
Commit 07561c7d authored by Nan Wu's avatar Nan Wu Committed by Android Build Coastguard Worker

RESTRICT AUTOMERGE Allow an activity to start a new task via startNextMatchingActivity

A vulnerability bug fix (b/230492947) causes this to no longer work.
We cannot simply fix the issue by trying to avoid moving the task to
the front. The real reason is that startNextMatchingActivity uses
launchedFromUid (the app that launches the original activity) as
the callingUid and realCallingUid to launch the next matching
activity - though setting callingUid is largely irrelevant because
ActivityStarter sets it to the caller app's uid if the caller is set;
in this case, the caller is set to the app that calls the method.
But for BAL purposes, this is not good because the launched-from
app might have privileges, such as the Launcher app. Change the
realCallingUid to the activity that calls startNextMatchingActivity.

Bug: 337726734
Test: Manual test. BackgroundActivityLaunchTest#testBackgroundActivityBlockedInStartNextMatchingActivity
Flag: EXEMPT Bug Fix
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d34ae40f870d4362a069940a035a4d58a536a231)
Cherrypick-From: https://googleplex-android-review.googlesource.com/q/commit:f556abab8c6f4786326647e0144bb6a018adc605
Merged-In: Ia8c6123e8e9325d17d2bfab9589b11eb087da97a
Change-Id: Ia8c6123e8e9325d17d2bfab9589b11eb087da97a
parent 0d6bfc8a
+26 −16
@@ -1410,13 +1410,23 @@ public class ActivityTaskManagerService extends IActivityTaskManager.Stub {
                resultTo.removeResultsLocked(r, resultWho, requestCode);
                resultTo.removeResultsLocked(r, resultWho, requestCode);
            }
            }


            final int origCallingUid = Binder.getCallingUid();
            final int origCallingPid = Binder.getCallingPid();
            final long origId = Binder.clearCallingIdentity();
            final long origId = Binder.clearCallingIdentity();
            // TODO(b/64750076): Check if calling pid should really be -1.
            // TODO(b/64750076): Check if calling pid should really be -1.
            try {
            try {
                if (options == null) {
                if (options == null) {
                    options = new SafeActivityOptions(ActivityOptions.makeBasic());
                    options = new SafeActivityOptions(ActivityOptions.makeBasic());
                }
                }
                options.getOptions(r).setAvoidMoveToFront();

                // Fixes b/230492947 b/337726734
                // Prevents background activity launch through #startNextMatchingActivity
                // launchedFromUid of the calling activity represents the app that launches it.
                // It may have BAL privileges (i.e. the Launcher App). Using its identity to
                // launch to launch next matching activity causes BAL.
                // Change the realCallingUid to the calling activity's uid.
                // In ActivityStarter, when caller is set, the callingUid and callingPid are
                // ignored. So now both callingUid and realCallingUid is set to the caller app.
                final int res = getActivityStartController()
                final int res = getActivityStartController()
                        .obtainStarter(intent, "startNextMatchingActivity")
                        .obtainStarter(intent, "startNextMatchingActivity")
                        .setCaller(r.app.getThread())
                        .setCaller(r.app.getThread())
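Review bot: The Binder identity is read into origCallingUid/origCallingPid before Binder.clearCallingIdentity(), which is the right order; after clearCallingIdentity() those calls would return system_server's own uid/pid and the fix would silently grant the system identity instead of the caller's. Two smaller points in this hunk: the new comment has a duplicated phrase ("Using its identity to launch to launch next matching activity") and should read "Using its identity to launch the next matching activity", and "both callingUid and realCallingUid is set" should be "are set". Also, the commit message says avoiding the move-to-front was not a sufficient fix, yet options.getOptions(r).setAvoidMoveToFront() is kept; a short comment saying it is retained as defense in depth rather than as the fix would prevent a later cleanup from dropping it.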
@@ -1429,8 +1439,8 @@ public class ActivityTaskManagerService extends IActivityTaskManager.Stub {
                        .setCallingUid(r.launchedFromUid)
                        .setCallingUid(r.launchedFromUid)
                        .setCallingPackage(r.launchedFromPackage)
                        .setCallingPackage(r.launchedFromPackage)
                        .setCallingFeatureId(r.launchedFromFeatureId)
                        .setCallingFeatureId(r.launchedFromFeatureId)
                    .setRealCallingPid(-1)
                        .setRealCallingPid(origCallingPid)
                    .setRealCallingUid(r.launchedFromUid)
                        .setRealCallingUid(origCallingUid)
                        .setActivityOptions(options)
                        .setActivityOptions(options)
                        .execute();
                        .execute();
                r.finishing = wasFinishing;
                r.finishing = wasFinishing;
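Review bot: With .setRealCallingPid(origCallingPid) now carrying a real pid, the retained "TODO(b/64750076): Check if calling pid should really be -1." from the first hunk is stale and should be removed or reworded, since the pid is no longer -1. The resulting starter is also intentionally mixed: .setCallingUid(r.launchedFromUid) and .setCallingPackage(r.launchedFromPackage) still describe the launched-from app, while .setRealCallingUid(origCallingUid) describes the Binder caller. The commit message explains that callingUid is overridden when setCaller is used, but callingPackage is not mentioned; a one-line comment here confirming that the BAL decision keys on realCallingUid/realCallingPid and not on the launched-from package would make the intent clear to the next reader. Finally, the Test line lists BackgroundActivityLaunchTest#testBackgroundActivityBlockedInStartNextMatchingActivity as a manual test; if that case exists in the suite, it should be run automatically so the regression is caught if the identity handling is changed again.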