From bc66712394f5874a01b60bbf8a2710820afa0986 Mon Sep 17 00:00:00 2001 From: Chiachang Wang Date: Wed, 19 May 2021 10:13:22 +0800 Subject: [PATCH] Use CS identity to update setting while performing factory reset When apps try to call factoryReset to do networking reset, it will result in updating the setting in SettingsProvider. ContentProvider will verify if the package name of the caller that initiated the request being processed on the current thread. The package should belong to the calling UID. The setting update started from the ConnectivityService context, so the package will be android but the calling UID will be the calling app. It will cause a SecurityException. The behavior is fine previously as its known caller(Settings) shares system UID. But it will be a problem for other callers, such as CTS. Thus, clear the identity since the necessary permission check should be examined at the top of the method. The following actions should be fine to be proceed from the system itself. Also replace the user restriction check via hasUserRestrictionForUser with the UserHandle created from the calling uid to ensure it's verified with correct user. Bug: 186061922 Test: Factory reset from Settings Change-Id: If2dd69f702a1eafff331f9e71f6b92aeadfb715d --- .../android/server/ConnectivityService.java | 34 +++++++++++-------- 1 file changed, 19 insertions(+), 15 deletions(-) diff --git a/service/src/com/android/server/ConnectivityService.java b/service/src/com/android/server/ConnectivityService.java index e192c8fae2..b2e2943fcf 100644 --- a/service/src/com/android/server/ConnectivityService.java +++ b/service/src/com/android/server/ConnectivityService.java @@ -8668,28 +8668,32 @@ public class ConnectivityService extends IConnectivityManager.Stub public void factoryReset() { enforceSettingsPermission(); - if (mUserManager.hasUserRestriction(UserManager.DISALLOW_NETWORK_RESET)) { - return; - } - + final int uid = mDeps.getCallingUid(); final long token = Binder.clearCallingIdentity(); try { + if (mUserManager.hasUserRestrictionForUser(UserManager.DISALLOW_NETWORK_RESET, + UserHandle.getUserHandleForUid(uid))) { + return; + } + final IpMemoryStore ipMemoryStore = IpMemoryStore.getMemoryStore(mContext); ipMemoryStore.factoryReset(); + + // Turn airplane mode off + setAirplaneMode(false); + + // restore private DNS settings to default mode (opportunistic) + if (!mUserManager.hasUserRestrictionForUser(UserManager.DISALLOW_CONFIG_PRIVATE_DNS, + UserHandle.getUserHandleForUid(uid))) { + ConnectivitySettingsManager.setPrivateDnsMode(mContext, + PRIVATE_DNS_MODE_OPPORTUNISTIC); + } + + Settings.Global.putString(mContext.getContentResolver(), + ConnectivitySettingsManager.NETWORK_AVOID_BAD_WIFI, null); } finally { Binder.restoreCallingIdentity(token); } - - // Turn airplane mode off - setAirplaneMode(false); - - // restore private DNS settings to default mode (opportunistic) - if (!mUserManager.hasUserRestriction(UserManager.DISALLOW_CONFIG_PRIVATE_DNS)) { - ConnectivitySettingsManager.setPrivateDnsMode(mContext, PRIVATE_DNS_MODE_OPPORTUNISTIC); - } - - Settings.Global.putString(mContext.getContentResolver(), - ConnectivitySettingsManager.NETWORK_AVOID_BAD_WIFI, null); } @Override