From b0613dceb0db9d75edc19f104af4cd198745d991 Mon Sep 17 00:00:00 2001
From: Jeff Sharkey
Date: Tue, 27 Feb 2018 14:38:04 -0700
Subject: [PATCH] Force loading of safe labels in system_server.
It's too easy for code to accidentally use loadLabel() when building strings for security sensitive contexts, so add ability for a process to always force loading of safe strings.
Test: builds, boots
Bug: 73657770
Change-Id: I1c7645bd7bebed0cfb6bc3e5bfd36c8cb11d4838
---
 .../android/content/pm/PackageItemInfo.java | 21 +++++++++++++++++--
 .../java/com/android/server/SystemServer.java | 3 +++
 2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/core/java/android/content/pm/PackageItemInfo.java b/core/java/android/content/pm/PackageItemInfo.java
index 2c0c6ad0723e0..53ffd55d55105 100644
--- a/core/java/android/content/pm/PackageItemInfo.java
+++ b/core/java/android/content/pm/PackageItemInfo.java
@@ -43,6 +43,14 @@ import java.util.Comparator;
 */
 public class PackageItemInfo {
 private static final float MAX_LABEL_SIZE_PX = 500f;
+
+ private static volatile boolean sForceSafeLabels = false;
+
+ /** {@hide} */
+ public static void setForceSafeLabels(boolean forceSafeLabels) {
+ sForceSafeLabels = forceSafeLabels;
+ }
+
 /**
 * Public name of this item. From the "android:name" attribute.
 */
@@ -128,7 +136,16 @@ public class PackageItemInfo {
 * @return Returns a CharSequence containing the item's label. If the
 * item does not have a label, its name is returned.
 */
- public CharSequence loadLabel(PackageManager pm) {
+ public @NonNull CharSequence loadLabel(@NonNull PackageManager pm) {
+ if (sForceSafeLabels) {
+ return loadSafeLabel(pm);
+ } else {
+ return loadUnsafeLabel(pm);
+ }
+ }
+
+ /** {@hide} */
+ public CharSequence loadUnsafeLabel(PackageManager pm) {
 if (nonLocalizedLabel != null) {
 return nonLocalizedLabel;
 }
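Review bot: `setForceSafeLabels(boolean)` in the `@@ -43` hunk accepts `false`, so any code in the same process can turn the safe-label behaviour back off after it has been enabled. If nothing needs to clear the flag, a one-way setter such as `if (forceSafeLabels) sForceSafeLabels = true;` keeps the hardening from being undone by accident. Either way the bare `/** {@hide} */` should say that the flag is process-wide and changes what `loadLabel()` returns.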
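Review bot: The Javadoc kept above `loadLabel()` in the `@@ -128` hunk still describes only the raw label, yet with `sForceSafeLabels` set the method now returns the `loadSafeLabel()` result, which the `@@ -163` hunk shows is passed through `Html.fromHtml(...)`. A sentence such as `When safe labels are forced for the process, the result of {@link #loadSafeLabel} is returned instead.` would tell callers that the text can differ from the declared label. `loadUnsafeLabel()` is returned directly from the now `@NonNull` `loadLabel()` but carries no annotations itself; `public @NonNull CharSequence loadUnsafeLabel(@NonNull PackageManager pm)` would keep them consistent, assuming its body, which continues outside the hunk, never returns null. Any subclass that overrides `loadLabel()` would bypass the switch; none is visible on this page, so that is worth checking in the tree.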
@@ -163,7 +180,7 @@ public class PackageItemInfo {
 @SystemApi
 public @NonNull CharSequence loadSafeLabel(@NonNull PackageManager pm) {
 // loadLabel() always returns non-null
- String label = loadLabel(pm).toString();
+ String label = loadUnsafeLabel(pm).toString();
 // strip HTML tags to avoid
and other tags overwriting original message
 String labelStr = Html.fromHtml(label).toString();
diff --git a/services/java/com/android/server/SystemServer.java b/services/java/com/android/server/SystemServer.java
index 5b5de0e94ecaf..ccfadc0eba908 100644
--- a/services/java/com/android/server/SystemServer.java
+++ b/services/java/com/android/server/SystemServer.java
@@ -23,6 +23,7 @@ import android.content.ComponentName;
 import android.content.ContentResolver;
 import android.content.Context;
 import android.content.Intent;
+import android.content.pm.PackageItemInfo;
 import android.content.pm.PackageManager;
 import android.content.res.Configuration;
 import android.content.res.Resources.Theme;
@@ -331,6 +332,8 @@ public final class SystemServer {
 // The system server should never make non-oneway calls
 Binder.setWarnOnBlocking(true);
+ // The system server should always load safe labels
+ PackageItemInfo.setForceSafeLabels(true);
 // Deactivate SQLiteCompatibilityWalFlags until settings provider is initialized
 SQLiteCompatibilityWalFlags.init(null);
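Review bot: The comment `// loadLabel() always returns non-null` in the `@@ -163` hunk now sits above a call to `loadUnsafeLabel()`, so it names the wrong method; `// loadUnsafeLabel() always returns non-null` keeps it accurate. Calling `loadUnsafeLabel()` here is also what stops `loadLabel()` and `loadSafeLabel()` from calling each other once the flag is set, which deserves a short comment such as `// Must not call loadLabel(): it delegates back here when safe labels are forced` so the call is not reverted later. loadSafeLabel's body continues outside the hunk.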
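Review bot: The new comment in the `@@ -331` hunk of SystemServer.java states the rule but not the reason or its reach: the flag is a per-process static, so only code running inside system_server is covered, and other processes that render package labels still get the raw `loadLabel()` result. Suggest `// Labels are supplied by installed packages; force loadLabel() to return the sanitized form everywhere in this process`. Labels loaded before this line runs would not be affected, and the enclosing method starts outside the hunk, so the ordering relative to earlier startup code cannot be confirmed from here.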