packages/apps/Settings
| Revisión | f8c5c95ccf88b6179c898e11e3b39b09c7ff6711 (tree) |
|---|---|
| Tiempo | 2021-07-01 20:01:24 |
| Autor | Hugh Chen <hughchen@goog...> |
| Commiter | Android Build Coastguard Worker |
RESTRICT AUTOMERGE Fix bluetooth settings will broadcast to anywhere when some cases
BluetoothPermissionActivity and DevicePickerFragment will send
broadcast to return the result to calling apps. As this broadcast
intent is from Settings with uid 1000, it will be sent to any
protected BroadcastReceivers in the device. It can make an attacker
send broadcast to protected BroadcastReceivers like factory reset intent
(android/com.android.server.MasterClearReceiver) via
BluetoothPermissionActivity or DevicePickerFragment.
This CL will not allow to set package name and class name to avoid
the attacker.
Bug: 179386960
Bug: 179386068
Test: make -j42 RunSettingsRoboTests and use test apk to manually test
to verify factory reset not started and no system UI notification.
Change-Id: Id27a78091ab578077853b8fbb97a4422cff0a158
(cherry picked from commit 8adedc62496cf8cf6ecfc6ccf23b0b248081d7d4)
(cherry picked from commit e21d06f6eeb20cdd0c6e2a995f27e942225fb807)
src/com/android/settings/bluetooth/BluetoothPermissionActivity.java (diff) src/com/android/settings/bluetooth/BluetoothPermissionRequest.java (diff) src/com/android/settings/bluetooth/DevicePickerFragment.java (diff) tests/robotests/src/com/android/settings/bluetooth/BluetoothPermissionActivityTest.java (diff) tests/robotests/src/com/android/settings/bluetooth/DevicePickerFragmentTest.java (diff)| @@ -16,6 +16,8 @@ | ||
| 16 | 16 | |
| 17 | 17 | package com.android.settings.bluetooth; |
| 18 | 18 | |
| 19 | +import static android.view.WindowManager.LayoutParams.SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS; | |
| 20 | + | |
| 19 | 21 | import android.bluetooth.BluetoothDevice; |
| 20 | 22 | import android.content.BroadcastReceiver; |
| 21 | 23 | import android.content.Context; |
| @@ -30,12 +32,11 @@ import android.widget.TextView; | ||
| 30 | 32 | |
| 31 | 33 | import androidx.preference.Preference; |
| 32 | 34 | |
| 35 | +import com.android.internal.annotations.VisibleForTesting; | |
| 33 | 36 | import com.android.internal.app.AlertActivity; |
| 34 | 37 | import com.android.internal.app.AlertController; |
| 35 | 38 | import com.android.settings.R; |
| 36 | 39 | |
| 37 | -import static android.view.WindowManager.LayoutParams.SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS; | |
| 38 | - | |
| 39 | 40 | /** |
| 40 | 41 | * BluetoothPermissionActivity shows a dialog for accepting incoming |
| 41 | 42 | * profile connection request from untrusted devices. |
| @@ -51,8 +52,6 @@ public class BluetoothPermissionActivity extends AlertActivity implements | ||
| 51 | 52 | private TextView messageView; |
| 52 | 53 | private Button mOkButton; |
| 53 | 54 | private BluetoothDevice mDevice; |
| 54 | - private String mReturnPackage = null; | |
| 55 | - private String mReturnClass = null; | |
| 56 | 55 | |
| 57 | 56 | private int mRequestType = 0; |
| 58 | 57 | private BroadcastReceiver mReceiver = new BroadcastReceiver() { |
| @@ -89,8 +88,6 @@ public class BluetoothPermissionActivity extends AlertActivity implements | ||
