Merge sc-qpr1-dev-plus-aosp-without-vendor@7810918

Bug: 205056467 Merged-In: I745ef4d42ecaf06bb81d9dbe0b7162267fea65a8 Change-Id: I7b2a1fc519124cfc10806dde5fd543504a51e072
2021-11-10 08:06:18 +00:00
parent e4235b83be 67ee516732
commit e41bbea995
4 changed files with 30 additions and 0 deletions
--- a/service/src/com/android/server/ConnectivityService.java
+++ b/service/src/com/android/server/ConnectivityService.java
@@ -2356,6 +2356,26 @@ public class ConnectivityService extends IConnectivityManager.Stub
        return false;
    }

+    private int getAppUid(final String app, final UserHandle user) {
+        final PackageManager pm =
+                mContext.createContextAsUser(user, 0 /* flags */).getPackageManager();
+        final long token = Binder.clearCallingIdentity();
+        try {
+            return pm.getPackageUid(app, 0 /* flags */);
+        } catch (PackageManager.NameNotFoundException e) {
+            return -1;
+        } finally {
+            Binder.restoreCallingIdentity(token);
+        }
+    }
+
+    private void verifyCallingUidAndPackage(String packageName, int callingUid) {
+        final UserHandle user = UserHandle.getUserHandleForUid(callingUid);
+        if (getAppUid(packageName, user) != callingUid) {
+            throw new SecurityException(packageName + " does not belong to uid " + callingUid);
+        }
+    }
+
    /**
     * Ensure that a network route exists to deliver traffic to the specified
     * host via the specified network interface.
@@ -2371,6 +2391,7 @@ public class ConnectivityService extends IConnectivityManager.Stub
        if (disallowedBecauseSystemCaller()) {
            return false;
        }
+        verifyCallingUidAndPackage(callingPackageName, mDeps.getCallingUid());
        enforceChangePermission(callingPackageName, callingAttributionTag);
        if (mProtectedNetworks.contains(networkType)) {
            enforceConnectivityRestrictedNetworksPermission();
--- a/tests/cts/hostside/app/Android.bp
+++ b/tests/cts/hostside/app/Android.bp
@@ -45,5 +45,6 @@ android_test_helper_app {
    test_suites: [
        "cts",
        "general-tests",
+        "sts",
    ],
 }
--- a/tests/cts/hostside/app2/Android.bp
+++ b/tests/cts/hostside/app2/Android.bp
@@ -28,6 +28,7 @@ android_test_helper_app {
    test_suites: [
        "cts",
        "general-tests",
+        "sts",
    ],
    certificate: ":cts-net-app",
 }
--- a/tests/unit/java/com/android/server/ConnectivityServiceTest.java
+++ b/tests/unit/java/com/android/server/ConnectivityServiceTest.java
@@ -14622,4 +14622,11 @@ public class ConnectivityServiceTest {
        mDefaultNetworkCallback.expectCallback(CallbackEntry.LOST, mWiFiNetworkAgent);
        mDefaultNetworkCallback.expectAvailableCallbacksValidated(mCellNetworkAgent);
    }
+
+    @Test
+    public void testRequestRouteToHostAddress_PackageDoesNotBelongToCaller() {
+        assertThrows(SecurityException.class, () -> mService.requestRouteToHostAddress(
+                ConnectivityManager.TYPE_NONE, null /* hostAddress */, "com.not.package.owner",
+                null /* callingAttributionTag */));
+    }
 }