Merge tag 'android-security-13.0.0_r26' of https://android.googlesour…

…ce.com/platform/packages/modules/Bluetooth into thirteen Android Security 13.0.0 Release 26 (12787467)
PixelExperience-LEGACY-edition · Feb 7, 2025 · 0662ee1 · 0662ee1
2 parents 38bfb1a + 755318b
commit 0662ee1
Show file tree

Hide file tree

Showing 3 changed files with 160 additions and 153 deletions.
diff --git a/android/app/src/com/android/bluetooth/btservice/BondStateMachine.java b/android/app/src/com/android/bluetooth/btservice/BondStateMachine.java
@@ -463,6 +463,13 @@ void sendIntent(BluetoothDevice device, int newState, int reason,
             }
         }
 
+        if (newState == BluetoothDevice.BOND_NONE) {
+            // Remove the permissions for unbonded devices
+            mAdapterService.setMessageAccessPermission(device, BluetoothDevice.ACCESS_UNKNOWN);
+            mAdapterService.setPhonebookAccessPermission(device, BluetoothDevice.ACCESS_UNKNOWN);
+            mAdapterService.setSimAccessPermission(device, BluetoothDevice.ACCESS_UNKNOWN);
+        }
+
         Intent intent = new Intent(BluetoothDevice.ACTION_BOND_STATE_CHANGED);
         intent.putExtra(BluetoothDevice.EXTRA_DEVICE, device);
         intent.putExtra(BluetoothDevice.EXTRA_BOND_STATE, newState);

diff --git a/android/app/src/com/android/bluetooth/opp/BluetoothOppSendFileInfo.java b/android/app/src/com/android/bluetooth/opp/BluetoothOppSendFileInfo.java
@@ -32,13 +32,16 @@
 
 package com.android.bluetooth.opp;
 
+import static android.os.UserHandle.myUserId;
+
 import android.content.ContentResolver;
 import android.content.Context;
 import android.content.res.AssetFileDescriptor;
 import android.database.Cursor;
 import android.database.sqlite.SQLiteException;
 import android.net.Uri;
 import android.provider.OpenableColumns;
+import android.text.TextUtils;
 import android.util.EventLog;
 import android.util.Log;
 
@@ -49,6 +52,7 @@
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.IOException;
+import java.util.Objects;
 
 /**
  * This class stores information about a single sending file It will only be
@@ -117,6 +121,11 @@ public static BluetoothOppSendFileInfo generateFileInfo(Context context, Uri uri
                 return SEND_FILE_INFO_ERROR;
             }
 
+            if (isContentUriForOtherUser(uri)) {
+                Log.e(TAG, "Uri: " + uri + " is invalid for user " + myUserId());
+                return SEND_FILE_INFO_ERROR;
+            }
+
             contentType = contentResolver.getType(uri);
             Cursor metadataCursor;
             try {
@@ -253,6 +262,12 @@ public static BluetoothOppSendFileInfo generateFileInfo(Context context, Uri uri
         return new BluetoothOppSendFileInfo(fileName, contentType, length, is, 0);
     }
 
+    private static boolean isContentUriForOtherUser(Uri uri) {
+        String uriUserId = uri.getUserInfo();
+        return !TextUtils.isEmpty(uriUserId)
+                && !Objects.equals(uriUserId, String.valueOf(myUserId()));
+    }
+
     private static long getStreamSize(FileInputStream is) throws IOException {
         long length = 0;
         byte[] unused = new byte[4096];