Fix unsafe intent event logging (3c0fee06) · Commits · e / os / android_frameworks_base

services/core/java/com/android/server/am/ActivityManagerService.java

+9 −33

Original line number	Diff line number	Diff line
		@@ -101,7 +101,7 @@ import static android.text.format.DateUtils.DAY_IN_MILLIS;
		import static android.util.FeatureFlagUtils.SETTINGS_ENABLE_MONITOR_PHANTOM_PROCS;

		import static com.android.internal.protolog.ProtoLogGroup.WM_DEBUG_CONFIGURATION;
		import static com.android.internal.util.FrameworkStatsLog.UNSAFE_INTENT_EVENT_REPORTED;
		import static com.android.internal.util.FrameworkStatsLog.UNSAFE_INTENT_EVENT_REPORTED__EVENT_TYPE__INTERNAL_NON_EXPORTED_COMPONENT_MATCH;
		import static com.android.internal.util.FrameworkStatsLog.UNSAFE_INTENT_EVENT_REPORTED__EVENT_TYPE__NEW_MUTABLE_IMPLICIT_PENDING_INTENT_RETRIEVED;
		import static com.android.server.am.ActivityManagerDebugConfig.DEBUG_ALL;
		import static com.android.server.am.ActivityManagerDebugConfig.DEBUG_ALLOWLISTS;
		@@ -5585,8 +5585,11 @@ public class ActivityManagerService extends IActivityManager.Stub
		boolean isChangeEnabled = CompatChanges.isChangeEnabled(
		PendingIntent.BLOCK_MUTABLE_IMPLICIT_PENDING_INTENT,
		owningUid);
		logUnsafeMutableImplicitPi(packageName, resolvedTypes, owningUid, i, intent,
		isChangeEnabled);
		String resolvedType = resolvedTypes == null
		\|\| i >= resolvedTypes.length ? null : resolvedTypes[i];
		ActivityManagerUtils.logUnsafeIntentEvent(
		UNSAFE_INTENT_EVENT_REPORTED__EVENT_TYPE__NEW_MUTABLE_IMPLICIT_PENDING_INTENT_RETRIEVED,
		owningUid, intent, resolvedType, isChangeEnabled);
		if (isChangeEnabled) {
		String msg = packageName + ": Targeting U+ (version "
		+ Build.VERSION_CODES.UPSIDE_DOWN_CAKE + " and above) disallows"
		@@ -5652,24 +5655,6 @@ public class ActivityManagerService extends IActivityManager.Stub
		}
		}

		private void logUnsafeMutableImplicitPi(String packageName, String[] resolvedTypes,
		int owningUid, int i, Intent intent, boolean isChangeEnabled) {
		String[] categories = intent.getCategories() == null ? new String[0]
		: intent.getCategories().toArray(String[]::new);
		String resolvedType = resolvedTypes == null \|\| i >= resolvedTypes.length ? null
		: resolvedTypes[i];
		FrameworkStatsLog.write(UNSAFE_INTENT_EVENT_REPORTED,
		UNSAFE_INTENT_EVENT_REPORTED__EVENT_TYPE__NEW_MUTABLE_IMPLICIT_PENDING_INTENT_RETRIEVED,
		owningUid,
		null,
		packageName,
		intent.getAction(),
		categories,
		resolvedType,
		intent.getScheme(),
		isChangeEnabled);
		}

