Merge "Ensure calling package name and uid are matched" into sc-qpr1-dev

commit: e93efb6f963d0059cf3eb54ab2d2a23f03584eee [log] [tgz]
author: TreeHugger Robot <treehugger-gerrit@google.com> Fri Oct 01 14:08:56 2021 +0000
committer: Android (Google) Code Review <android-gerrit@google.com> Fri Oct 01 14:08:56 2021 +0000
tree: 012f2ebb0d8b020b5a08bf4c92876e1e31dc1a76
parent: 814a8e4d90a930cfbe60d116e00e2cbf5f70cbef [diff]
parent: b2c286816d35877ffe22e70f5bc1c03c6d03b214 [diff]
diff --git a/service/src/com/android/server/ConnectivityService.java b/service/src/com/android/server/ConnectivityService.java
index e34c064..418e9e3 100644
--- a/service/src/com/android/server/ConnectivityService.java
+++ b/service/src/com/android/server/ConnectivityService.java

@@ -2361,6 +2361,26 @@
         return false;
     }
 
+    private int getAppUid(final String app, final UserHandle user) {
+        final PackageManager pm =
+                mContext.createContextAsUser(user, 0 /* flags */).getPackageManager();
+        final long token = Binder.clearCallingIdentity();
+        try {
+            return pm.getPackageUid(app, 0 /* flags */);
+        } catch (PackageManager.NameNotFoundException e) {
+            return -1;
+        } finally {
+            Binder.restoreCallingIdentity(token);
+        }
+    }
+
+    private void verifyCallingUidAndPackage(String packageName, int callingUid) {
+        final UserHandle user = UserHandle.getUserHandleForUid(callingUid);
+        if (getAppUid(packageName, user) != callingUid) {
+            throw new SecurityException(packageName + " does not belong to uid " + callingUid);
+        }
+    }
+
     /**
      * Ensure that a network route exists to deliver traffic to the specified
      * host via the specified network interface.
@@ -2376,6 +2396,7 @@
         if (disallowedBecauseSystemCaller()) {
             return false;
         }
+        verifyCallingUidAndPackage(callingPackageName, mDeps.getCallingUid());
         enforceChangePermission(callingPackageName, callingAttributionTag);
         if (mProtectedNetworks.contains(networkType)) {
             enforceConnectivityRestrictedNetworksPermission();

diff --git a/tests/unit/java/com/android/server/ConnectivityServiceTest.java b/tests/unit/java/com/android/server/ConnectivityServiceTest.java
index 10b7e14..b900169 100644
--- a/tests/unit/java/com/android/server/ConnectivityServiceTest.java
+++ b/tests/unit/java/com/android/server/ConnectivityServiceTest.java

@@ -13941,4 +13941,11 @@
         mDefaultNetworkCallback.expectCallback(CallbackEntry.LOST, mWiFiNetworkAgent);
         mDefaultNetworkCallback.expectAvailableCallbacksValidated(mCellNetworkAgent);
     }
+
+    @Test
+    public void testRequestRouteToHostAddress_PackageDoesNotBelongToCaller() {
+        assertThrows(SecurityException.class, () -> mService.requestRouteToHostAddress(
+                ConnectivityManager.TYPE_NONE, null /* hostAddress */, "com.not.package.owner",
+                null /* callingAttributionTag */));
+    }
 }
commit	e93efb6f963d0059cf3eb54ab2d2a23f03584eee	[log] [tgz]
author	TreeHugger Robot <treehugger-gerrit@google.com>	Fri Oct 01 14:08:56 2021 +0000
committer	Android (Google) Code Review <android-gerrit@google.com>	Fri Oct 01 14:08:56 2021 +0000
tree	012f2ebb0d8b020b5a08bf4c92876e1e31dc1a76
parent	814a8e4d90a930cfbe60d116e00e2cbf5f70cbef [diff]
parent	b2c286816d35877ffe22e70f5bc1c03c6d03b214 [diff]