Make sure apps cannot forge package name on AssistStructure used for Autofill. (23e61a90) · Commits · e / os / android_frameworks_base

core/java/android/app/assist/AssistStructure.java

+10 −0

Original line number	Original line	Diff line number	Diff line
	@@ -2058,6 +2058,16 @@ public class AssistStructure implements Parcelable {
	return mActivityComponent;		return mActivityComponent;
	}		}

			/**
			* Called by Autofill server when app forged a different value.
			*
			* @hide
			*/
			public void setActivityComponent(ComponentName componentName) {
			ensureData();
			mActivityComponent = componentName;
			}

	/** @hide */		/** @hide */
	public int getFlags() {		public int getFlags() {
	return mFlags;		return mFlags;

core/java/android/view/autofill/AutofillManager.java

+23 −3

Original line number	Original line	Diff line number	Diff line
	@@ -24,6 +24,8 @@ import android.annotation.IntDef;
	import android.annotation.NonNull;		import android.annotation.NonNull;
	import android.annotation.Nullable;		import android.annotation.Nullable;
	import android.annotation.SystemService;		import android.annotation.SystemService;
			import android.app.Activity;
			import android.content.ComponentName;
	import android.content.Context;		import android.content.Context;
	import android.content.Intent;		import android.content.Intent;
	import android.content.IntentSender;		import android.content.IntentSender;
	@@ -44,6 +46,7 @@ import android.view.View;
	import com.android.internal.annotations.GuardedBy;		import com.android.internal.annotations.GuardedBy;
	import com.android.internal.logging.MetricsLogger;		import com.android.internal.logging.MetricsLogger;
	import com.android.internal.logging.nano.MetricsProto.MetricsEvent;		import com.android.internal.logging.nano.MetricsProto.MetricsEvent;
			import com.android.internal.util.Preconditions;

	import java.io.PrintWriter;		import java.io.PrintWriter;
	import java.lang.annotation.Retention;		import java.lang.annotation.Retention;
	@@ -390,7 +393,7 @@ public final class AutofillManager {
	* @hide		* @hide
	*/		*/
	public AutofillManager(Context context, IAutoFillManager service) {		public AutofillManager(Context context, IAutoFillManager service) {
	mContext = context;		mContext = Preconditions.checkNotNull(context, "context cannot be null");
	mService = service;		mService = service;
	}		}

	@@ -940,6 +943,13 @@ public final class AutofillManager {
	return mContext.getAutofillClient();		return mContext.getAutofillClient();
	}		}

			private ComponentName getComponentNameFromContext() {
			if (mContext instanceof Activity) {
			return ((Activity) mContext).getComponentName();
			}
			return null;
			}

	/** @hide */		/** @hide */
	public void onAuthenticationResult(int authenticationId, Intent data) {		public void onAuthenticationResult(int authenticationId, Intent data) {
	if (!hasAutofillFeature()) {		if (!hasAutofillFeature()) {
	@@ -990,9 +1000,14 @@ public final class AutofillManager {
	return;		return;
	}		}
	try {		try {
			final ComponentName componentName = getComponentNameFromContext();
			if (componentName == null) {
			Log.w(TAG, "startSessionLocked(): context is not activity: " + mContext);
			return;
			}
	mSessionId = mService.startSession(mContext.getActivityToken(),		mSessionId = mService.startSession(mContext.getActivityToken(),
	mServiceClient.asBinder(), id, bounds, value, mContext.getUserId(),		mServiceClient.asBinder(), id, bounds, value, mContext.getUserId(),
	mCallback != null, flags, mContext.getOpPackageName());		mCallback != null, flags, componentName);
	if (mSessionId != NO_SESSION) {		if (mSessionId != NO_SESSION) {
	mState = STATE_ACTIVE;		mState = STATE_ACTIVE;
	}		}
	@@ -1050,9 +1065,14 @@ public final class AutofillManager {

