Allow Root to call shell command

Repro step: * switch to second user (guest) * enable adb as root * `adb shell cmd bluetooth_manager enable` -> fail Bug: 263554371 Test: Manual Change-Id: I3a479fbd3e2fe21b1a1b872a15aa6df4ad286356 (cherry picked from commit 145626e4098e3beb201ea4b9a6ddbfa086656532) Merged-In: I3a479fbd3e2fe21b1a1b872a15aa6df4ad286356
author: William Escande <wescande@google.com> 2023-01-09 12:44:53 -0800
committer: Cherrypicker Worker <android-build-cherrypicker-worker@google.com> 2023-01-17 03:14:31 +0000
commit: 268bea52902b62d2b2e4f98b82a15f47b233bcec (patch)
tree: b687f1f35e3b5e2f6750fdfa70998b04fb880888 /service/java/com/android/server/bluetooth/BluetoothManagerService.java
parent: f66923d967790f7dced83ee2f3855de8acec459b (diff)
1 files changed, 30 insertions, 14 deletions
diff --git a/service/java/com/android/server/bluetooth/BluetoothManagerService.java b/service/java/com/android/server/bluetooth/BluetoothManagerService.java
index da4b71ed55..78452d7756 100644
--- a/service/java/com/android/server/bluetooth/BluetoothManagerService.java
+++ b/service/java/com/android/server/bluetooth/BluetoothManagerService.java
@@ -969,7 +969,7 @@ public class BluetoothManagerService extends IBluetoothManager.Stub {
     }
 
     public int getState() {
-        if ((Binder.getCallingUid() != Process.SYSTEM_UID) && (!checkIfCallerIsForegroundUser())) {
+        if (!isCallerSystem(getCallingAppId()) && !checkIfCallerIsForegroundUser()) {
             Log.w(TAG, "getState(): report OFF for non-active and non system user");
             return BluetoothAdapter.STATE_OFF;
         }
@@ -1146,11 +1146,11 @@ public class BluetoothManagerService extends IBluetoothManager.Stub {
             }
             return false;
         }
-        // Check if packageName belongs to callingUid
-        final int callingUid = Binder.getCallingUid();
-        final boolean isCallerSystem = UserHandle.getAppId(callingUid) == Process.SYSTEM_UID;
-        if (!isCallerSystem && callingUid != Process.SHELL_UID) {
-            checkPackage(callingUid, attributionSource.getPackageName());
+        int callingAppId = getCallingAppId();
+        if (!isCallerSystem(callingAppId)
+                && !isCallerShell(callingAppId)
+                && !isCallerRoot(callingAppId)) {
+            checkPackage(attributionSource.getPackageName());
 
             if (requireForeground && !checkIfCallerIsForegroundUser()) {
                 Log.w(TAG, "Not allowed for non-active and non system user");
@@ -1456,24 +1456,27 @@ public class BluetoothManagerService extends IBluetoothManager.Stub {
     }
 
     /**
-     * Check if AppOpsManager is available and the packageName belongs to uid
+     * Check if AppOpsManager is available and the packageName belongs to calling uid
      *
      * A null package belongs to any uid
      */
-    private void checkPackage(int uid, String packageName) {
+    private void checkPackage(String packageName) {
+        int callingUid = Binder.getCallingUid();
+
         if (mAppOps == null) {
             Log.w(TAG, "checkPackage(): called before system boot up, uid "
-                    + uid + ", packageName " + packageName);
+                    + callingUid + ", packageName " + packageName);
             throw new IllegalStateException("System has not boot yet");
         }
         if (packageName == null) {
-            Log.w(TAG, "checkPackage(): called with null packageName from " + uid);
+            Log.w(TAG, "checkPackage(): called with null packageName from " + callingUid);
             return;
         }
+
         try {
-            mAppOps.checkPackage(uid, packageName);
+            mAppOps.checkPackage(callingUid, packageName);
         } catch (SecurityException e) {
-            Log.w(TAG, "checkPackage(): " + packageName + " does not belong to uid " + uid);
+            Log.w(TAG, "checkPackage(): " + packageName + " does not belong to uid " + callingUid);
             throw new SecurityException(e.getMessage());
         }
     }
@@ -1909,7 +1912,7 @@ public class BluetoothManagerService extends IBluetoothManager.Stub {
             return null;
         }
 
-        if ((Binder.getCallingUid() != Process.SYSTEM_UID) && (!checkIfCallerIsForegroundUser())) {
+        if (!isCallerSystem(getCallingAppId()) && !checkIfCallerIsForegroundUser()) {
             Log.w(TAG, "getAddress(): not allowed for non-active and non system user");
             return null;
         }
@@ -1943,7 +1946,7 @@ public class BluetoothManagerService extends IBluetoothManager.Stub {
             return null;
         }
 
-        if ((Binder.getCallingUid() != Process.SYSTEM_UID) && (!checkIfCallerIsForegroundUser())) {
+        if (!isCallerSystem(getCallingAppId()) && !checkIfCallerIsForegroundUser()) {
             Log.w(TAG, "getName(): not allowed for non-active and non system user");
             return null;
         }
@@ -2715,6 +2718,19 @@ public class BluetoothManagerService extends IBluetoothManager.Stub {
         }
     }
 
+    private static int getCallingAppId() {
+        return UserHandle.getAppId(Binder.getCallingUid());
+    }
+    private static boolean isCallerSystem(int callingAppId) {
+        return callingAppId == Process.SYSTEM_UID;
+    }
+    private static boolean isCallerShell(int callingAppId) {
+        return callingAppId == Process.SHELL_UID;
+    }
+    private static boolean isCallerRoot(int callingAppId) {
+        return callingAppId == Process.ROOT_UID;
+    }
+
     private boolean checkIfCallerIsForegroundUser() {
         int callingUid = Binder.getCallingUid();
         UserHandle callingUser = UserHandle.getUserHandleForUid(callingUid);
author	William Escande <wescande@google.com>	2023-01-09 12:44:53 -0800
committer	Cherrypicker Worker <android-build-cherrypicker-worker@google.com>	2023-01-17 03:14:31 +0000
commit	268bea52902b62d2b2e4f98b82a15f47b233bcec (patch)
tree	b687f1f35e3b5e2f6750fdfa70998b04fb880888 /service/java/com/android/server/bluetooth/BluetoothManagerService.java
parent	f66923d967790f7dced83ee2f3855de8acec459b (diff)