From ca53b27c3407e71b74a7771f2d03ad111e2dcca2 Mon Sep 17 00:00:00 2001
From: Rubin Xu
Date: Mon, 6 Feb 2017 17:18:50 +0000
Subject: Fix uri permission grant on remote bug report uri

System server is no longer allowed to grant uri permission directly. As a result we use grantUriPermissionFromIntent() to grant permission from the shell UID, who is the owner of the bug report content. Also fix a security bug where the broadcast to notify user consent of remote bug report mismatches the definition, causing it to be sendable by anyone.

Bug: 34159108
Test: manual - Install TestDPC and request bugreport, try accept and decline once the report is ready (Bullhead).
Merged-In: I66e3f2a16d4547549f09d3c96d52aed2330caedf
Change-Id: I66e3f2a16d4547549f09d3c96d52aed2330caedf
---
 core/java/android/app/admin/DevicePolicyManager.java | 4 ++--
 .../android/server/devicepolicy/DevicePolicyManagerService.java | 9 +++++++--
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/core/java/android/app/admin/DevicePolicyManager.java b/core/java/android/app/admin/DevicePolicyManager.java
index 78f0c92d22f0..507c1769a461 100644
--- a/core/java/android/app/admin/DevicePolicyManager.java
+++ b/core/java/android/app/admin/DevicePolicyManager.java
@@ -360,7 +360,7 @@ public class DevicePolicyManager {
 * @hide
 */
 public static final String ACTION_BUGREPORT_SHARING_ACCEPTED =
- "com.android.server.action.BUGREPORT_SHARING_ACCEPTED";
+ "com.android.server.action.REMOTE_BUGREPORT_SHARING_ACCEPTED";
 
 /**
 * Action: Bugreport sharing with device owner has been declined by the user.
@@ -368,7 +368,7 @@ public class DevicePolicyManager {
 * @hide
 */
 public static final String ACTION_BUGREPORT_SHARING_DECLINED =
- "com.android.server.action.BUGREPORT_SHARING_DECLINED";
+ "com.android.server.action.REMOTE_BUGREPORT_SHARING_DECLINED";
 
 /**
 * Action: Bugreport has been collected and is dispatched to {@link DevicePolicyManagerService}.
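Review bot: Nothing at `ACTION_BUGREPORT_SHARING_ACCEPTED` (or at `ACTION_BUGREPORT_SHARING_DECLINED` in the next hunk) records that the string must equal a protected-broadcast declaration, which is the mismatch the commit message says made the broadcast sendable by anyone. The diffstat lists only the two Java files, so the declaration itself is not visible here and presumably already uses the `REMOTE_` name; worth confirming that it does for both actions. I would add a line to each Javadoc such as `* Must stay identical to the protected-broadcast declaration for this action; otherwise any app can send it.` A receiver-side permission on the registration would also keep a future rename from reopening the gap, if the registration (outside this diff) lacks one.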
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index 24f26714e621..8dd74c319615 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -36,6 +36,7 @@ import android.annotation.Nullable;
 import android.annotation.UserIdInt;
 import android.app.Activity;
 import android.app.ActivityManager;
+import android.app.ActivityManagerInternal;
 import android.app.ActivityManagerNative;
 import android.app.AlarmManager;
 import android.app.AppGlobals;
@@ -5516,8 +5517,12 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
 intent.setComponent(mOwners.getDeviceOwnerComponent());
 intent.setDataAndType(bugreportUri, RemoteBugreportUtils.BUGREPORT_MIMETYPE);
 intent.putExtra(DeviceAdminReceiver.EXTRA_BUGREPORT_HASH, bugreportHash);
- mContext.grantUriPermission(mOwners.getDeviceOwnerComponent().getPackageName(),
- bugreportUri, Intent.FLAG_GRANT_READ_URI_PERMISSION);
+ intent.setFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
+
+ LocalServices.getService(ActivityManagerInternal.class)
+ .grantUriPermissionFromIntent(Process.SHELL_UID,
+ mOwners.getDeviceOwnerComponent().getPackageName(),
+ intent, mOwners.getDeviceOwnerUserId());
 mContext.sendBroadcastAsUser(intent, UserHandle.of(mOwners.getDeviceOwnerUserId()));
 }
 } catch (FileNotFoundException e) {
-- 
cgit v1.2.3-59-g8ed1b
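Review bot: `intent.setFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION)` replaces every flag already on the intent rather than adding one; the intent is built above the hunk, so if any flag is set there it is silently dropped, and `intent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);` avoids that. The grant is now issued under `Process.SHELL_UID` authority, so it is only as narrow as `bugreportUri`, whose origin is outside the hunk: confirm it is restricted to the shell's bug report provider before this call, since otherwise the system server would grant read access to whatever shell-owned URI it is handed. A short comment such as `// Grant as shell: it owns the bugreport content and system_server may not grant URI permissions itself.` would record why the UID is hard-coded. The enclosing method starts and ends outside the hunk.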