SECURITY FIX: Fix package uids being reused between uninstall and rei…

…nstall of different packages. Policies for older packages were being granted to the newly installed package that got the recyled uid. Change-Id: I73d2beea8bd3497a9ea5c61a9e7a97ac9e599c82
koush · Mar 30, 2013 · 3dcccd3 · 3dcccd3 · toyrons098 · Jan 28, 2016
1 parent 263fb47
commit 3dcccd3
Show file tree

Hide file tree

Showing 2 changed files with 69 additions and 1 deletion.
diff --git a/Superuser/AndroidManifest.xml b/Superuser/AndroidManifest.xml
@@ -94,9 +94,24 @@
         <receiver android:name=".SuCheckerReceiver" >
             <intent-filter>
                 <action android:name="android.intent.action.BOOT_COMPLETED" />
-                <!-- <action android:name="internal.superuser.BOOT_TEST" /> -->
             </intent-filter>
         </receiver>
+
+        <receiver android:name=".PackageChangeReceiver" >
+            <intent-filter>
+                <action android:name="android.intent.action.PACKAGE_ADDED" />
+                <data android:scheme="package" />
+            </intent-filter>
+            <intent-filter>
+                <action android:name="android.intent.action.BOOT_COMPLETED" />
+                <data android:scheme="package" />
+            </intent-filter>
+            <intent-filter>
+                <action android:name="android.intent.action.PACKAGE_REMOVED" />
+                <data android:scheme="package" />
+            </intent-filter>
+        </receiver>
+
     </application>
 
 </manifest>
diff --git a/Superuser/src/com/koushikdutta/superuser/PackageChangeReceiver.java b/Superuser/src/com/koushikdutta/superuser/PackageChangeReceiver.java
@@ -0,0 +1,53 @@
+package com.koushikdutta.superuser;
+
+import java.util.ArrayList;
+
+import android.content.BroadcastReceiver;
+import android.content.Context;
+import android.content.Intent;
+import android.content.pm.PackageManager;
+import android.text.TextUtils;
+
+import com.koushikdutta.superuser.db.SuDatabaseHelper;
+import com.koushikdutta.superuser.db.UidPolicy;
+
+public class PackageChangeReceiver extends BroadcastReceiver {
+    @Override
+    public void onReceive(final Context context, Intent intent) {
+        new Thread() {
+            public void run() {
+                ArrayList<UidPolicy> policies = SuDatabaseHelper.getPolicies(context);
+
+                if (policies == null)
+                    return;
+
+                final PackageManager pm = context.getPackageManager();
+                for (UidPolicy policy: policies) {
+                    // if the uid did not have a package name at creation time,
+                    // it may be a nameless or unresolveable uid... 
+                    // ie, I can do something like:
+                    // su - 5050
+                    // # 5050 has no name, so the following su will be an empty package name
+                    // su
+                    // 
+                    // ignore this null package name as valid.
+                    if (TextUtils.isEmpty(policy.packageName))
+                        continue;
+                    try {
+                        boolean found = false;
+                        String[] names = pm.getPackagesForUid(policy.uid);
+                        for (String name: names) {
+                            if (name.equals(policy.packageName))
+                                found = true;
+                        }
+                        if (!found)
+                            throw new Exception("no package name match");
+                    }
+                    catch (Exception e) {
+                        SuDatabaseHelper.delete(context, policy);
+                    }
+                }
+            };
+        }.start();
+    }
+}