		@Override
		public int sendIntentSender(IApplicationThread caller, IIntentSender target,
		IBinder allowlistToken, int code, Intent intent, String resolvedType,
		@@ -12909,18 +12894,9 @@ public class ActivityManagerService extends IActivityManager.Stub
		boolean hasToBeExportedToMatch = platformCompat.isChangeEnabledByUid(
		ActivityManagerService.IMPLICIT_INTENTS_ONLY_MATCH_EXPORTED_COMPONENTS,
		callingUid);
		String[] categories = intent.getCategories() == null ? new String[0]
		: intent.getCategories().toArray(String[]::new);
		FrameworkStatsLog.write(UNSAFE_INTENT_EVENT_REPORTED,
		FrameworkStatsLog.UNSAFE_INTENT_EVENT_REPORTED__EVENT_TYPE__INTERNAL_NON_EXPORTED_COMPONENT_MATCH,
		callingUid,
		componentInfo,
		callerPackage,
		intent.getAction(),
		categories,
		resolvedType,
		intent.getScheme(),
		hasToBeExportedToMatch);
		ActivityManagerUtils.logUnsafeIntentEvent(
		UNSAFE_INTENT_EVENT_REPORTED__EVENT_TYPE__INTERNAL_NON_EXPORTED_COMPONENT_MATCH,
		callingUid, intent, resolvedType, hasToBeExportedToMatch);
		if (!hasToBeExportedToMatch) {
		return;
		}

services/core/java/com/android/server/am/ActivityManagerUtils.java

+23 −0

Original line number	Diff line number	Diff line
		@@ -17,11 +17,13 @@ package com.android.server.am;

		import android.app.ActivityThread;
		import android.content.ContentResolver;
		import android.content.Intent;
		import android.provider.Settings;
		import android.util.ArrayMap;

		import com.android.internal.annotations.GuardedBy;
		import com.android.internal.annotations.VisibleForTesting;
		import com.android.internal.util.FrameworkStatsLog;

		import java.security.MessageDigest;
		import java.security.NoSuchAlgorithmException;
		@@ -133,4 +135,25 @@ public class ActivityManagerUtils {
		public static int hashComponentNameForAtom(String shortInstanceName) {
		return getUnsignedHashUnCached(shortInstanceName) ^ getAndroidIdHash();
		}

		/**
		* Helper method to log an unsafe intent event.
		*/
		public static void logUnsafeIntentEvent(int event, int callingUid,
		Intent intent, String resolvedType, boolean blocked) {
		String[] categories = intent.getCategories() == null ? new String[0]
		: intent.getCategories().toArray(String[]::new);
		String component = intent.getComponent() == null ? null
		: intent.getComponent().flattenToString();
		FrameworkStatsLog.write(FrameworkStatsLog.UNSAFE_INTENT_EVENT_REPORTED,
		event,
		callingUid,
		component,
		intent.getPackage(),
		intent.getAction(),
		categories,
		resolvedType,
		intent.getScheme(),
		blocked);
		}
		}

services/core/java/com/android/server/pm/PackageManagerServiceUtils.java

+18 −13

Original line number	Diff line number	Diff line
		@@ -24,6 +24,7 @@ import static android.system.OsConstants.O_CREAT;
		import static android.system.OsConstants.O_RDWR;

		import static com.android.internal.content.NativeLibraryHelper.LIB_DIR_NAME;
		import static com.android.internal.util.FrameworkStatsLog.UNSAFE_INTENT_EVENT_REPORTED__EVENT_TYPE__EXPLICIT_INTENT_FILTER_UNMATCH;
		import static com.android.server.LocalManagerRegistry.ManagerNotFoundException;
		import static com.android.server.pm.PackageManagerService.COMPRESSED_EXTENSION;
		import static com.android.server.pm.PackageManagerService.DEBUG_COMPRESSION;
		@@ -94,6 +95,7 @@ import com.android.server.EventLogTags;
		import com.android.server.IntentResolver;
		import com.android.server.LocalManagerRegistry;
		import com.android.server.Watchdog;
		import com.android.server.am.ActivityManagerUtils;
		import com.android.server.compat.PlatformCompat;
		import com.android.server.pm.dex.PackageDexUsage;
		import com.android.server.pm.pkg.AndroidPackage;
		@@ -1186,12 +1188,6 @@ public class PackageManagerServiceUtils {
		continue;
		}

		// Only enforce filter matching if target app's target SDK >= T
		if (!compat.isChangeEnabledInternal(
		ENFORCE_INTENTS_TO_MATCH_INTENT_FILTERS, info.applicationInfo)) {
		continue;
		}

		final ParsedMainComponent comp;
		if (info instanceof ActivityInfo) {
		if (isReceiver) {
		@@ -1210,6 +1206,10 @@ public class PackageManagerServiceUtils {
		continue;
		}

