Resolve READ_PRIVILEGED_PHONE_STATE bypass Fixes a bug where the calling user id was not being passed to the default dialer cache due to the calling identity being cleared (resulting in the Telecom process being used to check what the default dialer is). Bug: 373862149 Change-Id: Icb59debc225a1963dd0a37f2e1f025e764715e0e Test: Manual (patch also verified by reporter) Flag: EXEMPT bugfix

commit: 5fc967338889b80ce0d66801a2f061402d0665be [log] [tgz]
author: Pranav Madapurmath <pmadapurmath@google.com> Fri Nov 22 19:54:34 2024 +0000
committer: Pranav Madapurmath <pmadapurmath@google.com> Fri Nov 22 19:55:49 2024 +0000
tree: 4834daa4f8d100992eeb2ea135d6a6b869a3967d
parent: 67ba32d104a590af08a8e1b750c9618637a41fde [diff]
diff --git a/src/com/android/server/telecom/TelecomServiceImpl.java b/src/com/android/server/telecom/TelecomServiceImpl.java
index a662dde..5eb05dc 100644
--- a/src/com/android/server/telecom/TelecomServiceImpl.java
+++ b/src/com/android/server/telecom/TelecomServiceImpl.java

@@ -3600,10 +3600,11 @@
         // Note: Important to clear the calling identity since the code below calls into RoleManager
         // to check who holds the dialer role, and that requires MANAGE_ROLE_HOLDERS permission
         // which is a system permission.
+        int callingUserId = Binder.getCallingUserHandle().getIdentifier();
         long token = Binder.clearCallingIdentity();
         try {
             return mDefaultDialerCache.isDefaultOrSystemDialer(
-                    callingPackage, Binder.getCallingUserHandle().getIdentifier());
+                    callingPackage, callingUserId);
         } finally {
             Binder.restoreCallingIdentity(token);
         }
commit	5fc967338889b80ce0d66801a2f061402d0665be	[log] [tgz]
author	Pranav Madapurmath <pmadapurmath@google.com>	Fri Nov 22 19:54:34 2024 +0000
committer	Pranav Madapurmath <pmadapurmath@google.com>	Fri Nov 22 19:55:49 2024 +0000
tree	4834daa4f8d100992eeb2ea135d6a6b869a3967d
parent	67ba32d104a590af08a8e1b750c9618637a41fde [diff]