commit 05cd832c241a543feb3a833e75b56c6f253b05e9
author Hui Yu <huiyu@google.com> Sat May 07 21:43:23 2022 -0700
committer Android Build Coastguard Worker <android-build-coastguard-worker@google.com> Sat Jun 11 16:36:52 2022 +0000
tree 52a20e89b3f6375542a3fe93407878dae7aa06c5
parent 627dcb8bdbff6c43fd5f41d2c7adc464884b3a64

Make sure callingPackage belongs to callingUid when checking BG-FGS restrictions.

This is to stop spoofed packageName to pretend to be allowListed
packageName so it can bypass the BG-FGS restriction. This applies to
both BG-FGS while-in-use restriction and BG-FGS-start restriction
since these two restrictions are related.

Bug: 216695100
Bug: 215003903
Test: atest cts/tests/app/src/android/app/cts/ActivityManagerFgsBgStartTest.java#testSpoofPackageName
Change-Id: Ic14fc331a9b5fbdbcfe6e54a31c8b765513bfd89
Merged-In: Ic14fc331a9b5fbdbcfe6e54a31c8b765513bfd89
(cherry picked from commit eef20391ce4d15d4508dc295cb338954a7c69de7)
Merged-In: Ic14fc331a9b5fbdbcfe6e54a31c8b765513bfd89

services/core/java/com/android/server/am/ActiveServices.java

diff --git a/services/core/java/com/android/server/am/ActiveServices.java b/services/core/java/com/android/server/am/ActiveServices.java
index a2fec27..49bfd4d 100644
--- a/services/core/java/com/android/server/am/ActiveServices.java
+++ b/services/core/java/com/android/server/am/ActiveServices.java
@@ -5992,10 +5992,16 @@
         }
 
         if (ret == REASON_DENIED) {
-            final boolean isAllowedPackage =
-                    mAllowListWhileInUsePermissionInFgs.contains(callingPackage);
-            if (isAllowedPackage) {
-                ret = REASON_ALLOWLISTED_PACKAGE;
+            if (verifyPackage(callingPackage, callingUid)) {
+                final boolean isAllowedPackage =
+                        mAllowListWhileInUsePermissionInFgs.contains(callingPackage);
+                if (isAllowedPackage) {
+                    ret = REASON_ALLOWLISTED_PACKAGE;
+                }
+            } else {
+                EventLog.writeEvent(0x534e4554, "215003903", callingUid,
+                        "callingPackage:" + callingPackage + " does not belong to callingUid:"
+                                + callingUid);
             }
         }
 
@@ -6378,4 +6384,21 @@
                 /* allowBackgroundActivityStarts */ false)
                 != REASON_DENIED;
     }
+
+    /**
+     * Checks if a given packageName belongs to a given uid.
+     * @param packageName the package of the caller
+     * @param uid the uid of the caller
+     * @return true or false
+     */
+    private boolean verifyPackage(String packageName, int uid) {
+        if (uid == ROOT_UID || uid == SYSTEM_UID) {
+            //System and Root are always allowed
+            return true;
+        }
+        final int userId = UserHandle.getUserId(uid);
+        final int packageUid = mAm.getPackageManagerInternal()
+                .getPackageUid(packageName, PackageManager.MATCH_DEBUG_TRIAGED_MISSING, userId);
+        return UserHandle.isSameApp(uid, packageUid);
+    }
 }