	try {		try {
	if (restartIfNecessary) {		if (restartIfNecessary) {
			final ComponentName componentName = getComponentNameFromContext();
			if (componentName == null) {
			Log.w(TAG, "startSessionLocked(): context is not activity: " + mContext);
			return;
			}
	final int newId = mService.updateOrRestartSession(mContext.getActivityToken(),		final int newId = mService.updateOrRestartSession(mContext.getActivityToken(),
	mServiceClient.asBinder(), id, bounds, value, mContext.getUserId(),		mServiceClient.asBinder(), id, bounds, value, mContext.getUserId(),
	mCallback != null, flags, mContext.getOpPackageName(), mSessionId, action);		mCallback != null, flags, componentName, mSessionId, action);
	if (newId != mSessionId) {		if (newId != mSessionId) {
	if (sDebug) Log.d(TAG, "Session restarted: " + mSessionId + "=>" + newId);		if (sDebug) Log.d(TAG, "Session restarted: " + mSessionId + "=>" + newId);
	mSessionId = newId;		mSessionId = newId;

core/java/android/view/autofill/IAutoFillManager.aidl

+4 −2

Original line number	Original line	Diff line number	Diff line
	@@ -16,6 +16,7 @@

	package android.view.autofill;		package android.view.autofill;

			import android.content.ComponentName;
	import android.graphics.Rect;		import android.graphics.Rect;
	import android.os.Bundle;		import android.os.Bundle;
	import android.os.IBinder;		import android.os.IBinder;
	@@ -34,14 +35,15 @@ interface IAutoFillManager {
	int addClient(in IAutoFillManagerClient client, int userId);		int addClient(in IAutoFillManagerClient client, int userId);
	int startSession(IBinder activityToken, in IBinder appCallback, in AutofillId autoFillId,		int startSession(IBinder activityToken, in IBinder appCallback, in AutofillId autoFillId,
	in Rect bounds, in AutofillValue value, int userId, boolean hasCallback, int flags,		in Rect bounds, in AutofillValue value, int userId, boolean hasCallback, int flags,
	String packageName);		in ComponentName componentName);
	FillEventHistory getFillEventHistory();		FillEventHistory getFillEventHistory();
	boolean restoreSession(int sessionId, in IBinder activityToken, in IBinder appCallback);		boolean restoreSession(int sessionId, in IBinder activityToken, in IBinder appCallback);
	void updateSession(int sessionId, in AutofillId id, in Rect bounds,		void updateSession(int sessionId, in AutofillId id, in Rect bounds,
	in AutofillValue value, int action, int flags, int userId);		in AutofillValue value, int action, int flags, int userId);
	int updateOrRestartSession(IBinder activityToken, in IBinder appCallback,		int updateOrRestartSession(IBinder activityToken, in IBinder appCallback,
	in AutofillId autoFillId, in Rect bounds, in AutofillValue value, int userId,		in AutofillId autoFillId, in Rect bounds, in AutofillValue value, int userId,
	boolean hasCallback, int flags, String packageName, int sessionId, int action);		boolean hasCallback, int flags, in ComponentName componentName, int sessionId,
			int action);
	void finishSession(int sessionId, int userId);		void finishSession(int sessionId, int userId);
	void cancelSession(int sessionId, int userId);		void cancelSession(int sessionId, int userId);
	void setAuthenticationResult(in Bundle data, int sessionId, int authenticationId, int userId);		void setAuthenticationResult(in Bundle data, int sessionId, int authenticationId, int userId);

proto/src/metrics_constants.proto

+13 −0

Original line number	Original line	Diff line number	Diff line
	@@ -4006,6 +4006,19 @@ message MetricsEvent {
	// OS: O		// OS: O
	FIELD_NOTIFICATION_GROUP_SUMMARY = 947;		FIELD_NOTIFICATION_GROUP_SUMMARY = 947;

			// An app attempted to forge a different component name in the AssisStructure that would be
			// passed to the autofill service.
			// OS: O (security patch)
			// Package: Real package of the app being autofilled
			// Tag FIELD_AUTOFILL_SERVICE: Package of the autofill service that processed the request
			// TAG FIELD_AUTOFILL_FORGED_COMPONENT_NAME: Component name being forged
			AUTOFILL_FORGED_COMPONENT_ATTEMPT = 948;

			// FIELD - The component that an app tried tro forged.
			// Type: string
			// OS: O (security patch)
			FIELD_AUTOFILL_FORGED_COMPONENT_NAME = 949;

