diff options
| author | Svetoslav <svetoslavganov@google.com> | 2014-08-06 22:05:48 -0700 |
|---|---|---|
| committer | Svetoslav Ganov <svetoslavganov@google.com> | 2014-08-07 05:14:36 +0000 |
| commit | 985e566ceca9c11d2f740499053f37dfaeb9033d (patch) | |
| tree | b6dc8b3ba3543e9c3df516bfe5b07bb08313e368 /services/appwidget | |
| parent | 14b7c54eeae4285f3c5084787c0607dd3103f20c (diff) | |
| download | frameworks_base-985e566ceca9c11d2f740499053f37dfaeb9033d.zip frameworks_base-985e566ceca9c11d2f740499053f37dfaeb9033d.tar.gz frameworks_base-985e566ceca9c11d2f740499053f37dfaeb9033d.tar.bz2 | |
Fix cross-user talk.
An app can access widgets hosted or provided by its uid and package.
Access is also allowed if the caller has the bind app widgets permission
but this caller can be in the wrong user. Now the caller should not
only have the bind app widget permission but also be in the same user
as the host or the provider of the widget.
bug:16834230
Change-Id: I5ddb6309f63f2b4ba95360446c2b9584350fb66f
Diffstat (limited to 'services/appwidget')
| -rw-r--r-- | services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java | 17 |
1 files changed, 7 insertions, 10 deletions
diff --git a/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java b/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java index e9d0c46..4315e0d 100644 --- a/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java +++ b/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java @@ -3125,9 +3125,13 @@ class AppWidgetServiceImpl extends IAppWidgetService.Stub implements WidgetBacku // Apps hosting the AppWidget get to bind to a remote view service in the provider. return true; } - if (mContext.checkCallingPermission(android.Manifest.permission.BIND_APPWIDGET) + final int userId = UserHandle.getUserId(uid); + if ((widget.host.getUserId() == userId || (widget.provider != null + && widget.provider.getUserId() == userId)) + && mContext.checkCallingPermission(android.Manifest.permission.BIND_APPWIDGET) == PackageManager.PERMISSION_GRANTED) { - // Apps that can bind have access to all appWidgetIds. + // Apps that run in the same user as either the host or the provider and + // have the bind widget permission have access to the widget. return true; } return false; @@ -3187,14 +3191,7 @@ class AppWidgetServiceImpl extends IAppWidgetService.Stub implements WidgetBacku } public boolean isHostInPackageForUid(Host host, int uid, String packageName) { - if (UserHandle.getAppId(uid) == Process.myUid()) { - // For a host that's in the system process, ignore the user id. - return UserHandle.isSameApp(host.id.uid, uid) - && host.id.packageName.equals(packageName); - } else { - return host.id.uid == uid - && host.id.packageName.equals(packageName); - } + return host.id.uid == uid && host.id.packageName.equals(packageName); } public boolean isProviderInPackageForUid(Provider provider, int uid, |