From 76db1db57e911ed3651e75815fcb66723d6677ae Mon Sep 17 00:00:00 2001 From: Songchun Fan Date: Wed, 26 Oct 2022 17:03:33 -0700 Subject: [SettingsProvider] workaround for DevicePolicyResourcesManager DevicePolicyResourcesManager.getString() was added in T and called in many places inside system server. However, it uses DeviceConfig.getBoolean to determine if a feature is enabled or not. In the places where it is called from inside system server, `clearCallingIdentity` was not always called, which can result in DeviceConfig.getBoolean throwing SecurityException due to mismatched AttributionSource (calling uid is the caller from the binder client, while the context is "android" which should have calling uid 0). Context is "android" because it is inside the system server where the DevicePolicyManager instance is created. This bug might lead to unexpected behavior such as packages failing to be uninstalled by admin. The easiest fix is to place a bypass in SettingsProvider and manually clear the calling uid there. This fix also allows for the cleanest backporting as it can be cherry-picked into T without touching all the places where DevicePolicyResourcesManager.getString() is called in the system server. BUG: 252663068 Test: manual Merged-In: I37a6ceb29575593018b93093562c85d49770a43c Change-Id: I37a6ceb29575593018b93093562c85d49770a43c (cherry picked from commit b127850fda23698be0247e5b2110cdd01fff8fd7) --- core/java/android/provider/Settings.java | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/core/java/android/provider/Settings.java b/core/java/android/provider/Settings.java index 805fdc44b256..96cc1f892551 100644 --- a/core/java/android/provider/Settings.java +++ b/core/java/android/provider/Settings.java @@ -3344,9 +3344,26 @@ public final class Settings { } } - // Fetch all flags for the namespace at once for caching purposes - Bundle b = cp.call(cr.getAttributionSource(), - mProviderHolder.mUri.getAuthority(), mCallListCommand, null, args); + Bundle b; + // b/252663068: if we're in system server and the caller did not call + // clearCallingIdentity, the read would fail due to mismatched AttributionSources. + // TODO(b/256013480): remove this bypass after fixing the callers in system server. + if (namespace.equals(DeviceConfig.NAMESPACE_DEVICE_POLICY_MANAGER) + && Settings.isInSystemServer() + && Binder.getCallingUid() != Process.myUid()) { + final long token = Binder.clearCallingIdentity(); + try { + // Fetch all flags for the namespace at once for caching purposes + b = cp.call(cr.getAttributionSource(), + mProviderHolder.mUri.getAuthority(), mCallListCommand, null, args); + } finally { + Binder.restoreCallingIdentity(token); + } + } else { + // Fetch all flags for the namespace at once for caching purposes + b = cp.call(cr.getAttributionSource(), + mProviderHolder.mUri.getAuthority(), mCallListCommand, null, args); + } if (b == null) { // Invalid response, return an empty map return keyValues; -- cgit v1.2.3-59-g8ed1b