From 2dfe92c2dfbaddd69dabe6e43ab77c4c204c4065 Mon Sep 17 00:00:00 2001
From: Jeff Sharkey
Date: Mon, 21 Nov 2016 10:33:54 -0700
Subject: [PATCH] No direct Uri grants from system.

The system should never be extending Uri permission grants from itself, since it automatically holds all the permissions. Instead, the system should always be a mediator between two specific app, and it should be using startActivityAsCaller() if it needs to extend permissions. Blocking at this level fixes an entire class of confused deputy security issues.

Test: builds, normal intent resolution UI works
Bug: 33019296
Change-Id: Iaa57c393a386d8068e807d0dd0caccc89d8a11db
---
 .../java/com/android/server/am/ActivityManagerService.java | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
index f892e52960f20..8bd75067bb94e 100644
--- a/services/core/java/com/android/server/am/ActivityManagerService.java
+++ b/services/core/java/com/android/server/am/ActivityManagerService.java
@@ -8103,7 +8103,12 @@ public class ActivityManagerService extends IActivityManager.Stub
 // Third... does the caller itself have permission to access
 // this uri?
- if (UserHandle.getAppId(callingUid) != Process.SYSTEM_UID) {
+ final int callingAppId = UserHandle.getAppId(callingUid);
+ if ((callingAppId == Process.SYSTEM_UID) || (callingAppId == Process.ROOT_UID)) {
+ Slog.w(TAG, "For security reasons, the system cannot issue a Uri permission"
+ " grant to " + grantUri + "; use startActivityAsCaller() instead");
+ return -1;
+ } else {
 if (!checkHoldingPermissionsLocked(pm, pi, grantUri, callingUid, modeFlags)) {
 // Require they hold a strong enough Uri permission
 if (!checkUriPermissionLocked(grantUri, callingUid, modeFlags)) {
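Review bot: The context comment directly above the new branch, "Third... does the caller itself have permission to access this uri?", no longer describes what the system/root case does, since that path now refuses the grant outright rather than checking the caller's permissions; I would extend it with `// System and root hold every permission, so a grant from them would launder access for whichever app the intent reaches; refuse and make the caller use startActivityAsCaller() to grant on behalf of the real origin.` Stylistically the `} else {` after an unconditional `return -1;` is unnecessary and forces the existing permission checks one level deeper, so the new guard could be closed before the original `if (!checkHoldingPermissionsLocked(...))` rather than wrapping it. The `Slog.w` call logs the full `grantUri`; if content URIs here can carry caller-supplied path or query segments, consider logging only the authority and leaving the rest out of the system log. The enclosing method begins and ends outside this hunk, so callers that depend on the meaning of the -1 return are not visible here.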