From a2405766db1ef38ed71ba4a84746bd8116e59661 Mon Sep 17 00:00:00 2001
From: Todd Kennedy <toddke@google.com>
Date: Wed, 18 Jul 2018 06:57:33 -0700
Subject: RESTRICT AUTOMERGE Relax security exception for backport

The original backport for this bug threw an exception when the caller
didn't hold the INTERACT_ACROSS_USERS permission; even when it queried
for its own packages.

Now, we simply ignore the request to match any user.

Bug: 77821568
Test: manual
Change-Id: I5716b50a7fb18def20323b872ddef06fa9723b13
---
 .../com/android/server/pm/PackageManagerService.java     | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index ea7d0cc3e4ad..2f4e94823642 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -4475,9 +4475,19 @@ public class PackageManagerService extends IPackageManager.Stub
         if ((flags & PackageManager.MATCH_ANY_USER) != 0) {
             // require the permission to be held; the calling uid and given user id referring
             // to the same user is not sufficient
-            enforceCrossUserPermission(Binder.getCallingUid(), userId, false, false, true,
-                    "MATCH_ANY_USER flag requires INTERACT_ACROSS_USERS permission at "
-                    + Debug.getCallers(5));
+            try {
+                enforceCrossUserPermission(Binder.getCallingUid(), userId, false, false, true,
+                        "MATCH_ANY_USER flag requires INTERACT_ACROSS_USERS permission at "
+                        + Debug.getCallers(5));
+            } catch (SecurityException se) {
+                // For compatibility reasons, we can't throw a security exception here if we're
+                // looking for applications in our own user id. Instead, unset the MATCH_ANY_USER
+                // flag and move on.
+                if (userId != UserHandle.getCallingUserId()) {
+                    throw se;
+                }
+                flags &= ~PackageManager.MATCH_ANY_USER;
+            }
         } else if ((flags & PackageManager.MATCH_UNINSTALLED_PACKAGES) != 0 && isCallerSystemUser
                 && sUserManager.hasManagedProfile(UserHandle.USER_SYSTEM)) {
             // If the caller wants all packages and has a restricted profile associated with it,
-- 
cgit v1.2.3-59-g8ed1b