Fix bluetooth settings will broadcast to anywhere when some cases

BluetoothPermissionActivity and DevicePickerFragment will send broadcast to return the result to calling apps. As this broadcast intent is from Settings with uid 1000, it will be sent to any protected BroadcastReceivers in the device. It can make an attacker send broadcast to protected BroadcastReceivers like factory reset intent (android/com.android.server.MasterClearReceiver) via BluetoothPermissionActivity or DevicePickerFragment. This CL will compare to calling package name with launch package name. If they are not equal, the broadcast will not send to launch package name. Bug: 179386960 Bug: 179386068 Test: make -j42 RunSettingsRoboTests and use test apk to manually test to verify factory reset not started and no system UI notification. Change-Id: Ib8a5acde663e875912d300dd4912c4e9416f02f1
2021-03-12 10:40:20 +08:00
parent 6d513a2c67
commit 9d00364da4
5 changed files with 268 additions and 115 deletions
--- a/src/com/android/settings/bluetooth/BluetoothPermissionRequest.java
+++ b/src/com/android/settings/bluetooth/BluetoothPermissionRequest.java
@@ -29,9 +29,6 @@ import android.os.UserManager;
 import android.util.Log;

 import com.android.settings.R;
-import com.android.settingslib.bluetooth.CachedBluetoothDevice;
-import com.android.settingslib.bluetooth.CachedBluetoothDeviceManager;
-import com.android.settingslib.bluetooth.LocalBluetoothManager;

 /**
 * BluetoothPermissionRequest is a receiver to receive Bluetooth connection
@@ -83,21 +80,6 @@ public final class BluetoothPermissionRequest extends BroadcastReceiver {
            if (DEBUG) Log.d(TAG, "onReceive request type: " + mRequestType + " return "
                    + mReturnPackage + "," + mReturnClass);

-            // Even if the user has already made the choice, Bluetooth still may not know that if
-            // the user preference data have not been migrated from Settings app's shared
-            // preferences to Bluetooth app's. In that case, Bluetooth app broadcasts an
-            // ACTION_CONNECTION_ACCESS_REQUEST intent to ask to Settings app.
-            //
-            // If that happens, 'checkUserChoice()' here will do migration because it finds or
-            // creates a 'CachedBluetoothDevice' object for the device.
-            //
-            // After migration is done, 'checkUserChoice()' replies to the request by sending an
-            // ACTION_CONNECTION_ACCESS_REPLY intent. And we don't need to start permission activity
-            // dialog or notification.
-            if (checkUserChoice()) {
-                return;
-            }
-
            Intent connectionAccessIntent = new Intent(action);
            connectionAccessIntent.setClass(context, BluetoothPermissionActivity.class);
            // We use the FLAG_ACTIVITY_MULTIPLE_TASK since we can have multiple concurrent access
@@ -212,92 +194,4 @@ public final class BluetoothPermissionRequest extends BroadcastReceiver {
        }
        return null;
    }
-
-    /**
-     * @return true user had made a choice, this method replies to the request according
-     *              to user's previous decision
-     *         false user hadnot made any choice on this device
-     */
-    private boolean checkUserChoice() {
-        boolean processed = false;
-
-        // ignore if it is something else than phonebook/message settings it wants us to remember
-        if (mRequestType != BluetoothDevice.REQUEST_TYPE_PHONEBOOK_ACCESS
-                && mRequestType != BluetoothDevice.REQUEST_TYPE_MESSAGE_ACCESS
-                && mRequestType != BluetoothDevice.REQUEST_TYPE_SIM_ACCESS) {
-            if (DEBUG) Log.d(TAG, "checkUserChoice(): Unknown RequestType " + mRequestType);
-            return processed;
-        }
-
-        LocalBluetoothManager bluetoothManager = Utils.getLocalBtManager(mContext);
-        CachedBluetoothDeviceManager cachedDeviceManager =
-            bluetoothManager.getCachedDeviceManager();
-        CachedBluetoothDevice cachedDevice = cachedDeviceManager.findDevice(mDevice);
-        if (cachedDevice == null) {
-            cachedDevice = cachedDeviceManager.addDevice(mDevice);
-        }
-
-        String intentName = BluetoothDevice.ACTION_CONNECTION_ACCESS_REPLY;
-
-        if (mRequestType == BluetoothDevice.REQUEST_TYPE_PHONEBOOK_ACCESS) {
-            int phonebookPermission = mDevice.getPhonebookAccessPermission();
-
-            if (phonebookPermission == BluetoothDevice.ACCESS_UNKNOWN) {
-                // Leave 'processed' as false.
-            } else if (phonebookPermission == BluetoothDevice.ACCESS_ALLOWED) {
-                sendReplyIntentToReceiver(true);
-                processed = true;
-            } else if (phonebookPermission == BluetoothDevice.ACCESS_REJECTED) {
-                sendReplyIntentToReceiver(false);
-                processed = true;
-            } else {
-                Log.e(TAG, "Bad phonebookPermission: " + phonebookPermission);
-            }
-        } else if (mRequestType == BluetoothDevice.REQUEST_TYPE_MESSAGE_ACCESS) {
-            int messagePermission = mDevice.getMessageAccessPermission();
-
-            if (messagePermission == BluetoothDevice.ACCESS_UNKNOWN) {
-                // Leave 'processed' as false.
-            } else if (messagePermission == BluetoothDevice.ACCESS_ALLOWED) {
-                sendReplyIntentToReceiver(true);
-                processed = true;
-            } else if (messagePermission == BluetoothDevice.ACCESS_REJECTED) {
-                sendReplyIntentToReceiver(false);
-                processed = true;
-            } else {
-                Log.e(TAG, "Bad messagePermission: " + messagePermission);
-            }
-        } else if(mRequestType == BluetoothDevice.REQUEST_TYPE_SIM_ACCESS) {
-            int simPermission = mDevice.getSimAccessPermission();
-
-            if (simPermission == BluetoothDevice.ACCESS_UNKNOWN) {
-                // Leave 'processed' as false.
-            } else if (simPermission == BluetoothDevice.ACCESS_ALLOWED) {
-                sendReplyIntentToReceiver(true);
-                processed = true;
-            } else if (simPermission == BluetoothDevice.ACCESS_REJECTED) {
-                sendReplyIntentToReceiver(false);
-                processed = true;
-            } else {
-                Log.e(TAG, "Bad simPermission: " + simPermission);
-            }
-        }
-        if (DEBUG) Log.d(TAG,"checkUserChoice(): returning " + processed);
-        return processed;
-    }
-
-    private void sendReplyIntentToReceiver(final boolean allowed) {
-        Intent intent = new Intent(BluetoothDevice.ACTION_CONNECTION_ACCESS_REPLY);
-
-        if (mReturnPackage != null && mReturnClass != null) {
-            intent.setClassName(mReturnPackage, mReturnClass);
-        }
-
-        intent.putExtra(BluetoothDevice.EXTRA_CONNECTION_ACCESS_RESULT,
-                        allowed ? BluetoothDevice.CONNECTION_ACCESS_YES
-                                : BluetoothDevice.CONNECTION_ACCESS_NO);
-        intent.putExtra(BluetoothDevice.EXTRA_DEVICE, mDevice);
-        intent.putExtra(BluetoothDevice.EXTRA_ACCESS_REQUEST_TYPE, mRequestType);
-        mContext.sendBroadcast(intent, android.Manifest.permission.BLUETOOTH_ADMIN);
-    }
 }