Force loading of safe labels in system_server.

It's too easy for code to accidentally use loadLabel() when building strings for security sensitive contexts, so add ability for a process to always force loading of safe strings. Test: builds, boots Bug: 73657770 Change-Id: I1c7645bd7bebed0cfb6bc3e5bfd36c8cb11d4838
2018-02-27 14:38:04 -07:00
parent d0f517b9df
commit b0613dceb0
2 changed files with 22 additions and 2 deletions
--- a/core/java/android/content/pm/PackageItemInfo.java
+++ b/core/java/android/content/pm/PackageItemInfo.java
@@ -43,6 +43,14 @@ import java.util.Comparator;
 */
 public class PackageItemInfo {
    private static final float MAX_LABEL_SIZE_PX = 500f;
+
+    private static volatile boolean sForceSafeLabels = false;
+
+    /** {@hide} */
+    public static void setForceSafeLabels(boolean forceSafeLabels) {
+        sForceSafeLabels = forceSafeLabels;
+    }
+
    /**
     * Public name of this item. From the "android:name" attribute.
     */
@@ -128,7 +136,16 @@ public class PackageItemInfo {
     * @return Returns a CharSequence containing the item's label.  If the
     * item does not have a label, its name is returned.
     */
-    public CharSequence loadLabel(PackageManager pm) {
+    public @NonNull CharSequence loadLabel(@NonNull PackageManager pm) {
+        if (sForceSafeLabels) {
+            return loadSafeLabel(pm);
+        } else {
+            return loadUnsafeLabel(pm);
+        }
+    }
+
+    /** {@hide} */
+    public CharSequence loadUnsafeLabel(PackageManager pm) {
        if (nonLocalizedLabel != null) {
            return nonLocalizedLabel;
        }
@@ -163,7 +180,7 @@ public class PackageItemInfo {
    @SystemApi
    public @NonNull CharSequence loadSafeLabel(@NonNull PackageManager pm) {
        // loadLabel() always returns non-null
-        String label = loadLabel(pm).toString();
+        String label = loadUnsafeLabel(pm).toString();
        // strip HTML tags to avoid <br> and other tags overwriting original message
        String labelStr = Html.fromHtml(label).toString();

--- a/services/java/com/android/server/SystemServer.java
+++ b/services/java/com/android/server/SystemServer.java
@@ -23,6 +23,7 @@ import android.content.ComponentName;
 import android.content.ContentResolver;
 import android.content.Context;
 import android.content.Intent;
+import android.content.pm.PackageItemInfo;
 import android.content.pm.PackageManager;
 import android.content.res.Configuration;
 import android.content.res.Resources.Theme;
@@ -331,6 +332,8 @@ public final class SystemServer {

            // The system server should never make non-oneway calls
            Binder.setWarnOnBlocking(true);
+            // The system server should always load safe labels
+            PackageItemInfo.setForceSafeLabels(true);
            // Deactivate SQLiteCompatibilityWalFlags until settings provider is initialized
            SQLiteCompatibilityWalFlags.init(null);