From ab39f6cb7afc48584da3c59d8e2a5e1ef121aafb Mon Sep 17 00:00:00 2001 From: akirilov Date: Tue, 16 Oct 2018 14:52:05 -0700 Subject: RESTRICT AUTOMERGE: Trust session id only if started with ACTION_CONFIRM_INSTALL InstallStart was reading sessionInfo whenever the starting intent had the extra EXTRA_SESSION_ID. This could happen even if an external app inserted a valid session id into its own REQUEST_INSTALL_PACKAGE intent. This allows apps to potentially spoof the calling package. Test: Existing tests pass: atest GtsPackageInstallTestCases GtsNoPermissionTestCases \ GtsNoPermissionTestCases25 Bug: 112031362 Change-Id: Icdab1deeaf6b0afe7a61709cd87305336c467e33 (cherry picked from commit 8af3d62da1a56d8cc3e7c915516cbc4ce8642099) --- src/com/android/packageinstaller/InstallStart.java | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/src/com/android/packageinstaller/InstallStart.java b/src/com/android/packageinstaller/InstallStart.java index d06b6f55..42927373 100644 --- a/src/com/android/packageinstaller/InstallStart.java +++ b/src/com/android/packageinstaller/InstallStart.java @@ -58,9 +58,14 @@ public class InstallStart extends Activity { Intent intent = getIntent(); String callingPackage = getCallingPackage(); + final boolean isSessionInstall = + PackageInstaller.ACTION_CONFIRM_PERMISSIONS.equals(intent.getAction()); + // If the activity was started via a PackageInstaller session, we retrieve the calling // package from that session - int sessionId = intent.getIntExtra(PackageInstaller.EXTRA_SESSION_ID, -1); + final int sessionId = (isSessionInstall + ? intent.getIntExtra(PackageInstaller.EXTRA_SESSION_ID, -1) + : -1); if (callingPackage == null && sessionId != -1) { PackageInstaller packageInstaller = getPackageManager().getPackageInstaller(); PackageInstaller.SessionInfo sessionInfo = packageInstaller.getSessionInfo(sessionId); 
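Review bot: The new `isSessionInstall` gate rests on `intent.getAction()`, which is set by whoever sends the intent, just like the `EXTRA_SESSION_ID` extra it now guards. The session id is therefore only trustworthy if other apps cannot start InstallStart with `ACTION_CONFIRM_PERMISSIONS`, and nothing in this hunk shows that restriction. If the manifest or a permission enforces it, record that above the declaration, e.g. `// Only the system can start us with ACTION_CONFIRM_PERMISSIONS; for any other action the session id extra is ignored.`; if not, the `callingPackage == null && sessionId != -1` branch should also confirm that the session belongs to the launching uid before taking the calling package from it. The commit subject says ACTION_CONFIRM_INSTALL while the code compares against `ACTION_CONFIRM_PERMISSIONS`, which is worth reconciling in the message. The enclosing method starts and ends outside the hunk, so how a null `sessionInfo` is handled cannot be seen from here.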
@@ -103,7 +108,7 @@ public class InstallStart extends Activity { nextActivity.putExtra(PackageInstallerActivity.EXTRA_ORIGINAL_SOURCE_INFO, sourceInfo); nextActivity.putExtra(Intent.EXTRA_ORIGINATING_UID, originatingUid); - if (PackageInstaller.ACTION_CONFIRM_PERMISSIONS.equals(intent.getAction())) { + if (isSessionInstall) { nextActivity.setClass(this, PackageInstallerActivity.class); } else { Uri packageUri = intent.getData(); -- cgit v1.2.3