summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--src/com/android/providers/downloads/DownloadProvider.java44
1 files changed, 44 insertions, 0 deletions
diff --git a/src/com/android/providers/downloads/DownloadProvider.java b/src/com/android/providers/downloads/DownloadProvider.java
index 2d914c4..8708413 100644
--- a/src/com/android/providers/downloads/DownloadProvider.java
+++ b/src/com/android/providers/downloads/DownloadProvider.java
@@ -458,6 +458,19 @@ public final class DownloadProvider extends ContentProvider {
if (appInfo != null) {
mDefContainerUid = appInfo.uid;
}
+
+ // Grant access permissions for all known downloads to the owning apps
+ final SQLiteDatabase db = mOpenHelper.getReadableDatabase();
+ final Cursor cursor = db.query(DB_TABLE, new String[] {
+ Downloads.Impl._ID, Constants.UID }, null, null, null, null, null);
+ try {
+ while (cursor.moveToNext()) {
+ grantAllDownloadsPermission(cursor.getLong(0), cursor.getInt(1));
+ }
+ } finally {
+ cursor.close();
+ }
+
// start the DownloadService class. don't wait for the 1st download to be issued.
// saves us by getting some initialization code in DownloadService out of the way.
Context context = getContext();
@@ -675,6 +688,7 @@ public final class DownloadProvider extends ContentProvider {
}
insertRequestHeaders(db, rowID, values);
+ grantAllDownloadsPermission(rowID, Binder.getCallingUid());
notifyContentChanged(uri, match);
// Always start service to handle notifications and/or scanning
@@ -1166,6 +1180,7 @@ public final class DownloadProvider extends ContentProvider {
try {
while (cursor.moveToNext()) {
final long id = cursor.getLong(0);
+ revokeAllDownloadsPermission(id);
DownloadStorageProvider.onDownloadProviderDelete(getContext(), id);
}
} finally {
@@ -1192,6 +1207,19 @@ public final class DownloadProvider extends ContentProvider {
logVerboseOpenFileInfo(uri, mode);
}
+ // Perform normal query to enforce caller identity access before
+ // clearing it to reach internal-only columns
+ final Cursor probeCursor = query(uri, new String[] {
+ Downloads.Impl._DATA }, null, null, null);
+ try {
+ if ((probeCursor == null) || (probeCursor.getCount() == 0)) {
+ throw new FileNotFoundException(
+ "No file found for " + uri + " as UID " + Binder.getCallingUid());
+ }
+ } finally {
+ IoUtils.closeQuietly(probeCursor);
+ }
+
final Cursor cursor = queryCleared(uri, new String[] {
Downloads.Impl._DATA, Downloads.Impl.COLUMN_STATUS,
Downloads.Impl.COLUMN_DESTINATION, Downloads.Impl.COLUMN_MEDIA_SCANNED }, null,
@@ -1373,4 +1401,20 @@ public final class DownloadProvider extends ContentProvider {
to.put(key, defaultValue);
}
}
+
+ private void grantAllDownloadsPermission(long id, int uid) {
+ final String[] packageNames = getContext().getPackageManager().getPackagesForUid(uid);
+ if (packageNames == null || packageNames.length == 0) return;
+
+ // We only need to grant to the first package, since the
+ // platform internally tracks based on UIDs
+ final Uri uri = ContentUris.withAppendedId(Downloads.Impl.ALL_DOWNLOADS_CONTENT_URI, id);
+ getContext().grantUriPermission(packageNames[0], uri,
+ Intent.FLAG_GRANT_READ_URI_PERMISSION | Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
+ }
+
+ private void revokeAllDownloadsPermission(long id) {
+ final Uri uri = ContentUris.withAppendedId(Downloads.Impl.ALL_DOWNLOADS_CONTENT_URI, id);
+ getContext().revokeUriPermission(uri, ~0);
+ }
}