		// Only enforce filter matching if target app's target SDK >= T
		final boolean enforce = compat.isChangeEnabledInternal(
		ENFORCE_INTENTS_TO_MATCH_INTENT_FILTERS, info.applicationInfo);

		boolean match = false;
		for (int j = 0, size = comp.getIntents().size(); j < size; ++j) {
		IntentFilter intentFilter = comp.getIntents().get(j).getIntentFilter();
		@@ -1219,6 +1219,10 @@ public class PackageManagerServiceUtils {
		}
		}
		if (!match) {
		ActivityManagerUtils.logUnsafeIntentEvent(
		UNSAFE_INTENT_EVENT_REPORTED__EVENT_TYPE__EXPLICIT_INTENT_FILTER_UNMATCH,
		filterCallingUid, intent, resolvedType, enforce);
		if (enforce) {
		Slog.w(TAG, "Intent does not match component's intent filter: " + intent);
		Slog.w(TAG, "Access blocked: " + comp.getComponentName());
		if (DEBUG_INTENT_MATCHING) {
		@@ -1230,6 +1234,7 @@ public class PackageManagerServiceUtils {
		}
		}
		}
		}


		/**

services/core/java/com/android/server/pm/ResolveIntentHelper.java

+5 −13

Original line number	Diff line number	Diff line
		@@ -18,6 +18,7 @@ package com.android.server.pm;

		import static android.os.Trace.TRACE_TAG_PACKAGE_MANAGER;

		import static com.android.internal.util.FrameworkStatsLog.UNSAFE_INTENT_EVENT_REPORTED__EVENT_TYPE__INTERNAL_NON_EXPORTED_COMPONENT_MATCH;
		import static com.android.server.pm.PackageManagerService.DEBUG_INSTANT;
		import static com.android.server.pm.PackageManagerService.DEBUG_INTENT_MATCHING;
		import static com.android.server.pm.PackageManagerService.TAG;
		@@ -55,9 +56,9 @@ import android.util.Slog;

		import com.android.internal.app.ResolverActivity;
		import com.android.internal.util.ArrayUtils;
		import com.android.internal.util.FrameworkStatsLog;
		import com.android.server.LocalServices;
		import com.android.server.am.ActivityManagerService;
		import com.android.server.am.ActivityManagerUtils;
		import com.android.server.compat.PlatformCompat;
		import com.android.server.pm.pkg.AndroidPackage;
		import com.android.server.pm.pkg.PackageStateInternal;
		@@ -130,18 +131,9 @@ final class ResolveIntentHelper {
		boolean hasToBeExportedToMatch = platformCompat.isChangeEnabledByUid(
		ActivityManagerService.IMPLICIT_INTENTS_ONLY_MATCH_EXPORTED_COMPONENTS,
		filterCallingUid);
		String[] categories = intent.getCategories() == null ? new String[0]
		: intent.getCategories().toArray(String[]::new);
		FrameworkStatsLog.write(FrameworkStatsLog.UNSAFE_INTENT_EVENT_REPORTED,
		FrameworkStatsLog.UNSAFE_INTENT_EVENT_REPORTED__EVENT_TYPE__INTERNAL_NON_EXPORTED_COMPONENT_MATCH,
		filterCallingUid,
		query.get(i).getComponentInfo().getComponentName().flattenToShortString(),
		callerPackage,
		intent.getAction(),
		categories,
		resolvedType,
		intent.getScheme(),
		hasToBeExportedToMatch);
		ActivityManagerUtils.logUnsafeIntentEvent(
		UNSAFE_INTENT_EVENT_REPORTED__EVENT_TYPE__INTERNAL_NON_EXPORTED_COMPONENT_MATCH,
		filterCallingUid, intent, resolvedType, hasToBeExportedToMatch);
		if (callback != null) {
		handler.post(() -> {
		try {