
Commit 3ef3a815 authored by Achim Thesmann

Always allow BAL for system.

This automatically opts in all activity starts by system processes
to grant the system process' BAL privileges.

The reason for this is that shared UID for system processes is common
and most automated tests actually ran against configurations that have
additional packages installed that downgrade the system process' target
SDK. This is also true for the droidfood population, which is running
userdebug/eng builds.
With the lower target SDK of the system UID the CompatChange call that
means for the droidfood population and even for many tests that run
against non-pure (i.e. -user) configurations the feature was likely
not fully activated (only for app processes).
While we have data from the droidfood population that indicates the
potential for breakages is limited, we decided that it would be better to
allow system processes to start BAL and reduce those privileges with the
next QPR (especially since only system processes will be affected).

This reduces the impact of the BAL hardening, but allows us to keep the
logic in place and try to remove this workaround later.

Related bug: b/282922910 - IsChangeEnabledByUid() returning different values in user vs userdebug

Test: atest BackgroundActivityLaunchTest ActivityStarterTests
Bug: 283138430
Change-Id: If1891a4edba38c77986e6e391cdc65c841f2e993
parent af89904f
+9 −0
@@ -42,6 +42,7 @@ import android.os.Bundle;
import android.os.IBinder;
import android.os.PowerWhitelistManager;
import android.os.PowerWhitelistManager.ReasonCode;
import android.os.Process;
import android.os.RemoteCallbackList;
import android.os.RemoteException;
import android.os.TransactionTooLargeException;
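Review bot: the new android.os.Process import exists only to reference Process.SYSTEM_UID in the temporary early return added further down in this file; when that workaround is removed as the commit message plans for the next QPR, this import should be removed with it, otherwise it lingers as an unused import. Its position (after PowerWhitelistManager.ReasonCode, before RemoteCallbackList) is consistent with the ordering of the surrounding import block.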
@@ -382,6 +383,14 @@ public final class PendingIntentRecord extends IIntentSender.Stub {
            })
    public static BackgroundStartPrivileges getDefaultBackgroundStartPrivileges(
            int callingUid) {
        if (UserHandle.getAppId(callingUid) == Process.SYSTEM_UID) {
            // We temporarily allow BAL for system processes, while we verify that all valid use
            // cases are opted in explicitly to grant their BAL permission.
            // Background: In many cases devices are running additional apps that share UID with
            // the system. If one of these apps targets a lower SDK the change is not active, but
            // as soon as that app is upgraded (or removed) BAL would be blocked. (b/283138430)
            return BackgroundStartPrivileges.ALLOW_BAL;
        }
        boolean isChangeEnabledForApp = CompatChanges.isChangeEnabled(
                DEFAULT_RESCIND_BAL_PRIVILEGES_FROM_PENDING_INTENT_SENDER, callingUid);
        if (isChangeEnabledForApp) {
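Review bot: the early return for SYSTEM_UID at the top of getDefaultBackgroundStartPrivileges skips the CompatChanges.isChangeEnabled check entirely, so for any package that shares the system UID (which the comment itself notes is common) the DEFAULT_RESCIND_BAL_PRIVILEGES_FROM_PENDING_INTENT_SENDER change can no longer be observed, whatever the target SDK of the packages involved. That is the stated intent, but the comment calls the allowance temporary while carrying only a parenthetical bug reference; it should be a TODO(b/283138430) so the workaround is found again when the privilege is reduced, and the tests named in the commit message should pin both sides of the branch (a system-UID caller gets BackgroundStartPrivileges.ALLOW_BAL; a non-system caller still reaches the compat-change path below) so that removing the early return shows up as a test change rather than a silent behaviour shift. The comment should also state that the comparison is on UserHandle.getAppId(callingUid), so it matches the system UID in every user, not only the primary user.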