| 89 | 88 | } |
| 90 | 89 | |
| 91 | 90 | mDevice = i.getParcelableExtra(BluetoothDevice.EXTRA_DEVICE); |
| 92 | - mReturnPackage = i.getStringExtra(BluetoothDevice.EXTRA_PACKAGE_NAME); | |
| 93 | - mReturnClass = i.getStringExtra(BluetoothDevice.EXTRA_CLASS_NAME); | |
| 94 | 91 | mRequestType = i.getIntExtra(BluetoothDevice.EXTRA_ACCESS_REQUEST_TYPE, |
| 95 | 92 | BluetoothDevice.REQUEST_TYPE_PHONEBOOK_ACCESS); |
| 96 | 93 |
| @@ -202,14 +199,14 @@ public class BluetoothPermissionActivity extends AlertActivity implements | ||
| 202 | 199 | sendReplyIntentToReceiver(false, true); |
| 203 | 200 | } |
| 204 | 201 | |
| 205 | - private void sendReplyIntentToReceiver(final boolean allowed, final boolean always) { | |
| 202 | + @VisibleForTesting | |
| 203 | + void sendReplyIntentToReceiver(final boolean allowed, final boolean always) { | |
| 206 | 204 | Intent intent = new Intent(BluetoothDevice.ACTION_CONNECTION_ACCESS_REPLY); |
| 207 | 205 | |
| 208 | - if (mReturnPackage != null && mReturnClass != null) { | |
| 209 | - intent.setClassName(mReturnPackage, mReturnClass); | |
| 206 | + if (DEBUG) { | |
| 207 | + Log.i(TAG, "sendReplyIntentToReceiver() Request type: " + mRequestType | |
| 208 | + + " mReturnPackage"); | |
| 210 | 209 | } |
| 211 | - if (DEBUG) Log.i(TAG, "sendReplyIntentToReceiver() Request type: " + mRequestType + | |
| 212 | - " mReturnPackage" + mReturnPackage + " mReturnClass" + mReturnClass); | |
| 213 | 210 | |
| 214 | 211 | intent.putExtra(BluetoothDevice.EXTRA_CONNECTION_ACCESS_RESULT, |
| 215 | 212 | allowed ? BluetoothDevice.CONNECTION_ACCESS_YES |
| @@ -56,8 +56,6 @@ public final class BluetoothPermissionRequest extends BroadcastReceiver { | ||
| 56 | 56 | Context mContext; |
| 57 | 57 | int mRequestType; |
| 58 | 58 | BluetoothDevice mDevice; |
| 59 | - String mReturnPackage = null; | |
| 60 | - String mReturnClass = null; | |
| 61 | 59 | |
| 62 | 60 | @Override |
| 63 | 61 | public void onReceive(Context context, Intent intent) { |
| @@ -77,11 +75,10 @@ public final class BluetoothPermissionRequest extends BroadcastReceiver { | ||
| 77 | 75 | mDevice = intent.getParcelableExtra(BluetoothDevice.EXTRA_DEVICE); |
| 78 | 76 | mRequestType = intent.getIntExtra(BluetoothDevice.EXTRA_ACCESS_REQUEST_TYPE, |
| 79 | 77 | BluetoothDevice.REQUEST_TYPE_PROFILE_CONNECTION); |
| 80 | - mReturnPackage = intent.getStringExtra(BluetoothDevice.EXTRA_PACKAGE_NAME); | |
| 81 | - mReturnClass = intent.getStringExtra(BluetoothDevice.EXTRA_CLASS_NAME); | |
| 82 | 78 | |
| 83 | - if (DEBUG) Log.d(TAG, "onReceive request type: " + mRequestType + " return " | |
| 84 | - + mReturnPackage + "," + mReturnClass); | |
| 79 | + if (DEBUG) { | |
| 80 | + Log.d(TAG, "onReceive request type: " + mRequestType); | |
| 81 | + } | |
| 85 | 82 | |
| 86 | 83 | // Even if the user has already made the choice, Bluetooth still may not know that if |
| 87 | 84 | // the user preference data have not been migrated from Settings app's shared |
| @@ -110,8 +107,6 @@ public final class BluetoothPermissionRequest extends BroadcastReceiver { | ||
| 110 | 107 | connectionAccessIntent.putExtra(BluetoothDevice.EXTRA_ACCESS_REQUEST_TYPE, |
| 111 | 108 | mRequestType); |