	// ---- End O Constants, all O constants go above this line ----		// ---- End O Constants, all O constants go above this line ----

	// OPEN: Settings > System > Languages & input > Advanced > Lift to open camera		// OPEN: Settings > System > Languages & input > Advanced > Lift to open camera

services/autofill/java/com/android/server/autofill/AutofillManagerService.java

+8 −6

Original line number	Original line	Diff line number	Diff line
	@@ -533,25 +533,26 @@ public final class AutofillManagerService extends SystemService {
	@Override		@Override
	public int startSession(IBinder activityToken, IBinder appCallback, AutofillId autofillId,		public int startSession(IBinder activityToken, IBinder appCallback, AutofillId autofillId,
	Rect bounds, AutofillValue value, int userId, boolean hasCallback, int flags,		Rect bounds, AutofillValue value, int userId, boolean hasCallback, int flags,
	String packageName) {		ComponentName componentName) {

	activityToken = Preconditions.checkNotNull(activityToken, "activityToken");		activityToken = Preconditions.checkNotNull(activityToken, "activityToken");
	appCallback = Preconditions.checkNotNull(appCallback, "appCallback");		appCallback = Preconditions.checkNotNull(appCallback, "appCallback");
	autofillId = Preconditions.checkNotNull(autofillId, "autoFillId");		autofillId = Preconditions.checkNotNull(autofillId, "autoFillId");
	packageName = Preconditions.checkNotNull(packageName, "packageName");		componentName = Preconditions.checkNotNull(componentName, "componentName");
			final String packageName = Preconditions.checkNotNull(componentName.getPackageName());

	Preconditions.checkArgument(userId == UserHandle.getUserId(getCallingUid()), "userId");		Preconditions.checkArgument(userId == UserHandle.getUserId(getCallingUid()), "userId");

	try {		try {
	mContext.getPackageManager().getPackageInfoAsUser(packageName, 0, userId);		mContext.getPackageManager().getPackageInfoAsUser(packageName, 0, userId);
	} catch (PackageManager.NameNotFoundException e) {		} catch (PackageManager.NameNotFoundException e) {
	throw new IllegalArgumentException(packageName + " is not a valid package", e);		throw new IllegalArgumentException(componentName + " is not a valid package", e);
	}		}

	synchronized (mLock) {		synchronized (mLock) {
	final AutofillManagerServiceImpl service = getServiceForUserLocked(userId);		final AutofillManagerServiceImpl service = getServiceForUserLocked(userId);
	return service.startSessionLocked(activityToken, getCallingUid(), appCallback,		return service.startSessionLocked(activityToken, getCallingUid(), appCallback,
	autofillId, bounds, value, hasCallback, flags, packageName);		autofillId, bounds, value, hasCallback, flags, componentName);
	}		}
	}		}

	@@ -603,7 +604,8 @@ public final class AutofillManagerService extends SystemService {
	@Override		@Override
	public int updateOrRestartSession(IBinder activityToken, IBinder appCallback,		public int updateOrRestartSession(IBinder activityToken, IBinder appCallback,
	AutofillId autoFillId, Rect bounds, AutofillValue value, int userId,		AutofillId autoFillId, Rect bounds, AutofillValue value, int userId,
	boolean hasCallback, int flags, String packageName, int sessionId, int action) {		boolean hasCallback, int flags, ComponentName componentName, int sessionId,
			int action) {
	boolean restart = false;		boolean restart = false;
	synchronized (mLock) {		synchronized (mLock) {
	final AutofillManagerServiceImpl service = peekServiceForUserLocked(userId);		final AutofillManagerServiceImpl service = peekServiceForUserLocked(userId);
	@@ -614,7 +616,7 @@ public final class AutofillManagerService extends SystemService {
	}		}
	if (restart) {		if (restart) {
	return startSession(activityToken, appCallback, autoFillId, bounds, value, userId,		return startSession(activityToken, appCallback, autoFillId, bounds, value, userId,
	hasCallback, flags, packageName);		hasCallback, flags, componentName);
	}		}

	// Nothing changed...		// Nothing changed...