From: Tony Mak Date: Fri, 12 May 2017 15:11:43 +0000 (+0100) Subject: Clear calling identity before binding instant app resolver X-Git-Tag: android-x86-9.0-r1~1044^2~726^2 X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=f2645400c255aae29a217c5003fa661a0b4da6f1;p=android-x86%2Fframeworks-base.git Clear calling identity before binding instant app resolver EphemeralResolverConnection always bind the instant app resolver installed in user 0. It can be a problem if PMS is calling EphemeralResolverConnection in a binder call from other users. In which case, we are binding service in user 0 from other users and security exception is thrown. This fix assume it is WAI we always bind instant app resolver in user 0. Fix: 38257043 Test: reboot, launch a work profile app that start an ACTION_VIEW intent with http link. No crash observed. Change-Id: Ic4e451b67ef127f05c3e594254b310da690a2324 --- diff --git a/services/core/java/com/android/server/pm/EphemeralResolverConnection.java b/services/core/java/com/android/server/pm/EphemeralResolverConnection.java index aa780cc36523..1de3936dce5d 100644 --- a/services/core/java/com/android/server/pm/EphemeralResolverConnection.java +++ b/services/core/java/com/android/server/pm/EphemeralResolverConnection.java @@ -23,6 +23,7 @@ import android.content.Context; import android.content.Intent; import android.content.ServiceConnection; import android.content.pm.InstantAppResolveInfo; +import android.os.Binder; import android.os.Build; import android.os.Bundle; import android.os.Handler; @@ -140,7 +141,12 @@ final class EphemeralResolverConnection implements DeathRecipient { if (mRemoteInstance != null) { return mRemoteInstance; } - bindLocked(token); + long binderToken = Binder.clearCallingIdentity(); + try { + bindLocked(token); + } finally { + Binder.restoreCallingIdentity(binderToken); + } return mRemoteInstance; } }