author Rubin Xu <rubinxu@google.com> 2021-03-02 15:27:51 +0000
committer Rubin Xu <rubinxu@google.com> 2022-03-24 14:54:42 +0000
commit f62904fd707b5b8999e44428f50690d0ee09cd5a
tree aebcfc8f4196e5fb422c7e30fef719fe72dda4a7 /core
parent 23d65f1d38ae0e5fcb0beb4e38f451c908b55019
Secure REMOTE_BUGREPORT_DISPATCH
In remote bugreport collection, Shell sends REMOTE_BUGREPORT_DISPATCH to DevicePolicyManagerService which in turn notifies Device Owners that a bug report is ready for collection. There existed a threat where a malicious user could spoof the REMOTE_BUGREPORT_DISPATCH broadcast via ADB to send a crafted bugreport to the Device Owner.

Securing REMOTE_BUGREPORT_DISPATCH is not as easy as it appears: putting a permission on REMOTE_BUGREPORT_DISPATCH does not work since both the legitimate sender and the malicious user are UID_SHELL. Instead, we introduce a nonce which was sent from DPMS to Shell when bugreport is triggered, and DPM will only accept REMOTE_BUGREPORT_DISPATCH when a matching nonce is seen.

Ignore-AOSP-First: security fix

Bug: 171495100
Test: atest DeviceOwnerTest#testRemoteBugreportWithTwoUsers
Test: atest DeviceOwnerTest#testAdminActionBookkeeping
Test: atest BugreportManagerTest
Change-Id: I7649b4f22b74647d152d76bb46d5ca70bfa3617d
Merged-In: I7649b4f22b74647d152d76bb46d5ca70bfa3617d
(cherry picked from commit a4131c50d07c7b58c496bd82b9ab3389b6721654)
Diffstat (limited to 'core')
-rw-r--r-- core/java/android/app/IActivityManager.aidl 2
-rw-r--r-- core/java/android/app/admin/DevicePolicyManager.java 8
2 files changed, 9 insertions, 1 deletions
diff --git a/core/java/android/app/IActivityManager.aidl b/core/java/android/app/IActivityManager.aidl
index 64a9c441c57f..9e23b5fa692b 100644
--- a/core/java/android/app/IActivityManager.aidl
+++ b/core/java/android/app/IActivityManager.aidl
@@ -438,7 +438,7 @@ interface IActivityManager {
void requestInteractiveBugReport();
void requestFullBugReport();
- void requestRemoteBugReport();
+ void requestRemoteBugReport(long nonce);
boolean launchBugReportHandlerApp();
List<String> getBugreportWhitelistedPackages();
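Review bot: the new `long nonce` parameter on `requestRemoteBugReport` is undocumented, although the commit message makes it the only thing that separates the legitimate Shell sender from an ADB user running under the same UID. I would add a comment on this AIDL method stating that the nonce is generated by DevicePolicyManagerService, that it must be unpredictable, and that it is valid for one bugreport request only. Because this view is limited to 'core', it is also worth confirming that every caller of the old zero-argument `requestRemoteBugReport()` is updated in the same change.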
diff --git a/core/java/android/app/admin/DevicePolicyManager.java b/core/java/android/app/admin/DevicePolicyManager.java
index a37979a2417f..ff072c268449 100644
--- a/core/java/android/app/admin/DevicePolicyManager.java
+++ b/core/java/android/app/admin/DevicePolicyManager.java
@@ -497,6 +497,14 @@ public class DevicePolicyManager {
"android.intent.extra.REMOTE_BUGREPORT_HASH";
/**
+ * Extra for shared bugreport's nonce in long integer type.
+ *
+ * @hide
+ */
+ public static final String EXTRA_REMOTE_BUGREPORT_NONCE =
+ "android.intent.extra.REMOTE_BUGREPORT_NONCE";
+
+ /**
* Extra for remote bugreport notification shown type.
*
* @hide
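Review bot: the Javadoc on `EXTRA_REMOTE_BUGREPORT_NONCE` gives only the type ("in long integer type") and does not say which intent carries the extra or what a receiver should do with it. I would name REMOTE_BUGREPORT_DISPATCH as the carrying broadcast and state that a dispatch with a missing or non-matching nonce is to be dropped. The receiving code is not in this view, but since reading a long extra with `Intent.getLongExtra` needs a default value, the documentation should make clear that an absent extra counts as a mismatch and is never compared against a default that could equal a valid nonce.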