Add existing and visibility check in addPackageDependency We should check if the target package is existing or visible to the caller before adding the dependency. Bug: 216633741 Test: atest -p services/core/java/com/android/server/am Test: manually using the PoC in the buganizer to ensure the symptom no longer exists. Change-Id: I8b3b6579bdfb040c8a10065ac14367ba7e4b15a9

commit: 8d2382ca031bac4f1dc4fc0c86b93b4f829cbf42 [log] [tgz]
author: Jackal Guo <jackalguo@google.com> Mon Sep 26 16:16:42 2022 +0800
committer: Jackal Guo <jackalguo@google.com> Mon Sep 26 16:26:19 2022 +0800
tree: c7fa3c4bd3b890ef9314a9f2b8b7c133da63f517
parent: 826721d11b5f5e7c6aaa797752321dfba25e7b0d [diff]
diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
index 9d24e8e..8b17909 100644
--- a/services/core/java/com/android/server/am/ActivityManagerService.java
+++ b/services/core/java/com/android/server/am/ActivityManagerService.java

@@ -4158,6 +4158,12 @@
             //  Yeah, um, no.
             return;
         }
+        final int callingUid = Binder.getCallingUid();
+        final int callingUserId = UserHandle.getUserId(callingUid);
+        if (getPackageManagerInternal().filterAppAccess(packageName, callingUid, callingUserId)) {
+            Slog.w(TAG, "Failed trying to add dependency on non-existing package: " + packageName);
+            return;
+        }
         ProcessRecord proc;
         synchronized (mPidsSelfLocked) {
             proc = mPidsSelfLocked.get(Binder.getCallingPid());
commit	8d2382ca031bac4f1dc4fc0c86b93b4f829cbf42	[log] [tgz]
author	Jackal Guo <jackalguo@google.com>	Mon Sep 26 16:16:42 2022 +0800
committer	Jackal Guo <jackalguo@google.com>	Mon Sep 26 16:26:19 2022 +0800
tree	c7fa3c4bd3b890ef9314a9f2b8b7c133da63f517
parent	826721d11b5f5e7c6aaa797752321dfba25e7b0d [diff]