Merge "Security-related cleanup for network scoring." into lmp-dev

Author: jpd236

core/java/android/net/NetworkScoreManager.java

@@ -16,6 +16,7 @@
 
 package android.net;
 
+import android.Manifest;
 import android.annotation.SdkConstant;
 import android.annotation.SdkConstant.SdkConstantType;
 import android.annotation.SystemApi;
@@ -25,6 +26,7 @@
 import android.os.IBinder;
 import android.os.RemoteException;
 import android.os.ServiceManager;
+import android.os.UserHandle;
 
 /**
  * Class that manages communication between network subsystems and a network scorer.
@@ -238,7 +240,9 @@ public boolean requestScores(NetworkKey[] networks) throws SecurityException {
         intent.setPackage(activeScorer);
         intent.setFlags(Intent.FLAG_RECEIVER_REGISTERED_ONLY_BEFORE_BOOT);
         intent.putExtra(EXTRA_NETWORKS_TO_SCORE, networks);
-        mContext.sendBroadcast(intent);
+        // A scorer should never become active if its package doesn't hold SCORE_NETWORKS, but
+        // ensure the package still holds it to be extra safe.
+        mContext.sendBroadcastAsUser(intent, UserHandle.OWNER, Manifest.permission.SCORE_NETWORKS);
         return true;
     }
 

core/java/android/net/NetworkScorerAppManager.java

@@ -16,6 +16,7 @@
 
 package android.net;
 
+import android.Manifest;
 import android.Manifest.permission;
 import android.annotation.Nullable;
 import android.app.AppOpsManager;
@@ -24,6 +25,7 @@
 import android.content.pm.ActivityInfo;
 import android.content.pm.PackageManager;
 import android.content.pm.ResolveInfo;
+import android.os.UserHandle;
 import android.provider.Settings;
 import android.text.TextUtils;
 import android.util.Log;
@@ -86,7 +88,9 @@ public static Collection<NetworkScorerAppData> getAllValidScorers(Context contex
         List<NetworkScorerAppData> scorers = new ArrayList<>();
 
         PackageManager pm = context.getPackageManager();
-        List<ResolveInfo> receivers = pm.queryBroadcastReceivers(SCORE_INTENT, 0 /* flags */);
+        // Only apps installed under the primary user of the device can be scorers.
+        List<ResolveInfo> receivers =
+                pm.queryBroadcastReceivers(SCORE_INTENT, 0 /* flags */, UserHandle.USER_OWNER);
         for (ResolveInfo receiver : receivers) {
             // This field is a misnomer, see android.content.pm.ResolveInfo#activityInfo
             final ActivityInfo receiverInfo = receiver.activityInfo;
@@ -186,10 +190,14 @@ public static boolean isCallerActiveScorer(Context context, int callingUid) {
         AppOpsManager appOpsMgr = (AppOpsManager) context.getSystemService(Context.APP_OPS_SERVICE);
         try {
             appOpsMgr.checkPackage(callingUid, defaultApp.mPackageName);
-            return true;
         } catch (SecurityException e) {
             return false;
         }
+
+        // To be extra safe, ensure the caller holds the SCORE_NETWORKS permission. It always
+        // should, since it couldn't become the active scorer otherwise, but this can't hurt.
+        return context.checkCallingPermission(Manifest.permission.SCORE_NETWORKS) ==
+                PackageManager.PERMISSION_GRANTED;
     }
 
     /** Returns the {@link NetworkScorerAppData} for the given app, or null if it's not a scorer. */

services/core/java/com/android/server/NetworkScoreService.java

@@ -29,6 +29,7 @@
 import android.net.ScoredNetwork;
 import android.os.Binder;
 import android.os.RemoteException;
+import android.os.UserHandle;
 import android.text.TextUtils;
 import android.util.Log;
 
@@ -164,7 +165,7 @@ private boolean setScorerInternal(String packageName) {
             if (result) {
                 Intent intent = new Intent(NetworkScoreManager.ACTION_SCORER_CHANGED);
                 intent.putExtra(NetworkScoreManager.EXTRA_NEW_SCORER, packageName);
-                mContext.sendBroadcast(intent);
+                mContext.sendBroadcastAsUser(intent, UserHandle.ALL);
             }
             return result;
         } finally {