Google Git
Sign in
android / platform / packages / providers / TelephonyProvider / refs/tags/android-security-9.0.0_r76^! / .
commit5cc678de4be4c0bd26868dfcd5bc28bd6c0c188e[log] [tgz]
authorHall Liu <hallliu@google.com>Mon Dec 16 11:30:53 2019 -0800
committerGreg Wroblewski <musashi@google.com>Fri Jan 10 14:54:18 2020 -0800
tree4cc7f8eb085692866e61fdc451331537efc88503
parent3568b9676b108d7932873ca8239c01cc1e5ff8bf [diff]
DO NOT MERGE Check permissions for URL_SIMINFO

Check permissions if the query is attempting to access URL_SIMINFO,
since it contains sensitive IDs.

Test: atest android.provider.cts.TelephonyProviderTest
Bug: 140622024
Change-Id: Ibcf4cf01a965b5c91aebf65adc98110ba3be89f6
(cherry picked from commit 6bdd858706c8fbe60a3a4b3a3bde80efa24ba157)

diff --git a/src/com/android/providers/telephony/TelephonyProvider.java b/src/com/android/providers/telephony/TelephonyProvider.java
index adf3bba..8963559 100644
--- a/src/com/android/providers/telephony/TelephonyProvider.java
+++ b/src/com/android/providers/telephony/TelephonyProvider.java

@@ -2552,6 +2552,9 @@
                 // null returns all columns, so need permission check
                 checkPermission();
             }
+        } else {
+            // For the sim_info table, we only require READ_PHONE_STATE
+            checkReadSimInfoPermission();
         }
 
         SQLiteDatabase db = getReadableDatabase();
@@ -3213,6 +3216,23 @@
         throw new SecurityException("No permission to write APN settings");
     }
 
+    private void checkReadSimInfoPermission() {
+        try {
+            // Even if the caller doesn't have READ_PHONE_STATE, we'll let them access sim_info as
+            // long as they have the more restrictive write_apn_settings or carrier priv.
+            checkPermission();
+            return;
+        } catch (SecurityException e) {
+            int status = getContext().checkCallingOrSelfPermission(
+                    "android.permission.READ_PHONE_STATE");
+            if (status == PackageManager.PERMISSION_GRANTED) {
+                return;
+            }
+            EventLog.writeEvent(0x534e4554, "124107808", Binder.getCallingUid());
+            throw new SecurityException("No READ_PHONE_STATE permission");
+        }
+    }
+
     private DatabaseHelper mOpenHelper;
 
     private void restoreDefaultAPN(int subId) {