Merge cherrypicks of [2315914, 2315916, 2315837, 2315963, 2315918, 2315814, 2315983, 2315964, 2316107, 2316086, 2316109, 2315977, 2316145, 2316016, 2316110, 2316221, 2316088, 2316210, 2316242, 2316222, 2316075, 2316076, 2316077, 2316089, 2316243, 2316183, 2316078, 2316112, 2316211, 2316149, 2316113, 2316212, 2316151, 2316215, 2316131, 2316115, 2316245, 2316216, 2316116, 2316217, 2316279, 2316186, 2316187, 2316246, 2316247, 2316249, 2316218, 2316092, 2316094, 2316323, 2316360, 2316379] into nyc-mr1-security-a-release
Change-Id: Ieff1a644fccc58ff74be5628ff4c9f658f7338bf
diff --git a/src/com/android/providers/downloads/DownloadProvider.java b/src/com/android/providers/downloads/DownloadProvider.java
index 7297558..e95eb50 100644
--- a/src/com/android/providers/downloads/DownloadProvider.java
+++ b/src/com/android/providers/downloads/DownloadProvider.java
@@ -473,17 +473,42 @@
final SQLiteDatabase db = mOpenHelper.getReadableDatabase();
final Cursor cursor = db.query(DB_TABLE, new String[] {
Downloads.Impl._ID, Constants.UID }, null, null, null, null, null);
+ final ArrayList<Long> idsToDelete = new ArrayList<>();
try {
while (cursor.moveToNext()) {
- grantAllDownloadsPermission(cursor.getLong(0), cursor.getInt(1));
+ final long downloadId = cursor.getLong(0);
+ final int uid = cursor.getInt(1);
+ final String ownerPackage = getPackageForUid(uid);
+ if (ownerPackage == null) {
+ idsToDelete.add(downloadId);
+ } else {
+ grantAllDownloadsPermission(ownerPackage, downloadId);
+ }
}
} finally {
cursor.close();
}
-
+ if (idsToDelete.size() > 0) {
+ Log.i(Constants.TAG,
+ "Deleting downloads with ids " + idsToDelete + " as owner package is missing");
+ deleteDownloadsWithIds(idsToDelete);
+ }
return true;
}
+ private void deleteDownloadsWithIds(ArrayList<Long> downloadIds) {
+ final int N = downloadIds.size();
+ if (N == 0) {
+ return;
+ }
+ final StringBuilder queryBuilder = new StringBuilder(Downloads.Impl._ID + " in (");
+ for (int i = 0; i < N; i++) {
+ queryBuilder.append(downloadIds.get(i));
+ queryBuilder.append((i == N - 1) ? ")" : ",");
+ }
+ delete(Downloads.Impl.ALL_DOWNLOADS_CONTENT_URI, queryBuilder.toString(), null);
+ }
+
/**
* Returns the content-provider-style MIME types of the various
* types accessible through this content provider.
@@ -703,7 +728,13 @@
}
insertRequestHeaders(db, rowID, values);
- grantAllDownloadsPermission(rowID, Binder.getCallingUid());
+
+ final String callingPackage = getPackageForUid(Binder.getCallingUid());
+ if (callingPackage == null) {
+ Log.e(Constants.TAG, "Package does not exist for calling uid");
+ return null;
+ }
+ grantAllDownloadsPermission(callingPackage, rowID);
notifyContentChanged(uri, match);
final long token = Binder.clearCallingIdentity();
@@ -722,6 +753,15 @@
return ContentUris.withAppendedId(Downloads.Impl.CONTENT_URI, rowID);
}
+ private String getPackageForUid(int uid) {
+ String[] packages = getContext().getPackageManager().getPackagesForUid(uid);
+ if (packages == null || packages.length == 0) {
+ return null;
+ }
+ // For permission related purposes, any package belonging to the given uid should work.
+ return packages[0];
+ }
+
/**
* Check that the file URI provided for DESTINATION_FILE_URI is valid.
*/
@@ -1499,14 +1539,9 @@
}
}
- private void grantAllDownloadsPermission(long id, int uid) {
- final String[] packageNames = getContext().getPackageManager().getPackagesForUid(uid);
- if (packageNames == null || packageNames.length == 0) return;
-
- // We only need to grant to the first package, since the
- // platform internally tracks based on UIDs
+ private void grantAllDownloadsPermission(String toPackage, long id) {
final Uri uri = ContentUris.withAppendedId(Downloads.Impl.ALL_DOWNLOADS_CONTENT_URI, id);
- getContext().grantUriPermission(packageNames[0], uri,
+ getContext().grantUriPermission(toPackage, uri,
Intent.FLAG_GRANT_READ_URI_PERMISSION | Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
}