| 112 | 109 | connectionAccessIntent.putExtra(BluetoothDevice.EXTRA_DEVICE, mDevice); |
| 113 | - connectionAccessIntent.putExtra(BluetoothDevice.EXTRA_PACKAGE_NAME, mReturnPackage); | |
| 114 | - connectionAccessIntent.putExtra(BluetoothDevice.EXTRA_CLASS_NAME, mReturnClass); | |
| 115 | 110 | |
| 116 | 111 | String deviceAddress = mDevice != null ? mDevice.getAddress() : null; |
| 117 | 112 | String deviceName = mDevice != null ? mDevice.getName() : null; |
| @@ -230,7 +225,7 @@ public final class BluetoothPermissionRequest extends BroadcastReceiver { | ||
| 230 | 225 | |
| 231 | 226 | LocalBluetoothManager bluetoothManager = Utils.getLocalBtManager(mContext); |
| 232 | 227 | CachedBluetoothDeviceManager cachedDeviceManager = |
| 233 | - bluetoothManager.getCachedDeviceManager(); | |
| 228 | + bluetoothManager.getCachedDeviceManager(); | |
| 234 | 229 | CachedBluetoothDevice cachedDevice = cachedDeviceManager.findDevice(mDevice); |
| 235 | 230 | if (cachedDevice == null) { |
| 236 | 231 | cachedDevice = cachedDeviceManager.addDevice(mDevice); |
| @@ -288,13 +283,9 @@ public final class BluetoothPermissionRequest extends BroadcastReceiver { | ||
| 288 | 283 | private void sendReplyIntentToReceiver(final boolean allowed) { |
| 289 | 284 | Intent intent = new Intent(BluetoothDevice.ACTION_CONNECTION_ACCESS_REPLY); |
| 290 | 285 | |
| 291 | - if (mReturnPackage != null && mReturnClass != null) { | |
| 292 | - intent.setClassName(mReturnPackage, mReturnClass); | |
| 293 | - } | |
| 294 | - | |
| 295 | 286 | intent.putExtra(BluetoothDevice.EXTRA_CONNECTION_ACCESS_RESULT, |
| 296 | - allowed ? BluetoothDevice.CONNECTION_ACCESS_YES | |
| 297 | - : BluetoothDevice.CONNECTION_ACCESS_NO); | |
| 287 | + allowed ? BluetoothDevice.CONNECTION_ACCESS_YES | |
| 288 | + : BluetoothDevice.CONNECTION_ACCESS_NO); | |
| 298 | 289 | intent.putExtra(BluetoothDevice.EXTRA_DEVICE, mDevice); |
| 299 | 290 | intent.putExtra(BluetoothDevice.EXTRA_ACCESS_REQUEST_TYPE, mRequestType); |
| 300 | 291 | mContext.sendBroadcast(intent, android.Manifest.permission.BLUETOOTH_ADMIN); |
| @@ -48,10 +48,10 @@ public final class DevicePickerFragment extends DeviceListPreferenceFragment { | ||
| 48 | 48 | |
| 49 | 49 | @VisibleForTesting |
| 50 | 50 | BluetoothProgressCategory mAvailableDevicesCategory; |
| 51 | + @VisibleForTesting | |
| 52 | + Context mContext; | |
| 51 | 53 | |
| 52 | 54 | private boolean mNeedAuth; |
| 53 | - private String mLaunchPackage; | |
| 54 | - private String mLaunchClass; | |
| 55 | 55 | private boolean mScanAllowed; |
| 56 | 56 | |
| 57 | 57 | public DevicePickerFragment() { |
| @@ -64,8 +64,6 @@ public final class DevicePickerFragment extends DeviceListPreferenceFragment { | ||
| 64 | 64 | mNeedAuth = intent.getBooleanExtra(BluetoothDevicePicker.EXTRA_NEED_AUTH, false); |
| 65 | 65 | setFilter(intent.getIntExtra(BluetoothDevicePicker.EXTRA_FILTER_TYPE, |
| 66 | 66 | BluetoothDevicePicker.FILTER_TYPE_ALL)); |
| 67 | - mLaunchPackage = intent.getStringExtra(BluetoothDevicePicker.EXTRA_LAUNCH_PACKAGE); | |
| 68 | - mLaunchClass = intent.getStringExtra(BluetoothDevicePicker.EXTRA_LAUNCH_CLASS); | |
| 69 | 67 | mAvailableDevicesCategory = (BluetoothProgressCategory) findPreference(KEY_BT_DEVICE_LIST); |
