From b2129eb6b112da17cae9df2f01fdcc4f1ccd5b7b Mon Sep 17 00:00:00 2001 From: Malcolm Chen Date: Tue, 16 Oct 2018 18:18:51 -0700 Subject: [PATCH] Clear calling identity in callback. In SubscriptionManager, when onSubscriptionsChanged is called when opportunistic subscriptions change, clear calling identity. Otherwise mExecutor is executed with phone process identity which can be a security issue. Test: build Bug: 117794788 Change-Id: I766cdc89f0421265cab00dc40d53f355deb7b92b Merged-In: I766cdc89f0421265cab00dc40d53f355deb7b92b --- .../java/android/telephony/SubscriptionManager.java | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/telephony/java/android/telephony/SubscriptionManager.java b/telephony/java/android/telephony/SubscriptionManager.java index 93a062299be18..db4b57febf651 100644 --- a/telephony/java/android/telephony/SubscriptionManager.java +++ b/telephony/java/android/telephony/SubscriptionManager.java @@ -43,6 +43,7 @@ import android.database.ContentObserver; import android.net.INetworkPolicyManager; import android.net.NetworkCapabilities; import android.net.Uri; +import android.os.Binder; import android.os.Build; import android.os.Handler; import android.os.Looper; @@ -850,8 +851,13 @@ public class SubscriptionManager { IOnSubscriptionsChangedListener callback = new IOnSubscriptionsChangedListener.Stub() { @Override public void onSubscriptionsChanged() { - if (DBG) log("onOpportunisticSubscriptionsChanged callback received."); - mExecutor.execute(() -> onOpportunisticSubscriptionsChanged()); + final long identity = Binder.clearCallingIdentity(); + try { + if (DBG) log("onOpportunisticSubscriptionsChanged callback received."); + mExecutor.execute(() -> onOpportunisticSubscriptionsChanged()); + } finally { + Binder.restoreCallingIdentity(identity); + } } };