From eef20391ce4d15d4508dc295cb338954a7c69de7 Mon Sep 17 00:00:00 2001
From: Hui Yu
Date: Sat, 7 May 2022 21:43:23 -0700
Subject: Make sure callingPackage belongs to callingUid when checking BG-FGS restrictions.
This is to stop spoofed packageName to pretend to be allowListed packageName so it can bypass the BG-FGS restriction. This applies to both BG-FGS while-in-use restriction and BG-FGS-start restriction since these two restrictions are related.
Bug: 216695100
Bug: 215003903
Test: atest cts/tests/app/src/android/app/cts/ActivityManagerFgsBgStartTest.java#testSpoofPackageName
Change-Id: Ic14fc331a9b5fbdbcfe6e54a31c8b765513bfd89
Merged-In: Ic14fc331a9b5fbdbcfe6e54a31c8b765513bfd89
---
 .../java/com/android/server/am/ActiveServices.java | 31 +++++++++++++++++++---
 1 file changed, 27 insertions(+), 4 deletions(-)
diff --git a/services/core/java/com/android/server/am/ActiveServices.java b/services/core/java/com/android/server/am/ActiveServices.java
index a2fec2753340..49bfd4dcfd38 100644
--- a/services/core/java/com/android/server/am/ActiveServices.java
+++ b/services/core/java/com/android/server/am/ActiveServices.java
@@ -5992,10 +5992,16 @@ public final class ActiveServices {
 }
 if (ret == REASON_DENIED) {
- final boolean isAllowedPackage =
- mAllowListWhileInUsePermissionInFgs.contains(callingPackage);
- if (isAllowedPackage) {
- ret = REASON_ALLOWLISTED_PACKAGE;
+ if (verifyPackage(callingPackage, callingUid)) {
+ final boolean isAllowedPackage =
+ mAllowListWhileInUsePermissionInFgs.contains(callingPackage);
+ if (isAllowedPackage) {
+ ret = REASON_ALLOWLISTED_PACKAGE;
+ }
+ } else {
+ EventLog.writeEvent(0x534e4554, "215003903", callingUid,
+ "callingPackage:" + callingPackage + " does not belong to callingUid:"
+ + callingUid);
 }
 }
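Review bot: The else branch in this hunk writes the caller-supplied callingPackage into the event log verbatim and has no comment explaining its constants, even though this entry is the only visible detection signal for a spoofed package name. A short comment would help whoever triages the log, for example `// SafetyNet event (tag 0x534e4554) for b/215003903: callingPackage is not owned by callingUid, so the allowlist is not consulted`. Because the string is chosen by the caller, consumers of this event should treat the package name as untrusted text, and it may be worth bounding its length before concatenation. The enclosing method starts and ends outside the hunk, so whether ret stays REASON_DENIED after this branch depends on code not visible here.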
@@ -6378,4 +6384,21 @@ public final class ActiveServices {
 /* allowBackgroundActivityStarts */ false) != REASON_DENIED;
 }
+
+ /**
+ * Checks if a given packageName belongs to a given uid.
+ * @param packageName the package of the caller
+ * @param uid the uid of the caller
+ * @return true or false
+ */
+ private boolean verifyPackage(String packageName, int uid) {
+ if (uid == ROOT_UID || uid == SYSTEM_UID) {
+ //System and Root are always allowed
+ return true;
+ }
+ final int userId = UserHandle.getUserId(uid);
+ final int packageUid = mAm.getPackageManagerInternal()
+ .getPackageUid(packageName, PackageManager.MATCH_DEBUG_TRIAGED_MISSING, userId);
+ return UserHandle.isSameApp(uid, packageUid);
+ }
 }
-- 
cgit v1.2.3-59-g8ed1b
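Review bot: The Javadoc on verifyPackage gives `@return true or false`, which leaves out the contract that matters for a security check. I would state it explicitly: `@return true if uid is ROOT_UID or SYSTEM_UID (packageName is then not checked), or if packageName resolves, in uid's user, to the same app as uid; false otherwise`. It is also worth a line noting that the root/system shortcut compares the full uid rather than the app id, so (presumably) a system-uid caller in a secondary user goes through the package lookup instead of the shortcut. If getPackageUid returns a negative value for an unknown package, as I would expect, the method fails closed, and saying so in the comment would make that intent reviewable.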