Deleting downloads for removed uids on downloadprovider start After uninstalling an app, if the system was shutdown before the download provider received the broadcast for UID_REMOVED, another app installed later in the same uid might be able to gain access to the files downloaded by this app. Removing any such hanging downloads at the start up of the download provider should fix this issue. Test: Manually tested by uninstalling an app and killing and restarting the process android.process.media, to check that the downloaded files of the uninstalled app were deleted. Bug:22011579 Merged-In: I7382c4846f99035b40412a01715aee5873efa9e6 Change-Id: I7382c4846f99035b40412a01715aee5873efa9e6 (cherry picked from commit e21ad54b4ccaaca95f019fb7fdec6409904bf3b1)

commit: 1a49568d76aa0d1acb6e3423762fd95af44f57d7 [log] [tgz]
author: Suprabh Shukla <suprabh@google.com> Mon Feb 27 15:56:11 2017 -0800
committer: android-build-team Robot <android-build-team-robot@google.com> Thu Jun 08 18:24:29 2017 +0000
tree: 87b95f8ac852a24ebffbc76ec10ce712a16f861e
parent: 2ffc370c4c19b4a705819242612bc9b3278c1b51 [diff]
diff --git a/src/com/android/providers/downloads/DownloadProvider.java b/src/com/android/providers/downloads/DownloadProvider.java
index 13ab545..7f014ad 100644
--- a/src/com/android/providers/downloads/DownloadProvider.java
+++ b/src/com/android/providers/downloads/DownloadProvider.java

@@ -467,13 +467,26 @@
         final SQLiteDatabase db = mOpenHelper.getReadableDatabase();
         final Cursor cursor = db.query(DB_TABLE, new String[] {
                 Downloads.Impl._ID, Constants.UID }, null, null, null, null, null);
+        final ArrayList<Long> idsToDelete = new ArrayList<>();
         try {
             while (cursor.moveToNext()) {
-                grantAllDownloadsPermission(cursor.getLong(0), cursor.getInt(1));
+                final long downloadId = cursor.getLong(0);
+                final int uid = cursor.getInt(1);
+                final String ownerPackage = getPackageForUid(uid);
+                if (ownerPackage == null) {
+                    idsToDelete.add(downloadId);
+                } else {
+                    grantAllDownloadsPermission(ownerPackage, downloadId);
+                }
             }
         } finally {
             cursor.close();
         }
+        if (idsToDelete.size() > 0) {
+            Log.i(Constants.TAG,
+                    "Deleting downloads with ids " + idsToDelete + " as owner package is missing");
+            deleteDownloadsWithIds(idsToDelete);
+        }
 
         // start the DownloadService class. don't wait for the 1st download to be issued.
         // saves us by getting some initialization code in DownloadService out of the way.
@@ -482,6 +495,19 @@
         return true;
     }
 
+    private void deleteDownloadsWithIds(ArrayList<Long> downloadIds) {
+        final int N = downloadIds.size();
+        if (N == 0) {
+            return;
+        }
+        final StringBuilder queryBuilder = new StringBuilder(Downloads.Impl._ID + " in (");
+        for (int i = 0; i < N; i++) {
+            queryBuilder.append(downloadIds.get(i));
+            queryBuilder.append((i == N - 1) ? ")" : ",");
+        }
+        delete(Downloads.Impl.ALL_DOWNLOADS_CONTENT_URI, queryBuilder.toString(), null);
+    }
+
     /**
      * Returns the content-provider-style MIME types of the various
      * types accessible through this content provider.
@@ -700,7 +726,13 @@
         }
 
         insertRequestHeaders(db, rowID, values);
-        grantAllDownloadsPermission(rowID, Binder.getCallingUid());
+
+        final String callingPackage = getPackageForUid(Binder.getCallingUid());
+        if (callingPackage == null) {
+            Log.e(Constants.TAG, "Package does not exist for calling uid");
+            return null;
+        }
+        grantAllDownloadsPermission(callingPackage, rowID);
         notifyContentChanged(uri, match);
 
         // Always start service to handle notifications and/or scanning
@@ -710,6 +742,15 @@
         return ContentUris.withAppendedId(Downloads.Impl.CONTENT_URI, rowID);
     }
 
+    private String getPackageForUid(int uid) {
+        String[] packages = getContext().getPackageManager().getPackagesForUid(uid);
+        if (packages == null || packages.length == 0) {
+            return null;
+        }
+        // For permission related purposes, any package belonging to the given uid should work.
+        return packages[0];
+    }
+
     /**
      * Check that the file URI provided for DESTINATION_FILE_URI is valid.
      */
@@ -1442,14 +1483,9 @@
         }
     }
 
-    private void grantAllDownloadsPermission(long id, int uid) {
-        final String[] packageNames = getContext().getPackageManager().getPackagesForUid(uid);
-        if (packageNames == null || packageNames.length == 0) return;
-
-        // We only need to grant to the first package, since the
-        // platform internally tracks based on UIDs
+    private void grantAllDownloadsPermission(String toPackage, long id) {
         final Uri uri = ContentUris.withAppendedId(Downloads.Impl.ALL_DOWNLOADS_CONTENT_URI, id);
-        getContext().grantUriPermission(packageNames[0], uri,
+        getContext().grantUriPermission(toPackage, uri,
                 Intent.FLAG_GRANT_READ_URI_PERMISSION | Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
     }
commit	1a49568d76aa0d1acb6e3423762fd95af44f57d7	[log] [tgz]
author	Suprabh Shukla <suprabh@google.com>	Mon Feb 27 15:56:11 2017 -0800
committer	android-build-team Robot <android-build-team-robot@google.com>	Thu Jun 08 18:24:29 2017 +0000
tree	87b95f8ac852a24ebffbc76ec10ce712a16f861e
parent	2ffc370c4c19b4a705819242612bc9b3278c1b51 [diff]