LineageOS/android_packages_modules_Connectivity
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Ensure calling package name and uid are matched

Browse Source 
CS#requestRouteToHostAddress enforcing change permission doesn't
check whether the calling package belongs to calling uid. This
can be used to check whether package name exists or not without
permission. Thus, add a check to ensure calling package name and
uid are matched.

Bug: 193801134
Test: atest FrameworksNetTests CtsNetTestCases
Ignore-AOSP-First: Security fix
Change-Id: I980f1c68b5321601aa40da29e283fb4dd717d5de
This commit is contained in:
paulhu
2021-08-18 18:35:54 +08:00
committed by Paul Hu
parent 21026d8bfb
commit b2c286816d
2 changed files with 28 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
service/src/com/android/server/ConnectivityService.java
View File

@@ -2361,6 +2361,26 @@ public class ConnectivityService extends IConnectivityManager.Stub
return false;
}
private int getAppUid(final String app, final UserHandle user) {
final PackageManager pm =
mContext.createContextAsUser(user, 0 /* flags */).getPackageManager();
final long token = Binder.clearCallingIdentity();
try {
return pm.getPackageUid(app, 0 /* flags */);
} catch (PackageManager.NameNotFoundException e) {
return -1;
} finally {
Binder.restoreCallingIdentity(token);
}
}
private void verifyCallingUidAndPackage(String packageName, int callingUid) {
final UserHandle user = UserHandle.getUserHandleForUid(callingUid);
if (getAppUid(packageName, user) != callingUid) {
throw new SecurityException(packageName + " does not belong to uid " + callingUid);
}
}
/**
* Ensure that a network route exists to deliver traffic to the specified
* host via the specified network interface.
@@ -2376,6 +2396,7 @@ public class ConnectivityService extends IConnectivityManager.Stub
if (disallowedBecauseSystemCaller()) {
return false;
}
verifyCallingUidAndPackage(callingPackageName, mDeps.getCallingUid());
enforceChangePermission(callingPackageName, callingAttributionTag);
if (mProtectedNetworks.contains(networkType)) {
enforceConnectivityRestrictedNetworksPermission();