| 70 | 68 | } |
| 71 | 69 |
| @@ -85,6 +83,7 @@ public final class DevicePickerFragment extends DeviceListPreferenceFragment { | ||
| 85 | 83 | getActivity().setTitle(getString(R.string.device_picker)); |
| 86 | 84 | UserManager um = (UserManager) getSystemService(Context.USER_SERVICE); |
| 87 | 85 | mScanAllowed = !um.hasUserRestriction(DISALLOW_CONFIG_BLUETOOTH); |
| 86 | + mContext = getContext(); | |
| 88 | 87 | setHasOptionsMenu(true); |
| 89 | 88 | } |
| 90 | 89 |
| @@ -190,9 +189,7 @@ public final class DevicePickerFragment extends DeviceListPreferenceFragment { | ||
| 190 | 189 | private void sendDevicePickedIntent(BluetoothDevice device) { |
| 191 | 190 | Intent intent = new Intent(BluetoothDevicePicker.ACTION_DEVICE_SELECTED); |
| 192 | 191 | intent.putExtra(BluetoothDevice.EXTRA_DEVICE, device); |
| 193 | - if (mLaunchPackage != null && mLaunchClass != null) { | |
| 194 | - intent.setClassName(mLaunchPackage, mLaunchClass); | |
| 195 | - } | |
| 196 | - getActivity().sendBroadcast(intent, Manifest.permission.BLUETOOTH_ADMIN); | |
| 192 | + | |
| 193 | + mContext.sendBroadcast(intent, Manifest.permission.BLUETOOTH_ADMIN); | |
| 197 | 194 | } |
| 198 | 195 | } |
| @@ -0,0 +1,58 @@ | ||
| 1 | +/* | |
| 2 | + * Copyright (C) 2021 The Android Open Source Project | |
| 3 | + * | |
| 4 | + * Licensed under the Apache License, Version 2.0 (the "License"); | |
| 5 | + * you may not use this file except in compliance with the License. | |
| 6 | + * You may obtain a copy of the License at | |
| 7 | + * | |
| 8 | + * http://www.apache.org/licenses/LICENSE-2.0 | |
| 9 | + * | |
| 10 | + * Unless required by applicable law or agreed to in writing, software | |
| 11 | + * distributed under the License is distributed on an "AS IS" BASIS, | |
| 12 | + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
| 13 | + * See the License for the specific language governing permissions and | |
| 14 | + * limitations under the License. | |
| 15 | + */ | |
| 16 | + | |
| 17 | +package com.android.settings.bluetooth; | |
| 18 | + | |
| 19 | +import static org.mockito.ArgumentMatchers.eq; | |
| 20 | +import static org.mockito.Mockito.spy; | |
| 21 | +import static org.mockito.Mockito.verify; | |
| 22 | + | |
| 23 | +import android.content.Context; | |
| 24 | +import android.content.Intent; | |
| 25 | + | |
| 26 | +import org.junit.Before; | |
| 27 | +import org.junit.Test; | |
| 28 | +import org.junit.runner.RunWith; | |
| 29 | +import org.mockito.ArgumentCaptor; | |
| 30 | +import org.mockito.MockitoAnnotations; | |
| 31 | +import org.robolectric.RobolectricTestRunner; | |
| 32 | +import org.robolectric.RuntimeEnvironment; | |
| 33 | +import org.robolectric.util.ReflectionHelpers; | |
| 34 | + | |
| 35 | +@RunWith(RobolectricTestRunner.class) | |
| 36 | +public class BluetoothPermissionActivityTest { | |
| 37 | + | |
| 38 | + private BluetoothPermissionActivity mActivity; | |
| 39 | + private Context mContext; | |
| 40 | + | |
| 41 | + @Before | |
| 42 | + public void setUp() { | |
| 43 | + MockitoAnnotations.initMocks(this); | |
| 44 | + mContext = spy(RuntimeEnvironment.application); | |
| 45 | + mActivity = new BluetoothPermissionActivity(); | |
