RESTRICT AUTOMERGE: Trust session id only if started with ACTION_CONFIRM_INSTALL
InstallStart was reading sessionInfo whenever the starting intent had
the extra EXTRA_SESSION_ID. This could happen even if an external app
inserted a valid session id into its own REQUEST_INSTALL_PACKAGE intent.
This allows apps to potentially spoof the calling package.
Test: Existing tests pass:
atest GtsPackageInstallTestCases GtsNoPermissionTestCases \
GtsNoPermissionTestCases25
Bug: 112031362
Change-Id: Icdab1deeaf6b0afe7a61709cd87305336c467e33
diff --git a/src/com/android/packageinstaller/InstallStart.java b/src/com/android/packageinstaller/InstallStart.java
index 80691f2..1eb6de8 100644
--- a/src/com/android/packageinstaller/InstallStart.java
+++ b/src/com/android/packageinstaller/InstallStart.java
@@ -55,9 +55,14 @@
Intent intent = getIntent();
String callingPackage = getCallingPackage();
+ final boolean isSessionInstall =
+ PackageInstaller.ACTION_CONFIRM_PERMISSIONS.equals(intent.getAction());
+
// If the activity was started via a PackageInstaller session, we retrieve the calling
// package from that session
- int sessionId = intent.getIntExtra(PackageInstaller.EXTRA_SESSION_ID, -1);
+ final int sessionId = (isSessionInstall
+ ? intent.getIntExtra(PackageInstaller.EXTRA_SESSION_ID, -1)
+ : -1);
if (callingPackage == null && sessionId != -1) {
PackageInstaller packageInstaller = getPackageManager().getPackageInstaller();
PackageInstaller.SessionInfo sessionInfo = packageInstaller.getSessionInfo(sessionId);
@@ -100,7 +105,7 @@
nextActivity.putExtra(PackageInstallerActivity.EXTRA_ORIGINAL_SOURCE_INFO, sourceInfo);
nextActivity.putExtra(Intent.EXTRA_ORIGINATING_UID, originatingUid);
- if (PackageInstaller.ACTION_CONFIRM_PERMISSIONS.equals(intent.getAction())) {
+ if (isSessionInstall) {
nextActivity.setClass(this, PackageInstallerActivity.class);
} else {
Uri packageUri = intent.getData();