DO NOT MERGE. Add a permissions check to LocationManagerService.

Prevents apps from reading location requests of other users without INTERACT_ACROSS_USERS permission. Bug: 222473855 Test: Build Change-Id: Id591cd39ed7813c649b44d4a3210f0b1fb79b40d (cherry picked from commit 16560c09)

DO NOT MERGE. Add a permissions check to LocationManagerService.
5b376bc9 · Brian Julian · f6e715f9 · 5b376bc9
Commit 5b376bc9 authored 3 years ago by Brian Julian
--- a/services/core/java/com/android/server/location/LocationManagerService.java
+++ b/services/core/java/com/android/server/location/LocationManagerService.java
@@ -17,6 +17,7 @@
 package com.android.server.location;

 import static android.Manifest.permission.ACCESS_FINE_LOCATION;
+import static android.Manifest.permission.INTERACT_ACROSS_USERS;
 import static android.app.compat.CompatChanges.isChangeEnabled;
 import static android.content.pm.PackageManager.MATCH_DIRECT_BOOT_AWARE;
 import static android.content.pm.PackageManager.MATCH_SYSTEM_ONLY;
@@ -39,6 +40,7 @@ import android.Manifest;
 import android.Manifest.permission;
 import android.annotation.NonNull;
 import android.annotation.Nullable;
+import android.annotation.RequiresPermission;
 import android.app.ActivityManager;
 import android.app.AppOpsManager;
 import android.app.PendingIntent;
@@ -1063,8 +1065,10 @@ public class LocationManagerService extends ILocationManager.Stub implements

    @Override
    public void addProviderRequestListener(IProviderRequestListener listener) {
-        for (LocationProviderManager manager : mProviderManagers) {
-            manager.addProviderRequestListener(listener);
+        if (mContext.checkCallingOrSelfPermission(INTERACT_ACROSS_USERS) == PERMISSION_GRANTED) {
+            for (LocationProviderManager manager : mProviderManagers) {
+                manager.addProviderRequestListener(listener);
+            }
        }
    }