From 75e03a9596eaa036421cc405f9f475ba3381ba64 Mon Sep 17 00:00:00 2001
From: Jackal Guo
Date: Wed, 20 Jan 2021 15:33:26 +0800
Subject: Apply package visibility to cached ServiceRecord

Once the service resolve in retrieveServiceLocked is done, ActiveService would store the ServiceRecord in a ServiceMap to save additional query next time. However, the package visibility check isn't applied when the ServiceRecord is retrieved from the ServiceMap. Hence, apps may bypass the package visibility check and bind the target service successfully.

Bug: 177790677
Test: atest AppsFilterTest
Test: atest AppEnumerationTests
Change-Id: If362627fc6b02120a30ed10080d0d61b3ddbb98b
---
 .../java/com/android/server/am/ActiveServices.java | 24 ++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/services/core/java/com/android/server/am/ActiveServices.java b/services/core/java/com/android/server/am/ActiveServices.java
index 02613cfe0771..30fb772ded72 100644
--- a/services/core/java/com/android/server/am/ActiveServices.java
+++ b/services/core/java/com/android/server/am/ActiveServices.java
@@ -2815,12 +2815,24 @@ public final class ActiveServices {
 r = smap.mServicesByIntent.get(filter);
 if (DEBUG_SERVICE && r != null) Slog.v(TAG_SERVICE, "Retrieved by intent: " + r);
 }
- if (r != null && (r.serviceInfo.flags & ServiceInfo.FLAG_EXTERNAL_SERVICE) != 0
- && !callingPackage.equals(r.packageName)) {
- // If an external service is running within its own package, other packages
- // should not bind to that instance.
- r = null;
- if (DEBUG_SERVICE) Slog.v(TAG_SERVICE, "Whoops, can't use existing external service");
+ if (r != null) {
+ // Compared to resolveService below, the ServiceRecord here is retrieved from
+ // ServiceMap so the package visibility doesn't apply to it. We need to filter it.
+ if (mAm.getPackageManagerInternal().filterAppAccess(r.packageName, callingUid,
+ userId)) {
+ Slog.w(TAG_SERVICE, "Unable to start service " + service + " U=" + userId
+ + ": not found");
+ return null;
+ }
+ if ((r.serviceInfo.flags & ServiceInfo.FLAG_EXTERNAL_SERVICE) != 0
+ && !callingPackage.equals(r.packageName)) {
+ // If an external service is running within its own package, other packages
+ // should not bind to that instance.
+ r = null;
+ if (DEBUG_SERVICE) {
+ Slog.v(TAG_SERVICE, "Whoops, can't use existing external service");
+ }
+ }
 }
 if (r == null) {
 try {
--
cgit v1.2.3-59-g8ed1b
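Review bot: The filtered case returns null immediately, whereas the external-service case just below it sets `r = null` and falls through to the fresh resolve at `if (r == null)`. For a record that came from `smap.mServicesByIntent.get(filter)`, the early return skips that resolve, so the caller's result may depend on whether a record from a package it cannot see happens to be cached; presumably the resolve path would either find a visible match or report not-found itself. Consider replacing the `Slog.w(...)`/`return null;` pair with `r = null;` so both paths go through the same visibility-filtered lookup, or add a comment explaining why an early return is required here. The enclosing method starts and ends outside the hunk, so the behaviour of the resolve path is inferred from the in-hunk comment.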