
Commit 3997eaa6 authored by Pinyao Ting's avatar Pinyao Ting

Preventing component spoofing during getShortcutIntent

Bug: 184972789
Test: manually verified in log that calling PendingIntent#send
      resulted in SecurityException which is being swallowed in
      PendingIntentRecord#sendInner

Change-Id: Iebf95631949c52a262455621b62b49c320113a21
parent c449e23d
+8 −0
@@ -568,6 +568,14 @@ public abstract class ActivityManagerInternal {
            int requestCode, @NonNull Intent intent, int flags, Bundle options,
            int requestCode, @NonNull Intent intent, int flags, Bundle options,
            String ownerPkgName, int ownerUid);
            String ownerPkgName, int ownerUid);


    /**
     * Effectively PendingIntent.getActivityForUser(), but the PendingIntent is
     * owned by the given uid rather than by the caller (i.e. the system).
     */
    public abstract PendingIntent getPendingIntentActivityAsApp(
            int requestCode, @NonNull Intent[] intents, int flags, Bundle options,
            String ownerPkgName, int ownerUid);

    /**
    /**
     * @return mBootTimeTempAllowlistDuration of ActivityManagerConstants.
     * @return mBootTimeTempAllowlistDuration of ActivityManagerConstants.
     */
     */
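Review bot: The Javadoc on the new `Intent[]` overload repeats the single-intent wording (`Effectively PendingIntent.getActivityForUser()`), although this overload takes an array and replaces the `PendingIntent.getActivitiesAsUser` call removed in the LauncherAppsService section of this commit. It also leaves the ownership contract unstated, which matters because the method exists to control who owns the PendingIntent. I would reword the first sentence to `Effectively PendingIntent.getActivitiesAsUser(), but the PendingIntent is owned by the given uid rather than by the caller (i.e. the system).` and add one sentence saying that `ownerPkgName` is expected to be a package running under `ownerUid`, and whether the implementation verifies that pairing or trusts the caller.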
+19 −5
@@ -16151,6 +16151,14 @@ public class ActivityManagerService extends IActivityManager.Stub
        public PendingIntent getPendingIntentActivityAsApp(
        public PendingIntent getPendingIntentActivityAsApp(
                int requestCode, @NonNull Intent intent, int flags, Bundle options,
                int requestCode, @NonNull Intent intent, int flags, Bundle options,
                String ownerPkg, int ownerUid) {
                String ownerPkg, int ownerUid) {
            return getPendingIntentActivityAsApp(requestCode, new Intent[] { intent }, flags,
                    options, ownerPkg, ownerUid);
        }
        @Override
        public PendingIntent getPendingIntentActivityAsApp(
                int requestCode, @NonNull Intent[] intents, int flags, Bundle options,
                String ownerPkg, int ownerUid) {
            // system callers must explicitly set mutability state
            // system callers must explicitly set mutability state
            final boolean flagImmutableSet = (flags & PendingIntent.FLAG_IMMUTABLE) != 0;
            final boolean flagImmutableSet = (flags & PendingIntent.FLAG_IMMUTABLE) != 0;
            final boolean flagMutableSet = (flags & PendingIntent.FLAG_MUTABLE) != 0;
            final boolean flagMutableSet = (flags & PendingIntent.FLAG_MUTABLE) != 0;
@@ -16160,15 +16168,21 @@ public class ActivityManagerService extends IActivityManager.Stub
            }
            }
            final Context context = ActivityManagerService.this.mContext;
            final Context context = ActivityManagerService.this.mContext;
            String resolvedType = intent.resolveTypeIfNeeded(context.getContentResolver());
            final ContentResolver resolver = context.getContentResolver();
            final int len = intents.length;
            final String[] resolvedTypes = new String[len];
            for (int i = 0; i < len; i++) {
                final Intent intent = intents[i];
                resolvedTypes[i] = intent.resolveTypeIfNeeded(resolver);
                intent.migrateExtraStreamToClipData(context);
                intent.migrateExtraStreamToClipData(context);
                intent.prepareToLeaveProcess(context);
                intent.prepareToLeaveProcess(context);
            }
            IIntentSender target =
            IIntentSender target =
                    ActivityManagerService.this.getIntentSenderWithFeatureAsApp(
                    ActivityManagerService.this.getIntentSenderWithFeatureAsApp(
                            INTENT_SENDER_ACTIVITY, ownerPkg,
                            INTENT_SENDER_ACTIVITY, ownerPkg,
                            context.getAttributionTag(), null, null, requestCode,
                            context.getAttributionTag(), null, null, requestCode,
                            new Intent[] { intent },
                            intents,
                            resolvedType != null ? new String[] { resolvedType } : null,
                            resolvedTypes,
                            flags, options, UserHandle.getUserId(ownerUid), ownerUid);
                            flags, options, UserHandle.getUserId(ownerUid), ownerUid);
            return target != null ? new PendingIntent(target) : null;
            return target != null ? new PendingIntent(target) : null;
        }
        }
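Review bot: The new loop dereferences `intents[i]` without a check, and `@NonNull` on the parameter only covers the array itself, so a null element or an empty array reaches `getIntentSenderWithFeatureAsApp` or fails with a bare NullPointerException inside the system process. A guard at the top of the loop such as `Objects.requireNonNull(intents[i], "intents[" + i + "]");`, plus an explicit decision for `intents.length == 0`, would make the failure intentional. Separately, the old code passed `null` for the resolved types when the single type was null, while the new code always passes a `String[]` whose entries may be null; a short comment saying the callee accepts that would help the next reader. The mutability check that sits between the two hunks is not shown here, so this note assumes it is unchanged.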
+8 −9
@@ -698,14 +698,13 @@ public class LauncherAppsService extends SystemService {
            }
            }
            final long ident = Binder.clearCallingIdentity();
            final long ident = Binder.clearCallingIdentity();
            try {
            try {
                return injectCreatePendingIntent(mContext.createPackageContextAsUser(packageName,
                return injectCreatePendingIntent(0 /* requestCode */, intents,
                        0, user), 0 /* requestCode */, intents, FLAG_MUTABLE, opts, user);
                        FLAG_MUTABLE, opts, packageName, mPackageManagerInternal.getPackageUid(
            } catch (PackageManager.NameNotFoundException e) {
                                packageName, PackageManager.MATCH_DIRECT_BOOT_AUTO,
                Slog.e(TAG, "Cannot create pending intent from shortcut " + shortcutId, e);
                                user.getIdentifier()));
            } finally {
            } finally {
                Binder.restoreCallingIdentity(ident);
                Binder.restoreCallingIdentity(ident);
            }
            }
            return null;
        }
        }


        @Override
        @Override
@@ -812,10 +811,10 @@ public class LauncherAppsService extends SystemService {
        }
        }


        @VisibleForTesting
        @VisibleForTesting
        PendingIntent injectCreatePendingIntent(Context context, int requestCode,
        PendingIntent injectCreatePendingIntent(int requestCode, @NonNull Intent[] intents,
                @NonNull Intent[] intents, int flags, Bundle options, UserHandle user) {
                int flags, Bundle options, String ownerPackage, int ownerUserId) {
            return PendingIntent.getActivitiesAsUser(context, requestCode, intents, flags, options,
            return mActivityManagerInternal.getPendingIntentActivityAsApp(requestCode, intents,
                    user);
                    flags, options, ownerPackage, ownerUserId);
        }
        }


        @Override
        @Override
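Review bot: The value returned by `mPackageManagerInternal.getPackageUid(...)` is passed straight through as the owner of the PendingIntent without being checked. The removed code returned null when the package could not be resolved (the `NameNotFoundException` catch), and the new lookup has no equivalent path, so if it reports a missing package with a negative value (not visible here, please confirm) that value is forwarded as `ownerUid`. Consider resolving the uid into a local first and returning null, with the same `Slog.e(TAG, "Cannot create pending intent from shortcut " + shortcutId)` message, when it is negative. In the second hunk the last parameter of `injectCreatePendingIntent` is named `ownerUserId` but receives a uid and is forwarded as `ownerUid`; renaming it to `ownerUid` avoids a user-id/uid mix-up at the call that decides who owns the intent. Both method bodies start outside the hunks.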
+2 −2
@@ -635,8 +635,8 @@ public abstract class BaseShortcutManagerTest extends InstrumentationTestCase {
        }
        }


        @Override
        @Override
        PendingIntent injectCreatePendingIntent(Context context, int requestCode,
        PendingIntent injectCreatePendingIntent(int requestCode, @NonNull Intent[] intents,
                @NonNull Intent[] intents, int flags, Bundle options, UserHandle user) {
                int flags, Bundle options, String ownerPackage, int ownerUserId) {
            return new PendingIntent(mock(IIntentSender.class));
            return new PendingIntent(mock(IIntentSender.class));
        }
        }
    }
    }