From f2645400c255aae29a217c5003fa661a0b4da6f1 Mon Sep 17 00:00:00 2001 From: Tony Mak Date: Fri, 12 May 2017 16:11:43 +0100 Subject: [PATCH] Clear calling identity before binding instant app resolver EphemeralResolverConnection always bind the instant app resolver installed in user 0. It can be a problem if PMS is calling EphemeralResolverConnection in a binder call from other users. In which case, we are binding service in user 0 from other users and security exception is thrown. This fix assume it is WAI we always bind instant app resolver in user 0. Fix: 38257043 Test: reboot, launch a work profile app that start an ACTION_VIEW intent with http link. No crash observed. Change-Id: Ic4e451b67ef127f05c3e594254b310da690a2324 --- .../java/com/android/server/pm/EphemeralResolverConnection.java | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/services/core/java/com/android/server/pm/EphemeralResolverConnection.java b/services/core/java/com/android/server/pm/EphemeralResolverConnection.java index aa780cc36523..1de3936dce5d 100644 --- a/services/core/java/com/android/server/pm/EphemeralResolverConnection.java +++ b/services/core/java/com/android/server/pm/EphemeralResolverConnection.java @@ -23,6 +23,7 @@ import android.content.Context; import android.content.Intent; import android.content.ServiceConnection; import android.content.pm.InstantAppResolveInfo; +import android.os.Binder; import android.os.Build; import android.os.Bundle; import android.os.Handler; @@ -140,7 +141,12 @@ final class EphemeralResolverConnection implements DeathRecipient { if (mRemoteInstance != null) { return mRemoteInstance; } - bindLocked(token); + long binderToken = Binder.clearCallingIdentity(); + try { + bindLocked(token); + } finally { + Binder.restoreCallingIdentity(binderToken); + } return mRemoteInstance; } } -- 2.11.0