From 0f7f913281fff39d533b4ae325ba2fd11f0ae204 Mon Sep 17 00:00:00 2001
From: Arc Wang <arcwang@google.com>
Date: Wed, 14 Dec 2022 11:08:53 +0800
Subject: [PATCH] Check Uri permission for FLAG_GRANT_READ/WRITE_URI_PERMISSION

To improve security, calling app must be granted Uri permission
if it sets FLAG_GRANT_READ/WRITE_URI_PERMISSION in the Intent of
ACTION_SETTINGS_EMBED_DEEP_LINK_ACTIVITY.

Bug: 250589026
Test: manual
Change-Id: I48f88c662b843212b1066369badff84cf98935a8
Merged-In: I48f88c662b843212b1066369badff84cf98935a8
---
 .../homepage/SettingsHomepageActivity.java    | 34 +++++++++++++------
 1 file changed, 24 insertions(+), 10 deletions(-)

diff --git a/src/com/android/settings/homepage/SettingsHomepageActivity.java b/src/com/android/settings/homepage/SettingsHomepageActivity.java
index ddc1d775d7c..a23b743aade 100644
--- a/src/com/android/settings/homepage/SettingsHomepageActivity.java
+++ b/src/com/android/settings/homepage/SettingsHomepageActivity.java
@@ -448,7 +448,16 @@ public class SettingsHomepageActivity extends FragmentActivity implements
             return;
         }
 
-        if (!hasPrivilegedAccess(targetActivityInfo)) {
+        int callingUid = -1;
+        try {
+            callingUid = ActivityManager.getService().getLaunchedFromUid(getActivityToken());
+        } catch (RemoteException re) {
+            Log.e(TAG, "Not able to get callingUid: " + re);
+            finish();
+            return;
+        }
+
+        if (!hasPrivilegedAccess(callingUid, targetActivityInfo)) {
             if (!targetActivityInfo.exported) {
                 Log.e(TAG, "Target Activity is not exported");
                 finish();
@@ -479,6 +488,19 @@ public class SettingsHomepageActivity extends FragmentActivity implements
         targetIntent.setData(intent.getParcelableExtra(
                 SettingsHomepageActivity.EXTRA_SETTINGS_LARGE_SCREEN_DEEP_LINK_INTENT_DATA));
 
+        // Only allow FLAG_GRANT_READ/WRITE_URI_PERMISSION if calling app has the permission to
+        // access specified Uri.
+        int uriPermissionFlags = targetIntent.getFlags()
+                & (Intent.FLAG_GRANT_READ_URI_PERMISSION | Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
+        if (targetIntent.getData() != null
+                && uriPermissionFlags != 0
+                && checkUriPermission(targetIntent.getData(), /* pid= */ -1, callingUid,
+                        uriPermissionFlags) == PackageManager.PERMISSION_DENIED) {
+            Log.e(TAG, "Calling app must have the permission to access Uri and grant permission");
+            finish();
+            return;
+        }
+
         // Set 2-pane pair rule for the deep link page.
         ActivityEmbeddingRulesController.registerTwoPanePairRule(this,
                 new ComponentName(getApplicationContext(), getClass()),
@@ -504,20 +526,12 @@ public class SettingsHomepageActivity extends FragmentActivity implements
     }
 
     // Check if calling app has privileged access to launch Activity of activityInfo.
-    private boolean hasPrivilegedAccess(ActivityInfo activityInfo) {
+    private boolean hasPrivilegedAccess(int callingUid, ActivityInfo activityInfo) {
         if (TextUtils.equals(PasswordUtils.getCallingAppPackageName(getActivityToken()),
                     getPackageName())) {
             return true;
         }
 
-        int callingUid = -1;
-        try {
-            callingUid = ActivityManager.getService().getLaunchedFromUid(getActivityToken());
-        } catch (RemoteException re) {
-            Log.e(TAG, "Not able to get callingUid: " + re);
-            return false;
-        }
-
         int targetUid = -1;
         try {
             targetUid = getPackageManager().getApplicationInfo(activityInfo.packageName,