From 6468b0d17ed301be6a57412f96e9ee8c9c410553 Mon Sep 17 00:00:00 2001
From: Nazanin
Date: Thu, 15 Apr 2021 14:18:15 -0700
Subject: [PATCH] Security fix: enforce read privilege permission to check package privileges in TelephonyManager
Bug: 180938364
Test: cts
Change-Id: I08c346c46b9e87dceaa1faf35fa36b954d88f9b0
---
 .../com/android/server/net/NetworkStatsAccess.java | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/services/core/java/com/android/server/net/NetworkStatsAccess.java b/services/core/java/com/android/server/net/NetworkStatsAccess.java
index 7cdc4cc747..d25eae409d 100644
--- a/services/core/java/com/android/server/net/NetworkStatsAccess.java
+++ b/services/core/java/com/android/server/net/NetworkStatsAccess.java
@@ -27,6 +27,7 @@ import android.app.AppOpsManager;
 import android.app.admin.DevicePolicyManagerInternal;
 import android.content.Context;
 import android.content.pm.PackageManager;
+import android.os.Binder;
 import android.os.Process;
 import android.os.UserHandle;
 import android.telephony.TelephonyManager;
@@ -108,9 +109,16 @@ public final class NetworkStatsAccess {
 DevicePolicyManagerInternal.class);
 final TelephonyManager tm = (TelephonyManager)
 context.getSystemService(Context.TELEPHONY_SERVICE);
- boolean hasCarrierPrivileges = tm != null &&
- tm.checkCarrierPrivilegesForPackageAnyPhone(callingPackage) ==
- TelephonyManager.CARRIER_PRIVILEGE_STATUS_HAS_ACCESS;
+ boolean hasCarrierPrivileges;
+ final long token = Binder.clearCallingIdentity();
+ try {
+ hasCarrierPrivileges = tm != null
+ && tm.checkCarrierPrivilegesForPackageAnyPhone(callingPackage)
+ == TelephonyManager.CARRIER_PRIVILEGE_STATUS_HAS_ACCESS;
+ } finally {
+ Binder.restoreCallingIdentity(token);
+ }
+
 final boolean isDeviceOwner = dpmi != null && dpmi.isActiveDeviceOwner(callingUid);
 final int appId = UserHandle.getAppId(callingUid);
 if (hasCarrierPrivileges || isDeviceOwner
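Review bot: Nothing in the second hunk shows that `callingPackage` has been verified to belong to `callingUid` before it is passed to `checkCarrierPrivilegesForPackageAnyPhone` inside the `Binder.clearCallingIdentity()` block. With identity cleared, the telephony-side permission check (the one the commit subject refers to) presumably sees the system server rather than the original caller, so the only binding between the package name and the real caller has to be established elsewhere. If the callers of this method do not already enforce that binding, carrier-level access could be decided on a package name the caller merely supplied; that is worth confirming against the call sites. I would also add a comment above the `try`, such as `// Identity is cleared because telephony enforces a privileged permission on this call; callingPackage must already be validated against callingUid.` The enclosing method starts and ends outside the hunk, so an earlier validation may exist that is not visible here.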