Enforce the permission and the owner rights earlier Move the check to the early section of the method to secure the validity. Bug: 188219307 Test: atest PackageManagerServiceHibernationTests Test: atest -p services/core/java/com/android/server/am Test: atest -p services/core/java/com/android/server/pm Test: manually using the PoC in the buganizer to ensure the symptom no longer exists. Change-Id: I49c456da65cb2befbf5c435e5febcdd9434be684

commit: 44a4529285f514c7cdbe0777004e853503399c35 [log] [tgz]
author: Jackal Guo <jackalguo@google.com> Thu Jun 10 15:33:59 2021 +0800
committer: Jackal Guo <jackalguo@google.com> Thu Jun 10 17:13:56 2021 +0800
tree: e9465c9a9368bd00d353e1b4b1c8c63cdee1207f
parent: bbece8611523b02033052ad1345a9c909a83661a [diff]
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index c812fc8..67d10afe 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java

@@ -23984,6 +23984,13 @@
         final int permission = mContext.checkCallingOrSelfPermission(
                 android.Manifest.permission.CHANGE_COMPONENT_ENABLED_STATE);
         final boolean allowedByPermission = (permission == PackageManager.PERMISSION_GRANTED);
+        if (!allowedByPermission
+                && !ArrayUtils.contains(getPackagesForUid(callingUid), packageName)) {
+            throw new SecurityException(
+                    "Permission Denial: attempt to change stopped state from pid="
+                            + Binder.getCallingPid()
+                            + ", uid=" + callingUid + ", package=" + packageName);
+        }
         enforceCrossUserPermission(callingUid, userId, true /* requireFullPermission */,
                 true /* checkShell */, "stop package");
         boolean shouldUnhibernate = false;
@@ -23994,8 +24001,7 @@
                 shouldUnhibernate = true;
             }
             if (!shouldFilterApplicationLocked(ps, callingUid, userId)
-                    && mSettings.setPackageStoppedStateLPw(this, packageName, stopped,
-                            allowedByPermission, callingUid, userId)) {
+                    && mSettings.setPackageStoppedStateLPw(this, packageName, stopped, userId)) {
                 scheduleWritePackageRestrictionsLocked(userId);
             }
         }

diff --git a/services/core/java/com/android/server/pm/Settings.java b/services/core/java/com/android/server/pm/Settings.java
index 4bc87a2..41a4fe1 100644
--- a/services/core/java/com/android/server/pm/Settings.java
+++ b/services/core/java/com/android/server/pm/Settings.java

@@ -4185,18 +4185,11 @@
     }
 
     boolean setPackageStoppedStateLPw(PackageManagerService pm, String packageName,
-            boolean stopped, boolean allowedByPermission, int uid, int userId) {
-        int appId = UserHandle.getAppId(uid);
+            boolean stopped, int userId) {
         final PackageSetting pkgSetting = mPackages.get(packageName);
         if (pkgSetting == null) {
             throw new IllegalArgumentException("Unknown package: " + packageName);
         }
-        if (!allowedByPermission && (appId != pkgSetting.appId)) {
-            throw new SecurityException(
-                    "Permission Denial: attempt to change stopped state from pid="
-                    + Binder.getCallingPid()
-                    + ", uid=" + uid + ", package uid=" + pkgSetting.appId);
-        }
         if (DEBUG_STOPPED) {
             if (stopped) {
                 RuntimeException e = new RuntimeException("here");
commit	44a4529285f514c7cdbe0777004e853503399c35	[log] [tgz]
author	Jackal Guo <jackalguo@google.com>	Thu Jun 10 15:33:59 2021 +0800
committer	Jackal Guo <jackalguo@google.com>	Thu Jun 10 17:13:56 2021 +0800
tree	e9465c9a9368bd00d353e1b4b1c8c63cdee1207f
parent	bbece8611523b02033052ad1345a9c909a83661a [diff]