DO NOT MERGE Check permissions for URL_SIMINFO
Check permissions if the query is attempting to access URL_SIMINFO,
since it contains sensitive IDs.
Test: atest android.provider.cts.TelephonyProviderTest
Bug: 140622024
Change-Id: Ibcf4cf01a965b5c91aebf65adc98110ba3be89f6
(cherry picked from commit 6bdd858706c8fbe60a3a4b3a3bde80efa24ba157)
diff --git a/src/com/android/providers/telephony/TelephonyProvider.java b/src/com/android/providers/telephony/TelephonyProvider.java
index adf3bba..8963559 100644
--- a/src/com/android/providers/telephony/TelephonyProvider.java
+++ b/src/com/android/providers/telephony/TelephonyProvider.java
@@ -2552,6 +2552,9 @@
// null returns all columns, so need permission check
checkPermission();
}
+ } else {
+ // For the sim_info table, we only require READ_PHONE_STATE
+ checkReadSimInfoPermission();
}
SQLiteDatabase db = getReadableDatabase();
@@ -3213,6 +3216,23 @@
throw new SecurityException("No permission to write APN settings");
}
+ private void checkReadSimInfoPermission() {
+ try {
+ // Even if the caller doesn't have READ_PHONE_STATE, we'll let them access sim_info as
+ // long as they have the more restrictive write_apn_settings or carrier priv.
+ checkPermission();
+ return;
+ } catch (SecurityException e) {
+ int status = getContext().checkCallingOrSelfPermission(
+ "android.permission.READ_PHONE_STATE");
+ if (status == PackageManager.PERMISSION_GRANTED) {
+ return;
+ }
+ EventLog.writeEvent(0x534e4554, "124107808", Binder.getCallingUid());
+ throw new SecurityException("No READ_PHONE_STATE permission");
+ }
+ }
+
private DatabaseHelper mOpenHelper;
private void restoreDefaultAPN(int subId) {