commit 52a8de79e7fc6820707850b69afef35c11ae8d67
author “Ayush <ayushsha@google.com> Thu Aug 05 09:25:00 2021 +0000
committer Ayush Sharma <ayushsha@google.com> Tue Sep 07 11:54:59 2021 +0000
tree 74b31c3ada476e9809cbf8d6096b2f53e0399a1e
parent 9ca7052183e8400a344e5e24d60178c1aa420bd0

Add check to verify package belongs to caller

To fix security vulnerability mentioned in bug b/192587406, Add check to
verify that package that is being queried belongs to the caller.

Bug: 192587406
Test: atest AccessSerialNumberTest
atest DeviceOwnerTest#testDeviceOwnerCanGetDeviceIdentifiers
atest MixedDeviceOwnerTest#testEnrollmentSpecificIdCorrectCalculation
atest MixedProfileOwnerTest#testEnrollmentSpecificIdCorrectCalculation
atest MixedManagedProfileOwnerTest#testEnrollmentSpecificIdCorrectCalculation

Change-Id: I343b847ae3e070201a7ac93ad88ceb2e47e829b2
Merged-In: I343b847ae3e070201a7ac93ad88ceb2e47e829b2
(cherry picked from commit fd5b4bcb54f7fddf12768adaa97b55146b4387ce)

services/core/java/com/android/server/os/DeviceIdentifiersPolicyService.java

diff --git a/services/core/java/com/android/server/os/DeviceIdentifiersPolicyService.java b/services/core/java/com/android/server/os/DeviceIdentifiersPolicyService.java
index 947405e..b276c6f 100644
--- a/services/core/java/com/android/server/os/DeviceIdentifiersPolicyService.java
+++ b/services/core/java/com/android/server/os/DeviceIdentifiersPolicyService.java
@@ -19,10 +19,13 @@
 import android.annotation.NonNull;
 import android.annotation.Nullable;
 import android.content.Context;
+import android.content.pm.PackageManager;
+import android.os.Binder;
 import android.os.Build;
 import android.os.IDeviceIdentifiersPolicyService;
 import android.os.RemoteException;
 import android.os.SystemProperties;
+import android.os.UserHandle;
 
 import com.android.internal.telephony.TelephonyPermissions;
 import com.android.server.SystemService;
@@ -65,11 +68,31 @@
         @Override
         public @Nullable String getSerialForPackage(String callingPackage,
                 String callingFeatureId) throws RemoteException {
+            if (!checkPackageBelongsToCaller(callingPackage)) {
+                throw new IllegalArgumentException(
+                        "Invalid callingPackage or callingPackage does not belong to caller's uid:"
+                                + Binder.getCallingUid());
+            }
+
             if (!TelephonyPermissions.checkCallingOrSelfReadDeviceIdentifiers(mContext,
                     callingPackage, callingFeatureId, "getSerial")) {
                 return Build.UNKNOWN;
             }
             return SystemProperties.get("ro.serialno", Build.UNKNOWN);
         }
+
+        private boolean checkPackageBelongsToCaller(String callingPackage) {
+            int callingUid = Binder.getCallingUid();
+            int callingUserId = UserHandle.getUserId(callingUid);
+            int callingPackageUid;
+            try {
+                callingPackageUid = mContext.getPackageManager().getPackageUidAsUser(
+                        callingPackage, callingUserId);
+            } catch (PackageManager.NameNotFoundException e) {
+                return false;
+            }
+
+            return callingPackageUid == callingUid;
+        }
     }
 }