commit b2c286816d35877ffe22e70f5bc1c03c6d03b214
author paulhu <paulhu@google.com> Wed Aug 18 18:35:54 2021 +0800
committer Paul Hu <paulhu@google.com> Thu Aug 26 13:23:03 2021 +0000
tree 9203ebffe4ba62085596d97fb8e7052a40c9a9e6
parent 21026d8bfb686e687d03a1f68e5bfcab26d5131c

Ensure calling package name and uid are matched

CS#requestRouteToHostAddress enforcing change permission doesn't
check whether the calling package belongs to calling uid. This
can be used to check whether package name exists or not without
permission. Thus, add a check to ensure calling package name and
uid are matched.

Bug: 193801134
Test: atest FrameworksNetTests CtsNetTestCases
Ignore-AOSP-First: Security fix
Change-Id: I980f1c68b5321601aa40da29e283fb4dd717d5de

service/src/com/android/server/ConnectivityService.java

diff --git a/service/src/com/android/server/ConnectivityService.java b/service/src/com/android/server/ConnectivityService.java
index e34c064..418e9e3 100644
--- a/service/src/com/android/server/ConnectivityService.java
+++ b/service/src/com/android/server/ConnectivityService.java
@@ -2361,6 +2361,26 @@
         return false;
     }
 
+    private int getAppUid(final String app, final UserHandle user) {
+        final PackageManager pm =
+                mContext.createContextAsUser(user, 0 /* flags */).getPackageManager();
+        final long token = Binder.clearCallingIdentity();
+        try {
+            return pm.getPackageUid(app, 0 /* flags */);
+        } catch (PackageManager.NameNotFoundException e) {
+            return -1;
+        } finally {
+            Binder.restoreCallingIdentity(token);
+        }
+    }
+
+    private void verifyCallingUidAndPackage(String packageName, int callingUid) {
+        final UserHandle user = UserHandle.getUserHandleForUid(callingUid);
+        if (getAppUid(packageName, user) != callingUid) {
+            throw new SecurityException(packageName + " does not belong to uid " + callingUid);
+        }
+    }
+
     /**
      * Ensure that a network route exists to deliver traffic to the specified
      * host via the specified network interface.
@@ -2376,6 +2396,7 @@
         if (disallowedBecauseSystemCaller()) {
             return false;
         }
+        verifyCallingUidAndPackage(callingPackageName, mDeps.getCallingUid());
         enforceChangePermission(callingPackageName, callingAttributionTag);
         if (mProtectedNetworks.contains(networkType)) {
             enforceConnectivityRestrictedNetworksPermission();