diff options
author | Jeff Sharkey <jsharkey@android.com> | 2017-06-12 17:33:07 -0600 |
---|---|---|
committer | Harry Youd <harry@harryyoud.co.uk> | 2017-12-23 16:38:53 +0000 |
commit | 8662bd23b735c00a021217bd1f549b53ad426477 (patch) | |
tree | 84f75894f171f3877883c4f0ae9e148fb13aaea7 | |
parent | 360eec509908961c05ee184646d3ae28a4db53fc (diff) | |
download | frameworks_base-8662bd23b735c00a021217bd1f549b53ad426477.tar.gz frameworks_base-8662bd23b735c00a021217bd1f549b53ad426477.tar.bz2 frameworks_base-8662bd23b735c00a021217bd1f549b53ad426477.zip |
DO NOT MERGE. KEY_INTENT shouldn't grant permissions.
KEY_INTENT has no business granting any Uri permissions, so remove
any grant flags that malicious apps may have tried sneaking in.
Also fix ordering bug in general-purpose security check that was
allowing FLAG_GRANT_PERSISTABLE to bypass it.
Test: builds, boots
Bug: 32990341, 32879915
Change-Id: I657455a770c81f045ccce6abbd2291407a1cfb42
(cherry picked from commit d722e780bac7685e8a012b5f479eba8c348c3c53)
CVE-2017-13157 / CVE-2017-13158
-rw-r--r-- | services/core/java/com/android/server/accounts/AccountManagerService.java | 4 | ||||
-rwxr-xr-x | services/core/java/com/android/server/am/ActivityManagerService.java | 13 |
2 files changed, 17 insertions, 0 deletions
diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java index 1e0cf0a3d35..537fe2dc55a 100644 --- a/services/core/java/com/android/server/accounts/AccountManagerService.java +++ b/services/core/java/com/android/server/accounts/AccountManagerService.java @@ -3095,6 +3095,10 @@ public class AccountManagerService } if (result != null && (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) { + intent.setFlags(intent.getFlags() & ~(Intent.FLAG_GRANT_READ_URI_PERMISSION + | Intent.FLAG_GRANT_WRITE_URI_PERMISSION + | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION + | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION)); /* * The Authenticator API allows third party authenticators to * supply arbitrary intents to other apps that they can run, diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java index 6c076d06f21..5ba0b728665 100755 --- a/services/core/java/com/android/server/am/ActivityManagerService.java +++ b/services/core/java/com/android/server/am/ActivityManagerService.java @@ -7701,6 +7701,19 @@ public final class ActivityManagerService extends ActivityManagerNative return -1; } + // Bail early if system is trying to hand out permissions directly; it + // must always grant permissions on behalf of someone explicit. + final int callingAppId = UserHandle.getAppId(callingUid); + if ((callingAppId == Process.SYSTEM_UID) || (callingAppId == Process.ROOT_UID)) { + if ("com.android.settings.files".equals(grantUri.uri.getAuthority())) { + // Exempted authority for cropping user photos in Settings app + } else { + Slog.w(TAG, "For security reasons, the system cannot issue a Uri permission" + + " grant to " + grantUri + "; use startActivityAsCaller() instead"); + return -1; + } + } + final String authority = grantUri.uri.getAuthority(); final ProviderInfo pi = getProviderInfoLocked(authority, grantUri.sourceUserId); if (pi == null) { |