author | Jeff Sharkey <jsharkey@android.com> | 2016-09-16 22:53:35 +0000 |
---|---|---|
committer | android-build-merger <android-build-merger@google.com> | 2016-09-16 22:53:35 +0000 |
commit | 40238b9a601d58d2b4f88da7b14823e8c0340bc6 (patch) | |
tree | ddd545c6dd405f1f22e15e9b33b4997915880b1c /src/com/android | |
parent | 8e8770bdc8811be61a747952e49b223a4c1af90a (diff) | |
parent | 36b9c38a53f15602538ececcfabc94ae8465235a (diff) | |
Enforce calling identity before clearing. am: 7c1af8c62c am: 47dcd095ea am: 51033d49f6 am: 9bbd21ff0c am: 0bd9e49a06 am: 73721ade0d
am: 36b9c38a53
Change-Id: I53525f314f5ebc659e26c972c62517833ea03e19
Diffstat (limited to 'src/com/android')
-rw-r--r-- | src/com/android/providers/downloads/DownloadProvider.java | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/src/com/android/providers/downloads/DownloadProvider.java b/src/com/android/providers/downloads/DownloadProvider.java
index e79aff5f..922cb2a7 100644
--- a/src/com/android/providers/downloads/DownloadProvider.java
+++ b/src/com/android/providers/downloads/DownloadProvider.java
@@ -462,6 +462,19 @@ public final class DownloadProvider extends ContentProvider {
 if (appInfo != null) {
 mDefContainerUid = appInfo.uid;
 }
+
+ // Grant access permissions for all known downloads to the owning apps
+ final SQLiteDatabase db = mOpenHelper.getReadableDatabase();
+ final Cursor cursor = db.query(DB_TABLE, new String[] {
+ Downloads.Impl._ID, Constants.UID }, null, null, null, null, null);
+ try {
+ while (cursor.moveToNext()) {
+ grantAllDownloadsPermission(cursor.getLong(0), cursor.getInt(1));
+ }
+ } finally {
+ cursor.close();
+ }
+
 // start the DownloadService class. don't wait for the 1st download to be issued.
 // saves us by getting some initialization code in DownloadService out of the way.
 Context context = getContext();
@@ -687,6 +700,7 @@ public final class DownloadProvider extends ContentProvider {
 }
 insertRequestHeaders(db, rowID, values);
+ grantAllDownloadsPermission(rowID, Binder.getCallingUid());
 notifyContentChanged(uri, match);
 // Always start service to handle notifications and/or scanning
@@ -1193,6 +1207,7 @@ public final class DownloadProvider extends ContentProvider {
 try {
 while (cursor.moveToNext()) {
 final long id = cursor.getLong(0);
+ revokeAllDownloadsPermission(id);
 DownloadStorageProvider.onDownloadProviderDelete(getContext(), id);
 final String path = cursor.getString(1);
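Review bot: In the hunk at -462 (provider startup), the re-grant loop treats the stored `Constants.UID` value as the row's current owner and grants read/write on it with no check that the owner is unchanged. If a row can outlive its owning app and that UID is later assigned to a different package, this loop would give the new package access to the old download. Whether rows are purged when a UID is removed is not visible here, so if that invariant holds it should be written down next to the loop, e.g. `// Rows are deleted when their owning UID is removed, so Constants.UID names the current owner`. The loop also makes one `grantUriPermission` call per row during provider startup, so its cost grows with the size of the table. The enclosing method starts and ends outside the hunk.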
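Review bot: In the hunk at -687 (insert path), the grant is keyed on `Binder.getCallingUid()`, while the startup loop in the first hunk re-creates grants from the stored `Constants.UID` column. If this method can ever store a UID other than the caller's (the code that fills the column is outside the hunk), the grant made here and the one re-created after a restart would go to different apps. Passing the same value that was written to the row would keep the two paths in step. Alternatively a comment could state the invariant, e.g. `// Constants.UID for this row is always the calling UID on this path`.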
@@ -1232,6 +1247,19 @@ public final class DownloadProvider extends ContentProvider {
 logVerboseOpenFileInfo(uri, mode);
 }
+ // Perform normal query to enforce caller identity access before
+ // clearing it to reach internal-only columns
+ final Cursor probeCursor = query(uri, new String[] {
+ Downloads.Impl._DATA }, null, null, null);
+ try {
+ if ((probeCursor == null) || (probeCursor.getCount() == 0)) {
+ throw new FileNotFoundException(
+ "No file found for " + uri + " as UID " + Binder.getCallingUid());
+ }
+ } finally {
+ IoUtils.closeQuietly(probeCursor);
+ }
+
 final Cursor cursor = queryCleared(uri, new String[] { Downloads.Impl._DATA, Downloads.Impl.COLUMN_STATUS, Downloads.Impl.COLUMN_DESTINATION, Downloads.Impl.COLUMN_MEDIA_SCANNED }, null,
@@ -1407,4 +1435,20 @@ public final class DownloadProvider extends ContentProvider {
 to.put(key, defaultValue);
 }
 }
+
+ private void grantAllDownloadsPermission(long id, int uid) {
+ final String[] packageNames = getContext().getPackageManager().getPackagesForUid(uid);
+ if (packageNames == null || packageNames.length == 0) return;
+
+ // We only need to grant to the first package, since the
+ // platform internally tracks based on UIDs
+ final Uri uri = ContentUris.withAppendedId(Downloads.Impl.ALL_DOWNLOADS_CONTENT_URI, id);
+ getContext().grantUriPermission(packageNames[0], uri,
+ Intent.FLAG_GRANT_READ_URI_PERMISSION | Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
+ }
+
+ private void revokeAllDownloadsPermission(long id) {
+ final Uri uri = ContentUris.withAppendedId(Downloads.Impl.ALL_DOWNLOADS_CONTENT_URI, id);
+ getContext().revokeUriPermission(uri, ~0);
+ }
 } |
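Review bot: In the hunk at -1232, the probe is the only caller-identity check before `queryCleared()`, so the fix is only as strong as the filtering `query()` applies for every URI shape that reaches this method. The added comment should say so, e.g. `// query() applies the caller's UID/permission filter; queryCleared() below does not, so this probe is the sole access check on this path`. The probe and the cleared query are two separate reads, so the row that was checked is not guaranteed to be the row that is opened if it changes in between; that is probably acceptable for an id-addressed URI. No regression test is visible (the diffstat is limited to `src/com/android`); one asserting `FileNotFoundException` for a non-owning UID would pin the behaviour. The enclosing method starts and ends outside the hunk.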
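Review bot: In the hunk at -1407, `revokeAllDownloadsPermission` passes `~0` as the mode flags, which sets every bit rather than the read/write pair that `grantAllDownloadsPermission` granted. Mirroring the grant states the intent and avoids depending on how the platform treats the unrelated bits: `getContext().revokeUriPermission(uri, Intent.FLAG_GRANT_READ_URI_PERMISSION | Intent.FLAG_GRANT_WRITE_URI_PERMISSION);`. Both helpers lack Javadoc, and the early `return` when `getPackagesForUid` yields nothing needs a one-line comment on why skipping the grant is safe. It is also worth confirming that the owning app needs write as well as read on the `ALL_DOWNLOADS_CONTENT_URI` row, since the grant gives both.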