[DO NOT MERGE] Check caller's uid in backupAgentCreated callback

AM.backupAgentCreated() should enforce that caller belongs the package called in the API. Bug: 289549315 Test: atest android.security.cts.ActivityManagerTest#testActivityManager_backupAgentCreated_rejectIfCallerUidNotEqualsPackageUid (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ff4b0f29e5bcaea805fd5106c8f6353cdc92123d) Merged-In: I9f3ae5ec0b8f00e020d471cc0eddf8bd8bdbb82d Change-Id: I9f3ae5ec0b8f00e020d471cc0eddf8bd8bdbb82d
author: Piyush Mehrotra <piee@google.com> 2023-07-27 19:35:14 +0000
committer: Android Build Coastguard Worker <android-build-coastguard-worker@google.com> 2023-09-11 17:13:26 +0000
commit: a16f46f4bfcba55d931c0b6bd9d57580cab674a2 (patch)
tree: c1fe5be6a14e84e73fbbe7286a572b1cdfc6890c
parent: 248bde5d67780c615c6b9cae0af0a93d37ed260d (diff)
1 files changed, 21 insertions, 2 deletions
diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
index ba0aaa1b7d8c..13953d873c0f 100644
--- a/services/core/java/com/android/server/am/ActivityManagerService.java
+++ b/services/core/java/com/android/server/am/ActivityManagerService.java
@@ -2982,6 +2982,22 @@ public class ActivityManagerService extends IActivityManager.Stub
         }
     }
 
+    /**
+     * Enforces that the uid of the caller matches the uid of the package.
+     *
+     * @param packageName the name of the package to match uid against.
+     * @param callingUid the uid of the caller.
+     * @throws SecurityException if the calling uid doesn't match uid of the package.
+     */
+    private void enforceCallingPackage(String packageName, int callingUid) {
+        final int userId = UserHandle.getUserId(callingUid);
+        final int packageUid = getPackageManagerInternal().getPackageUid(packageName,
+                /*flags=*/ 0, userId);
+        if (packageUid != callingUid) {
+            throw new SecurityException(packageName + " does not belong to uid " + callingUid);
+        }
+    }
+
     @Override
     public void setPackageScreenCompatMode(String packageName, int mode) {
         mActivityTaskManager.setPackageScreenCompatMode(packageName, mode);
@@ -12951,13 +12967,16 @@ public class ActivityManagerService extends IActivityManager.Stub
     // A backup agent has just come up
     @Override
     public void backupAgentCreated(String agentPackageName, IBinder agent, int userId) {
+        final int callingUid = Binder.getCallingUid();
+        enforceCallingPackage(agentPackageName, callingUid);
+
         // Resolve the target user id and enforce permissions.
-        userId = mUserController.handleIncomingUser(Binder.getCallingPid(), Binder.getCallingUid(),
+        userId = mUserController.handleIncomingUser(Binder.getCallingPid(), callingUid,
                 userId, /* allowAll */ false, ALLOW_FULL_ONLY, "backupAgentCreated", null);
         if (DEBUG_BACKUP) {
             Slog.v(TAG_BACKUP, "backupAgentCreated: " + agentPackageName + " = " + agent
                     + " callingUserId = " + UserHandle.getCallingUserId() + " userId = " + userId
-                    + " callingUid = " + Binder.getCallingUid() + " uid = " + Process.myUid());
+                    + " callingUid = " + callingUid + " uid = " + Process.myUid());
         }
 
         synchronized(this) {
author	Piyush Mehrotra <piee@google.com>	2023-07-27 19:35:14 +0000
committer	Android Build Coastguard Worker <android-build-coastguard-worker@google.com>	2023-09-11 17:13:26 +0000
commit	a16f46f4bfcba55d931c0b6bd9d57580cab674a2 (patch)
tree	c1fe5be6a14e84e73fbbe7286a572b1cdfc6890c
parent	248bde5d67780c615c6b9cae0af0a93d37ed260d (diff)