Fix a security issue in which an app could query which applications are installed on the device without holding QUERY_ALL_PACKAGES, via the `getDeviceIdWithFeature`, `getMeidForSlot`, and `getNetworkTypeForSubscriber` methods of `PhoneInterfaceManager`.
Test: Manually verified with Test app; Safety net log added
Bug: 186530889
Bug: 186776740
Bug: 186530496
Change-Id: I0ef2e34abe0cddfc3ef87c5aea5a01d6d7606064
diff --git a/src/com/android/phone/PhoneInterfaceManager.java b/src/com/android/phone/PhoneInterfaceManager.java
index 65b8e1f..22f99df 100755
--- a/src/com/android/phone/PhoneInterfaceManager.java
+++ b/src/com/android/phone/PhoneInterfaceManager.java
@@ -3131,6 +3131,13 @@
@Override
public String getMeidForSlot(int slotIndex, String callingPackage, String callingFeatureId) {
+ try {
+ mAppOps.checkPackage(Binder.getCallingUid(), callingPackage);
+ } catch (SecurityException se) {
+ EventLog.writeEvent(0x534e4554, "186530496", Binder.getCallingUid());
+ throw new SecurityException("Package " + callingPackage + " does not belong to "
+ + Binder.getCallingUid());
+ }
Phone phone = PhoneFactory.getPhone(slotIndex);
if (phone == null) {
return null;
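Review bot: The same seven-line guard is pasted into getMeidForSlot here and again in the getNetworkTypeForSubscriber and getDeviceIdWithFeature hunks, differing only in the bug id string, so a later change to the check or its log has three places to drift. A private helper taking the package name and the bug id would keep the copies identical and make the guard easy to apply to any other method that accepts a caller-supplied package name. It can also read Binder.getCallingUid() once into a local instead of up to three times per call. The uniform replacement message should be kept as is, since it presumably stops a caller telling an absent package from one owned by another uid. getMeidForSlot's body continues outside the hunk.

```java
// Proposed private helper; the name is a suggestion.
private void enforceCallingPackageOrLog(String callingPackage, String bugId) {
    final int callingUid = Binder.getCallingUid();
    try {
        mAppOps.checkPackage(callingUid, callingPackage);
    } catch (SecurityException se) {
        // 0x534e4554 is ASCII "SNET", the tag used for the safety net log.
        EventLog.writeEvent(0x534e4554, bugId, callingUid);
        throw new SecurityException(
                "Package " + callingPackage + " does not belong to " + callingUid);
    }
}

public String getMeidForSlot(int slotIndex, String callingPackage, String callingFeatureId) {
    enforceCallingPackageOrLog(callingPackage, "186530496");
    // … unchanged: phone lookup and null check …
```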
@@ -4879,6 +4886,13 @@
@Override
public int getNetworkTypeForSubscriber(int subId, String callingPackage,
String callingFeatureId) {
+ try {
+ mAppOps.checkPackage(Binder.getCallingUid(), callingPackage);
+ } catch (SecurityException se) {
+ EventLog.writeEvent(0x534e4554, "186776740", Binder.getCallingUid());
+ throw new SecurityException("Package " + callingPackage + " does not belong to "
+ + Binder.getCallingUid());
+ }
final int targetSdk = TelephonyPermissions.getTargetSdk(mApp, callingPackage);
if (targetSdk > android.os.Build.VERSION_CODES.Q) {
return getDataNetworkTypeForSubscriber(subId, callingPackage, callingFeatureId);
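Review bot: The guard in getNetworkTypeForSubscriber has to stay above `TelephonyPermissions.getTargetSdk(mApp, callingPackage)`, and nothing in the code says so. That call looks up a package name supplied by the caller and its result picks the branch taken, so moving the check below it in a later refactor would presumably bring back the behaviour this commit removes. A comment on the try block would pin the ordering: `// Keep first: callingPackage is caller-supplied and must be verified against the calling uid before any lookup keyed on it.` The method body continues outside the hunk.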
@@ -7430,6 +7444,13 @@
*/
@Override
public String getDeviceIdWithFeature(String callingPackage, String callingFeatureId) {
+ try {
+ mAppOps.checkPackage(Binder.getCallingUid(), callingPackage);
+ } catch (SecurityException se) {
+ EventLog.writeEvent(0x534e4554, "186530889", Binder.getCallingUid());
+ throw new SecurityException("Package " + callingPackage + " does not belong to "
+ + Binder.getCallingUid());
+ }
final Phone phone = PhoneFactory.getPhone(0);
if (phone == null) {
return null;
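Review bot: getDeviceIdWithFeature now throws SecurityException for a mismatched package, and the Javadoc that closes at the top of this hunk is not touched by the change. If that comment does not already cover it (its text is outside the hunk), add `@throws SecurityException if callingPackage does not belong to the calling uid` so callers know about the new failure mode; the same applies to the other two methods. The method body continues outside the hunk.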