| 46 | + } | |
| 47 | + | |
| 48 | + @Test | |
| 49 | + public void sendBroadcastWithPermission() { | |
| 50 | + final ArgumentCaptor<Intent> intentCaptor = ArgumentCaptor.forClass(Intent.class); | |
| 51 | + ReflectionHelpers.setField(mActivity, "mBase", mContext); | |
| 52 | + | |
| 53 | + mActivity.sendReplyIntentToReceiver(true, true); | |
| 54 | + | |
| 55 | + verify(mContext).sendBroadcast(intentCaptor.capture(), | |
| 56 | + eq("android.permission.BLUETOOTH_ADMIN")); | |
| 57 | + } | |
| 58 | +} |
| @@ -16,28 +16,43 @@ | ||
| 16 | 16 | |
| 17 | 17 | package com.android.settings.bluetooth; |
| 18 | 18 | |
| 19 | +import static org.mockito.ArgumentMatchers.eq; | |
| 20 | +import static org.mockito.Mockito.mock; | |
| 21 | +import static org.mockito.Mockito.spy; | |
| 19 | 22 | import static org.mockito.Mockito.verify; |
| 23 | +import static org.mockito.Mockito.when; | |
| 24 | + | |
| 25 | +import android.bluetooth.BluetoothDevice; | |
| 26 | +import android.content.Context; | |
| 27 | +import android.content.Intent; | |
| 28 | + | |
| 29 | +import com.android.settingslib.bluetooth.CachedBluetoothDevice; | |
| 20 | 30 | |
| 21 | 31 | import org.junit.Before; |
| 22 | 32 | import org.junit.Test; |
| 23 | 33 | import org.junit.runner.RunWith; |
| 34 | +import org.mockito.ArgumentCaptor; | |
| 24 | 35 | import org.mockito.Mock; |
| 25 | 36 | import org.mockito.MockitoAnnotations; |
| 26 | 37 | import org.robolectric.RobolectricTestRunner; |
| 38 | +import org.robolectric.RuntimeEnvironment; | |
| 27 | 39 | |
| 28 | 40 | @RunWith(RobolectricTestRunner.class) |
| 29 | 41 | public class DevicePickerFragmentTest { |
| 30 | 42 | |
| 31 | 43 | @Mock |
| 32 | 44 | private BluetoothProgressCategory mAvailableDevicesCategory; |
| 45 | + | |
| 33 | 46 | private DevicePickerFragment mFragment; |
| 47 | + private Context mContext; | |
| 34 | 48 | |
| 35 | 49 | @Before |
| 36 | 50 | public void setUp() { |
| 37 | 51 | MockitoAnnotations.initMocks(this); |
| 38 | 52 | |
| 39 | 53 | mFragment = new DevicePickerFragment(); |
| 40 | - | |
| 54 | + mContext = spy(RuntimeEnvironment.application); | |
| 55 | + mFragment.mContext = mContext; | |
| 41 | 56 | mFragment.mAvailableDevicesCategory = mAvailableDevicesCategory; |
| 42 | 57 | } |
| 43 | 58 |
| @@ -49,4 +64,18 @@ public class DevicePickerFragmentTest { | ||
| 49 | 64 | |
| 50 | 65 | verify(mAvailableDevicesCategory).setProgress(true); |
| 51 | 66 | } |
| 67 | + | |
| 68 | + @Test | |
| 69 | + public void sendBroadcastWithPermission() { | |
| 70 | + final CachedBluetoothDevice cachedDevice = mock(CachedBluetoothDevice.class); | |
| 71 | + final BluetoothDevice bluetoothDevice = mock(BluetoothDevice.class); | |
| 72 | + final ArgumentCaptor<Intent> intentCaptor = ArgumentCaptor.forClass(Intent.class); | |
| 73 | + when(cachedDevice.getDevice()).thenReturn(bluetoothDevice); | |
| 74 | + mFragment.mSelectedDevice = bluetoothDevice; | |
| 75 | + | |
| 76 | + mFragment.onDeviceBondStateChanged(cachedDevice, BluetoothDevice.BOND_BONDED); | |
| 77 | + | |
| 78 | + verify(mContext).sendBroadcast(intentCaptor.capture(), | |
| 79 | + eq("android.permission.BLUETOOTH_ADMIN")); | |
| 80 | + } | |
| 52 | 81 | } |
Fork