commit 1adf4562e2990eff2d092ffb93d65594fe5c09a0
author Nazanin <nazaninb@google.com> Mon Mar 29 15:35:30 2021 -0700
committer Nazanin Bakhshi <nazaninb@google.com> Tue Apr 20 15:47:12 2021 +0000
tree 3801b4c6c419bede78b85f9bb9a7e9a9ad9b2088
parent 2d01a224c24225d308e0213888a2a113274f6016

Security fix: enforce read privilege permission to check package
privileges in PhoneInterfaceManager

Bug: 180938364
Test: cts
Change-Id: I03ae773fa76f2f23842eee0b7a9948ca474befc8

src/com/android/phone/CarrierConfigLoader.java

diff --git a/src/com/android/phone/CarrierConfigLoader.java b/src/com/android/phone/CarrierConfigLoader.java
index 2b91a24..54b1054 100644
--- a/src/com/android/phone/CarrierConfigLoader.java
+++ b/src/com/android/phone/CarrierConfigLoader.java
@@ -892,9 +892,15 @@
     /** Returns the package name of a priveleged carrier app, or null if there is none. */
     @Nullable
     private String getCarrierPackageForPhoneId(int phoneId) {
-        List<String> carrierPackageNames = TelephonyManager.from(mContext)
+        List<String> carrierPackageNames;
+        final long token = Binder.clearCallingIdentity();
+        try {
+            carrierPackageNames = TelephonyManager.from(mContext)
                 .getCarrierPackageNamesForIntentAndPhone(
-                        new Intent(CarrierService.CARRIER_SERVICE_INTERFACE), phoneId);
+                    new Intent(CarrierService.CARRIER_SERVICE_INTERFACE), phoneId);
+        } finally {
+            Binder.restoreCallingIdentity(token);
+        }
         if (carrierPackageNames != null && carrierPackageNames.size() > 0) {
             return carrierPackageNames.get(0);
         } else {

src/com/android/phone/PhoneInterfaceManager.java

diff --git a/src/com/android/phone/PhoneInterfaceManager.java b/src/com/android/phone/PhoneInterfaceManager.java
index 88bec27..18c1256 100755
--- a/src/com/android/phone/PhoneInterfaceManager.java
+++ b/src/com/android/phone/PhoneInterfaceManager.java
@@ -6664,6 +6664,7 @@
 
     @Override
     public int checkCarrierPrivilegesForPackage(int subId, String pkgName) {
+        enforceReadPrivilegedPermission("checkCarrierPrivilegesForPackage");
         if (TextUtils.isEmpty(pkgName)) {
             return TelephonyManager.CARRIER_PRIVILEGE_STATUS_NO_ACCESS;
         }
@@ -6681,6 +6682,7 @@
 
     @Override
     public int checkCarrierPrivilegesForPackageAnyPhone(String pkgName) {
+        enforceReadPrivilegedPermission("checkCarrierPrivilegesForPackageAnyPhone");
         if (TextUtils.isEmpty(pkgName))
             return TelephonyManager.CARRIER_PRIVILEGE_STATUS_NO_ACCESS;
         int result = TelephonyManager.CARRIER_PRIVILEGE_STATUS_RULES_NOT_LOADED;
@@ -6704,6 +6706,7 @@
 
     @Override
     public List<String> getCarrierPackageNamesForIntentAndPhone(Intent intent, int phoneId) {
+        enforceReadPrivilegedPermission("getCarrierPackageNamesForIntentAndPhone");
         if (!SubscriptionManager.isValidPhoneId(phoneId)) {
             loge("phoneId " + phoneId + " is not valid.");
             return null;
@@ -6718,6 +6721,7 @@
 
     @Override
     public List<String> getPackagesWithCarrierPrivileges(int phoneId) {
+        enforceReadPrivilegedPermission("getPackagesWithCarrierPrivileges");
         PackageManager pm = mApp.getPackageManager();
         List<String> privilegedPackages = new ArrayList<>();
         List<PackageInfo> packages = null;

src/com/android/phone/TelephonyShellCommand.java

diff --git a/src/com/android/phone/TelephonyShellCommand.java b/src/com/android/phone/TelephonyShellCommand.java
index 8fc7e94..f5b6ad8 100644
--- a/src/com/android/phone/TelephonyShellCommand.java
+++ b/src/com/android/phone/TelephonyShellCommand.java
@@ -2295,6 +2295,7 @@
         String packageName = getNextArgRequired();
 
         boolean hasCarrierPrivileges;
+        final long token = Binder.clearCallingIdentity();
         try {
             hasCarrierPrivileges =
                     mInterface.checkCarrierPrivilegesForPackageAnyPhone(packageName)
@@ -2303,6 +2304,8 @@
             Log.w(LOG_TAG, HAS_CARRIER_PRIVILEGES_COMMAND + " exception", e);
             getErrPrintWriter().println("Exception: " + e.getMessage());
             return -1;
+        } finally {
+            Binder.restoreCallingIdentity(token);
         }
 
         getOutPrintWriter().println(hasCarrierPrivileges);