commit 609ee4daf84fc3f03fd755d00bbbcb147c36e8b2
author Shuo Qian <shuoq@google.com> Mon May 10 23:55:53 2021 -0700
committer Shuo Qian <shuoq@google.com> Thu May 20 21:02:46 2021 +0000
tree 07d0a4b568ca84b59e50a19feea80229b357c989
parent 2f046ed900a90ae25b6accfb5f2056a3d30ea0f7

Fix security issue that app can query which applications are installed on the device without requiring QUERY_ALL_PACKAGES in `getDeviceId` method of `PhoneSubInfoController` class

Test: Manual verified with Test app; Safety net log added
Bug: 185591180

Change-Id: Iff04a59a4ebfc842818960aea930dda2b86b1973

src/java/com/android/internal/telephony/PhoneSubInfoController.java

diff --git a/src/java/com/android/internal/telephony/PhoneSubInfoController.java b/src/java/com/android/internal/telephony/PhoneSubInfoController.java
index 8db71d9..36ed749 100644
--- a/src/java/com/android/internal/telephony/PhoneSubInfoController.java
+++ b/src/java/com/android/internal/telephony/PhoneSubInfoController.java
@@ -23,6 +23,7 @@
 
 import android.annotation.NonNull;
 import android.annotation.Nullable;
+import android.app.AppOpsManager;
 import android.compat.annotation.UnsupportedAppUsage;
 import android.content.Context;
 import android.content.pm.PackageManager;
@@ -35,6 +36,7 @@
 import android.telephony.PhoneNumberUtils;
 import android.telephony.SubscriptionManager;
 import android.telephony.TelephonyFrameworkInitializer;
+import android.util.EventLog;
 
 import com.android.internal.telephony.uicc.IsimRecords;
 import com.android.internal.telephony.uicc.UiccCard;
@@ -48,6 +50,7 @@
 
     @UnsupportedAppUsage(maxTargetSdk = Build.VERSION_CODES.R, trackingBug = 170729553)
     private final Context mContext;
+    private AppOpsManager mAppOps;
 
     public PhoneSubInfoController(Context context) {
         ServiceRegisterer phoneSubServiceRegisterer = TelephonyFrameworkInitializer
@@ -56,6 +59,7 @@
         if (phoneSubServiceRegisterer.get() == null) {
             phoneSubServiceRegisterer.register(this);
         }
+        mAppOps = context.getSystemService(AppOpsManager.class);
         mContext = context;
     }
 
@@ -71,6 +75,7 @@
 
     public String getDeviceIdForPhone(int phoneId, String callingPackage,
             String callingFeatureId) {
+        enforceCallingPackageUidMatched(callingPackage);
         return callPhoneMethodForPhoneIdWithReadDeviceIdentifiersCheck(phoneId, callingPackage,
                 callingFeatureId, "getDeviceId", (phone) -> phone.getDeviceId());
     }
@@ -265,6 +270,15 @@
         return PhoneFactory.getPhone(phoneId);
     }
 
+    private void enforceCallingPackageUidMatched(String callingPackage) {
+        try {
+            mAppOps.checkPackage(Binder.getCallingUid(), callingPackage);
+        } catch (SecurityException se) {
+            EventLog.writeEvent(0x534e4554, "188677422", Binder.getCallingUid());
+            throw se;
+        }
+    }
+
     private boolean enforceIccSimChallengeResponsePermission(Context context, int subId,
             String callingPackage, String callingFeatureId, String message) {
         if (TelephonyPermissions.checkCallingOrSelfUseIccAuthWithDeviceIdentifier(context,