIntent( + intent, UID_PRIMARY_CAMERA, PKG_SOCIAL, USER_PRIMARY); + if (nug != null && nug.uris != null) { + for (GrantUri gu : nug.uris) { + if (!gu.uri.getAuthority().equals(PKG_CAMERA)) { + fail(); + } + } } } { - // When granting towards secondary, persistable can't be honored so - // the entire grant fails - try { - mService.checkGrantUriPermissionFromIntent( - intent, UID_PRIMARY_CAMERA, PKG_SOCIAL, USER_SECONDARY); - fail(); - } catch (SecurityException expected) { + // The camera package shouldn't be able to see other packages or their providers, + // so make sure the grant only succeeds for the camera's URIs. + final NeededUriGrants nug = mService.checkGrantUriPermissionFromIntent( + intent, UID_PRIMARY_CAMERA, PKG_SOCIAL, USER_SECONDARY); + if (nug != null && nug.uris != null) { + for (GrantUri gu : nug.uris) { + if (!gu.uri.getAuthority().equals(PKG_CAMERA)) { + fail(); + } + } } } } diff --git a/services/tests/servicestests/src/com/android/server/uri/UriGrantsMockContext.java b/services/tests/servicestests/src/com/android/server/uri/UriGrantsMockContext.java index 2c719ff9e8b3..a6307b38f6a5 100644 --- a/services/tests/servicestests/src/com/android/server/uri/UriGrantsMockContext.java +++ b/services/tests/servicestests/src/com/android/server/uri/UriGrantsMockContext.java @@ -135,14 +135,29 @@ public class UriGrantsMockContext extends ContextWrapper { when(mPmInternal.resolveContentProvider(eq(PKG_CAMERA), anyInt(), eq(userId))) .thenReturn(buildCameraProvider(userId)); + when(mPmInternal.resolveContentProvider(eq(PKG_CAMERA), anyInt(), eq(userId), + eq(UserHandle.getUid(userId, UID_CAMERA)))) + .thenReturn(buildCameraProvider(userId)); when(mPmInternal.resolveContentProvider(eq(PKG_PRIVATE), anyInt(), eq(userId))) .thenReturn(buildPrivateProvider(userId)); + when(mPmInternal.resolveContentProvider(eq(PKG_PRIVATE), anyInt(), eq(userId), + eq(UserHandle.getUid(userId, UID_PRIVATE)))) + .thenReturn(buildPrivateProvider(userId)); when(mPmInternal.resolveContentProvider(eq(PKG_PUBLIC), anyInt(), eq(userId))) .thenReturn(buildPublicProvider(userId)); + when(mPmInternal.resolveContentProvider(eq(PKG_PUBLIC), anyInt(), eq(userId), + eq(UserHandle.getUid(userId, UID_PUBLIC)))) + .thenReturn(buildPublicProvider(userId)); when(mPmInternal.resolveContentProvider(eq(PKG_FORCE), anyInt(), eq(userId))) .thenReturn(buildForceProvider(userId)); + when(mPmInternal.resolveContentProvider(eq(PKG_FORCE), anyInt(), eq(userId), + eq(UserHandle.getUid(userId, UID_FORCE)))) + .thenReturn(buildForceProvider(userId)); when(mPmInternal.resolveContentProvider(eq(PKG_COMPLEX), anyInt(), eq(userId))) .thenReturn(buildComplexProvider(userId)); + when(mPmInternal.resolveContentProvider(eq(PKG_COMPLEX), anyInt(), eq(userId), + eq(UserHandle.getUid(userId, UID_COMPLEX)))) + .thenReturn(buildComplexProvider(userId)); } } |