Extra security checks in placeCall.
When adding self-managed calls, ensure that the package of the caller
matches the package for the outgoing call phone account, unless the
caller is able to place calls.
This means a self-managed ConnectionService (CS) can ONLY place calls for its own CS.
However, the default dialer, or other call capable apps (e.g. Auto) can
still place calls on behalf of a self-managed CS.
Test: Created standalone test app to verify cases.
Bug: 38377651
Change-Id: I568b5131ff640ed66c094afae665630772956a17
diff --git a/src/com/android/server/telecom/TelecomServiceImpl.java b/src/com/android/server/telecom/TelecomServiceImpl.java
index 40ba21d..b333213 100644
--- a/src/com/android/server/telecom/TelecomServiceImpl.java
+++ b/src/com/android/server/telecom/TelecomServiceImpl.java
@@ -996,6 +996,10 @@
android.Manifest.permission.MANAGE_OWN_CALLS,
"Self-managed phone accounts must have MANAGE_OWN_CALLS " +
"permission.");
+
+ // Self-managed ConnectionServices can ONLY add new incoming calls
+ // using their own PhoneAccounts. The checkPackage(..) app opps
+ // check above ensures this.
}
}
long token = Binder.clearCallingIdentity();
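Review bot: The added comment misspells "app ops" as "app opps" and rests the whole guarantee on a `checkPackage(..)` call that is outside this hunk, so a reader cannot tell which package that check binds to the caller. If the check does compare the Binder calling UID with the PhoneAccount's package, say so in the comment, for example `// The AppOps checkPackage(..) call above verifies that the calling UID owns the PhoneAccount's package, so a self-managed ConnectionService can only add incoming calls on its own PhoneAccounts.` Because the invariant lives only in a comment, a later refactor that moves or drops that check would silently remove the restriction. A unit test for the mismatched-package case would pin it. The enclosing method starts and ends outside the hunk.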
@@ -1086,6 +1090,16 @@
if (isSelfManaged) {
mContext.enforceCallingOrSelfPermission(Manifest.permission.MANAGE_OWN_CALLS,
"Self-managed ConnectionServices require MANAGE_OWN_CALLS permission.");
+
+ if (!callingPackage.equals(
+ phoneAccountHandle.getComponentName().getPackageName())
+ && !canCallPhone(callingPackage,
+ "CALL_PHONE permission required to place calls.")) {
+ // The caller is not allowed to place calls, so we want to ensure that it
+ // can only place calls through itself.
+ throw new SecurityException("Self-managed ConnectionServices can only "
+ + "place calls through their own ConnectionService.");
+ }
} else if (!canCallPhone(callingPackage, "placeCall")) {
throw new SecurityException("Package " + callingPackage
+ " is not allowed to place phone calls");
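Review bot: The new ownership test `callingPackage.equals(phoneAccountHandle.getComponentName().getPackageName())` is only as strong as the binding between `callingPackage` and the Binder calling UID, and nothing in this hunk shows that binding. If `callingPackage` is a caller-supplied string that has not already been verified earlier in placeCall (outside the hunk), an app could pass another package's name and satisfy the comparison. Confirm that the verification exists and note it here, e.g. `// callingPackage has already been verified against the calling UID above.` Otherwise, add the same `checkPackage(..)` style check that the first hunk's comment relies on. Separately, the two `canCallPhone` calls in this hunk pass different kinds of second argument (`"CALL_PHONE permission required to place calls."` versus `"placeCall"`). Pick one convention so that any resulting SecurityException text is consistent.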