Enforce permissions check in getLastTimeAnyComponentUsed

Enforce the permission check for both INTERACT_ACROSS_USERS and PACKAGE_USAGE_STATS permissions. Bug: 191382775 Test: atest CtsUsageStatsTestCases:UsageStatsTest Change-Id: I1371070478306005b2b4a59a1bc794bc368ae0c4
2021-06-23 15:50:10 -07:00
parent a6689c521a
commit bdac90593f
3 changed files with 10 additions and 3 deletions
--- a/core/java/android/app/usage/IUsageStatsManager.aidl
+++ b/core/java/android/app/usage/IUsageStatsManager.aidl
@@ -68,5 +68,5 @@ interface IUsageStatsManager {
    void reportUserInteraction(String packageName, int userId);
    int getUsageSource();
    void forceUsageSourceSettingRead();
-    long getLastTimeAnyComponentUsed(String packageName);
+    long getLastTimeAnyComponentUsed(String packageName, String callingPackage);
 }
--- a/core/java/android/app/usage/UsageStatsManager.java
+++ b/core/java/android/app/usage/UsageStatsManager.java
@@ -1287,7 +1287,7 @@ public final class UsageStatsManager {
            android.Manifest.permission.PACKAGE_USAGE_STATS})
    public long getLastTimeAnyComponentUsed(@NonNull String packageName) {
        try {
-            return mService.getLastTimeAnyComponentUsed(packageName);
+            return mService.getLastTimeAnyComponentUsed(packageName, mContext.getOpPackageName());
        } catch (RemoteException re) {
            throw re.rethrowFromSystemServer();
        }
--- a/services/usage/java/com/android/server/usage/UsageStatsService.java
+++ b/services/usage/java/com/android/server/usage/UsageStatsService.java
@@ -2226,7 +2226,14 @@ public class UsageStatsService extends SystemService implements
        }

        @Override
-        public long getLastTimeAnyComponentUsed(String packageName) {
+        public long getLastTimeAnyComponentUsed(String packageName, String callingPackage) {
+            if (!hasPermissions(
+                    callingPackage, android.Manifest.permission.INTERACT_ACROSS_USERS)) {
+                throw new SecurityException("Caller doesn't have INTERACT_ACROSS_USERS permission");
+            }
+            if (!hasPermission(callingPackage)) {
+                throw new SecurityException("Don't have permission to query usage stats");
+            }
            synchronized (mLock) {
                // Truncate the returned milliseconds to the boundary of the last day before exact
                // time for privacy reasons.