Support network slicing permission check in multi-user environment
In multi-user environment, the App might not be installed by system user.
As a result, the ConnectivityService should use the packageManager from
the user's context to be able to read the property correctly.
Bug: 300274339
Test: TH
Change-Id: I5398c95562bcaf5752270b52f38cca1f02698ba1
diff --git a/service/src/com/android/server/ConnectivityService.java b/service/src/com/android/server/ConnectivityService.java
index 8f29078..d688cd4 100755
--- a/service/src/com/android/server/ConnectivityService.java
+++ b/service/src/com/android/server/ConnectivityService.java
@@ -7649,7 +7649,7 @@
}
private void enforceRequestCapabilitiesDeclaration(@NonNull final String callerPackageName,
- @NonNull final NetworkCapabilities networkCapabilities) {
+ @NonNull final NetworkCapabilities networkCapabilities, int callingUid) {
// This check is added to fix the linter error for "current min is 30", which is not going
// to happen because Connectivity service always run in S+.
if (!mDeps.isAtLeastS()) {
@@ -7663,7 +7663,9 @@
applicationNetworkCapabilities = mSelfCertifiedCapabilityCache.get(
callerPackageName);
if (applicationNetworkCapabilities == null) {
- final PackageManager packageManager = mContext.getPackageManager();
+ final PackageManager packageManager =
+ mContext.createContextAsUser(UserHandle.getUserHandleForUid(
+ callingUid), 0 /* flags */).getPackageManager();
final PackageManager.Property networkSliceProperty = packageManager.getProperty(
ConstantsShim.PROPERTY_SELF_CERTIFIED_NETWORK_CAPABILITIES,
callerPackageName
@@ -7695,7 +7697,8 @@
String callingPackageName, String callingAttributionTag, final int callingUid) {
if (shouldCheckCapabilitiesDeclaration(networkCapabilities, callingUid,
callingPackageName)) {
- enforceRequestCapabilitiesDeclaration(callingPackageName, networkCapabilities);
+ enforceRequestCapabilitiesDeclaration(callingPackageName, networkCapabilities,
+ callingUid);
}
if (networkCapabilities.hasCapability(NET_CAPABILITY_NOT_RESTRICTED) == false) {
// For T+ devices, callers with carrier privilege could request with CBS capabilities.