Fix crash when setting wallpaper from non-primary user.

Dianne Hackborn · Dianne Hackborn · commit 11941fd651be · 2012-09-07T15:50:26.000-07:00
When accessing a content provider, there is a check for whether
the provider can run in the caller's process; if so, even if the
provider is currently published, we return to the caller that it
can run locally.

This check was broken -- it had an old condition that allowed
content providers owned by the system UID to run in any other UID's
process.  This is wrong, since by definition the other
UIDs would not be able to access the data under the original UID.

We ran into this because the activity picker is part of the
android platform manifest, so runs as the system process.  However
it needs to run as the user who invoked it, so when coming from the
non-primary user we spin up a "system" process running as a uid of
that user.  Now when that process tries to access the settings
provider, the broken check would think that a new instance of the
settings provider should be created in the caller's process.

Change-Id: I7bf495ed8370cb271bdaec073d5b7dda9e38c546
diff --git a/services/java/com/android/server/am/ContentProviderRecord.java b/services/java/com/android/server/am/ContentProviderRecord.java
@@ -85,7 +85,7 @@ public ContentProviderHolder newHolder(ContentProviderConnection conn) {
 
     public boolean canRunHere(ProcessRecord app) {
         return (info.multiprocess || info.processName.equals(app.processName))
-                && (uid == Process.SYSTEM_UID || uid == app.info.uid);
+                && uid == app.info.uid;
     }
 
     public void addExternalProcessHandleLocked(IBinder token) {
diff --git a/services/java/com/android/server/pm/Settings.java b/services/java/com/android/server/pm/Settings.java
@@ -1259,7 +1259,7 @@ void writeLPr() {
                     final ArrayList<PackageCleanItem> pkgs = mPackagesToBeCleaned.valueAt(i);
                     for (int j=0; j<pkgs.size(); j++) {
                         serializer.startTag(null, "cleaning-package");
-                        PackageCleanItem item = pkgs.get(i);
+                        PackageCleanItem item = pkgs.get(j);
                         serializer.attribute(null, ATTR_NAME, item.packageName);
                         serializer.attribute(null, ATTR_CODE, item.andCode ? "true" : "false");
                         serializer.attribute(null, ATTR_USER, userStr);

Original file line number	Diff line number	Diff line change
`@@ -85,7 +85,7 @@ public ContentProviderHolder newHolder(ContentProviderConnection conn) {`
`85`	`85`
`86`	`86`	`public boolean canRunHere(ProcessRecord app) {`
`87`	`87`	`return (info.multiprocess \|\| info.processName.equals(app.processName))`
`88`		`- && (uid == Process.SYSTEM_UID \|\| uid == app.info.uid);`
	`88`	`+ && uid == app.info.uid;`
`89`	`89`	`}`
`90`	`90`
`91`	`91`	`public void addExternalProcessHandleLocked(IBinder token) {`