Location renounced network scan request always throws SecureException
Root cause:
In the implementation of requestNetworkScan, when trying to check
if the caller app has carrier privileges, it calls method
checkCarrierPrivilegesForPackage which requires
READ_PRIVILEGED_PHONE_STATE permission.
Solution:
While callers have no READ_PRIVILEGED_PHONE_STATE permission, we should
check the caller's carrier privileges status in the name of Phone
instead of the caller.
Note: commit 1c11dba2c18b5c25900e3c55c9a9cecf81fac229 once fixed a similar issue in the past, but a later security fix, commit 1adf4562e2990eff2d092ffb93d65594fe5c09a0, broke the case again.
Bug: 252969494
Test: atest android.carrierapi.cts.NetworkScanApiTestatest
Change-Id: Ic8a0145a801162d961e69ec7240a01081e058ffa
diff --git a/src/com/android/phone/PhoneInterfaceManager.java b/src/com/android/phone/PhoneInterfaceManager.java
index bd2be12..88b4443 100755
--- a/src/com/android/phone/PhoneInterfaceManager.java
+++ b/src/com/android/phone/PhoneInterfaceManager.java
@@ -6488,8 +6488,14 @@
private SecurityException checkNetworkRequestForSanitizedLocationAccess(
NetworkScanRequest request, int subId, String callingPackage) {
- boolean hasCarrierPriv = checkCarrierPrivilegesForPackage(subId, callingPackage)
- == TelephonyManager.CARRIER_PRIVILEGE_STATUS_HAS_ACCESS;
+ boolean hasCarrierPriv;
+ final long identity = Binder.clearCallingIdentity();
+ try {
+ hasCarrierPriv = checkCarrierPrivilegesForPackage(subId, callingPackage)
+ == TelephonyManager.CARRIER_PRIVILEGE_STATUS_HAS_ACCESS;
+ } finally {
+ Binder.restoreCallingIdentity(identity);
+ }
boolean hasNetworkScanPermission =
mApp.checkCallingOrSelfPermission(android.Manifest.permission.NETWORK_SCAN)
== PERMISSION_GRANTED;
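Review bot: Inside the new try block, `checkCarrierPrivilegesForPackage(subId, callingPackage)` runs with the phone process's identity, so the permission check it contains no longer constrains the caller and the result rests entirely on the `callingPackage` string. Nothing in this hunk shows that string being tied to the calling UID. If that is not already enforced earlier in requestNetworkScan, verify it before `Binder.clearCallingIdentity()` (for example, by checking the package against `Binder.getCallingUid()`), otherwise an app could pass the name of a carrier-privileged package and be treated as privileged here. The commit message also says the identity should be dropped when the caller lacks READ_PRIVILEGED_PHONE_STATE, but the code clears it unconditionally. Please add a short comment above the try block stating why clearing is safe at this point. Since the message notes this path was fixed once and then broken again by a later security fix, a CTS case covering a carrier-privileged caller without READ_PRIVILEGED_PHONE_STATE would keep it from regressing a third time.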