DO NOT MERGE Check caller for sending media key to telephony service

Prevent sending media key events from the non-system app to the telephony service through the AudioManager.dispatchMediaKeyEvent() or sending media key broadcast directly. Bug: 29833954 Tested: Installed malicious apps and confirmed that they don't work. Tested: Run CtsTelecomTestCases and CtsMediaTestCases Change-Id: I2a9e78196ba7455324e485f098f095d03b47ee15
2016-09-21 11:20:54 +09:00
parent 204da8aa9e
commit d1641e8c27
2 changed files with 20 additions and 1 deletions
--- a/media/java/android/media/MediaFocusControl.java
+++ b/media/java/android/media/MediaFocusControl.java
@@ -40,6 +40,7 @@ import android.os.IBinder;
 import android.os.Looper;
 import android.os.Message;
 import android.os.PowerManager;
+import android.os.Process;
 import android.os.RemoteException;
 import android.os.UserHandle;
 import android.os.IBinder.DeathRecipient;
@@ -750,7 +751,13 @@ public class MediaFocusControl implements OnFinished {
            synchronized(mRCStack) {
                if ((mMediaReceiverForCalls != null) &&
                        (mIsRinging || (mAudioService.getMode() == AudioSystem.MODE_IN_CALL))) {
-                    dispatchMediaKeyEventForCalls(keyEvent, needWakeLock);
+                    if (Binder.getCallingUid() != Process.SYSTEM_UID) {
+                        // Prevent dispatching key event to the global priority session.
+                        Slog.i(TAG, "Only the system can dispatch media key event "
+                                + "to the global priority session.");
+                    } else {
+                        dispatchMediaKeyEventForCalls(keyEvent, needWakeLock);
+                    }
                    return;
                }
            }
--- a/policy/src/com/android/internal/policy/impl/PhoneWindowManager.java
+++ b/policy/src/com/android/internal/policy/impl/PhoneWindowManager.java
@@ -4044,6 +4044,18 @@ public class PhoneWindowManager implements WindowManagerPolicy {
            case KeyEvent.KEYCODE_MEDIA_RECORD:
            case KeyEvent.KEYCODE_MEDIA_FAST_FORWARD:
            case KeyEvent.KEYCODE_MEDIA_AUDIO_TRACK: {
+                ITelephony telephonyService = getTelephonyService();
+                if (telephonyService != null) {
+                    try {
+                        if (!telephonyService.isIdle()) {
+                            // When phone is ringing or in-call, pass all media keys to it.
+                            result &= ~ACTION_PASS_TO_USER;
+                        }
+                    } catch (RemoteException ex) {
+                        Log.w(TAG, "ITelephony threw RemoteException", ex);
+                    }
+                }
+
                if ((result & ACTION_PASS_TO_USER) == 0) {
                    // Only do this if we would otherwise not pass it to the user. In that
                    // case, the PhoneWindow class will do the same thing, except it will