Fix cross-user talk.

An app can access widgets hosted or provided by its uid and package.
Access is also allowed if the caller has the bind app widgets permission
but this caller can be in the wrong user. Now the caller should not
only have the bind app widget permission but also be in the same user
as the host or the provider of the widget.

bug:16834230

Change-Id: I5ddb6309f63f2b4ba95360446c2b9584350fb66f

2 files changed, 18 insertions, 11 deletions

diff --git a/core/java/android/widget/AdapterViewFlipper.java b/core/java/android/widget/AdapterViewFlipper.java
index 3b026bd..285dee8 100644
--- a/core/java/android/widget/AdapterViewFlipper.java
+++ b/core/java/android/widget/AdapterViewFlipper.java
@@ -105,7 +105,17 @@ public class AdapterViewFlipper extends AdapterViewAnimator {
         final IntentFilter filter = new IntentFilter();
         filter.addAction(Intent.ACTION_SCREEN_OFF);
         filter.addAction(Intent.ACTION_USER_PRESENT);
-        getContext().registerReceiver(mReceiver, filter);
+
+        // OK, this is gross but needed. This class is supported by the
+        // remote views machanism and as a part of that the remote views
+        // can be inflated by a context for another user without the app
+        // having interact users permission - just for loading resources.
+        // For exmaple, when adding widgets from a user profile to the
+        // home screen. Therefore, we register the receiver as the current
+        // user not the one the context is for.
+        getContext().registerReceiverAsUser(mReceiver, android.os.Process.myUserHandle(),
+                filter, null, mHandler);
+
 
         if (mAutoStart) {
             // Automatically start when requested
diff --git a/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java b/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java
index e9d0c46..4315e0d 100644
--- a/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java
+++ b/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java
@@ -3125,9 +3125,13 @@ class AppWidgetServiceImpl extends IAppWidgetService.Stub implements WidgetBacku
                 // Apps hosting the AppWidget get to bind to a remote view service in the provider.
                 return true;
             }
-            if (mContext.checkCallingPermission(android.Manifest.permission.BIND_APPWIDGET)
+            final int userId = UserHandle.getUserId(uid);
+            if ((widget.host.getUserId() == userId || (widget.provider != null
+                    && widget.provider.getUserId() == userId))
+                && mContext.checkCallingPermission(android.Manifest.permission.BIND_APPWIDGET)
                     == PackageManager.PERMISSION_GRANTED) {
-                // Apps that can bind have access to all appWidgetIds.
+                // Apps that run in the same user as either the host or the provider and
+                // have the bind widget permission have access to the widget.
                 return true;
             }
             return false;
@@ -3187,14 +3191,7 @@ class AppWidgetServiceImpl extends IAppWidgetService.Stub implements WidgetBacku
         }
 
         public boolean isHostInPackageForUid(Host host, int uid, String packageName) {
-            if (UserHandle.getAppId(uid) == Process.myUid()) {
-                // For a host that's in the system process, ignore the user id.
-                return UserHandle.isSameApp(host.id.uid, uid)
-                        && host.id.packageName.equals(packageName);
-            } else {
-                return host.id.uid == uid
-                        && host.id.packageName.equals(packageName);
-            }
+            return host.id.uid == uid && host.id.packageName.equals(packageName);
         }
 
         public boolean isProviderInPackageForUid(Provider provider, int uid,