
Commit 494f17c1 authored by TreeHugger Robot's avatar TreeHugger Robot Committed by Automerger Merge Worker

Merge "Add checks to allow SDK sandbox uids to broadcast certain intents" into...

Merge "Add checks to allow SDK sandbox uids to broadcast certain intents" into tm-dev am: 3e4899e1

Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/base/+/17070425



Change-Id: I5b2bbaa34b672fd809978c15b2af233c60b5e93b
Signed-off-by: default avatarAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
parents 3878b00e 3e4899e1
+10 −0
@@ -13648,6 +13648,16 @@ public class ActivityManagerService extends IActivityManager.Stub
                intent.addFlags(Intent.FLAG_RECEIVER_INCLUDE_BACKGROUND);
            }
            if (Process.isSdkSandboxUid(realCallingUid)) {
                SdkSandboxManagerLocal sdkSandboxManagerLocal = LocalManagerRegistry.getManager(
                        SdkSandboxManagerLocal.class);
                if (sdkSandboxManagerLocal == null) {
                    throw new IllegalStateException("SdkSandboxManagerLocal not found when sending"
                            + " a broadcast from an SDK sandbox uid.");
                }
                sdkSandboxManagerLocal.enforceAllowedToSendBroadcast(intent);
            }
            switch (action) {
                case Intent.ACTION_MEDIA_SCANNER_SCAN_FILE:
                    UserManagerInternal umInternal = LocalServices.getService(
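Review bot: The new gate tests only `realCallingUid`, so a broadcast that is attributed to an SDK sandbox uid but delivered by a different process would not reach `enforceAllowedToSendBroadcast(intent)`. Whether this method also carries a separate attributed uid is not visible in the hunk; if a `callingUid` is in scope here, the condition should probably be `if (Process.isSdkSandboxUid(realCallingUid) || Process.isSdkSandboxUid(callingUid)) {`. Throwing when the manager is missing is the right fail-closed choice and deserves a short comment such as `// Fail closed: a sandbox uid must never broadcast without the policy check.`. The enclosing method starts and ends outside the hunk.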
+15 −0
@@ -1337,6 +1337,21 @@ class ActivityStarter {
                : (realCallingAppId == Process.SYSTEM_UID)
                        || realCallingUidProcState <= ActivityManager.PROCESS_STATE_PERSISTENT_UI;

        // In the case of an SDK sandbox calling uid, check if the corresponding app uid has a
        // visible window.
        if (Process.isSdkSandboxUid(realCallingUid)) {
            int realCallingSdkSandboxUidToAppUid = Process.getAppUidForSdkSandboxUid(
                    UserHandle.getAppId(realCallingUid));

            if (mService.hasActiveVisibleWindow(realCallingSdkSandboxUidToAppUid)) {
                if (DEBUG_ACTIVITY_STARTS) {
                    Slog.d(TAG, "Activity start allowed: uid in SDK sandbox ("
                            + realCallingUid + ") has visible (non-toast) window.");
                }
                return false;
            }
        }

        // Legacy behavior allows to use caller foreground state to bypass BAL restriction.
        final boolean balAllowedByPiSender =
                PendingIntentRecord.isPendingIntentBalAllowedByCaller(checkedOptions);
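Review bot: `Process.getAppUidForSdkSandboxUid(UserHandle.getAppId(realCallingUid))` appears to drop the user part of the uid before mapping it, so on a secondary user `hasActiveVisibleWindow` would be asked about the user-0 uid of the app rather than the app instance paired with this sandbox. If the mapping accepts a full uid, pass it through unchanged, `Process.getAppUidForSdkSandboxUid(realCallingUid)`; otherwise rebuild the uid with the caller's user id before the window check. Because this branch returns `false` (start allowed, per the debug message) ahead of the remaining checks, the uid it trusts has to be exactly the sandbox's own app. The debug message also reports the sandbox uid as having the visible window, although the test is made on the app uid. The method body continues outside the hunk.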
+11 −0
@@ -244,6 +244,7 @@ import com.android.internal.util.ArrayUtils;
import com.android.internal.util.FastPrintWriter;
import com.android.internal.util.FrameworkStatsLog;
import com.android.internal.util.function.pooled.PooledLambda;
import com.android.server.LocalManagerRegistry;
import com.android.server.LocalServices;
import com.android.server.SystemService;
import com.android.server.SystemServiceManager;
@@ -260,6 +261,7 @@ import com.android.server.am.UserState;
import com.android.server.firewall.IntentFirewall;
import com.android.server.pm.UserManagerService;
import com.android.server.policy.PermissionPolicyInternal;
import com.android.server.sdksandbox.SdkSandboxManagerLocal;
import com.android.server.statusbar.StatusBarManagerInternal;
import com.android.server.uri.NeededUriGrants;
import com.android.server.uri.UriGrantsManagerInternal;
@@ -1212,6 +1214,15 @@ public class ActivityTaskManagerService extends IActivityTaskManager.Stub {
            ProfilerInfo profilerInfo, Bundle bOptions, int userId, boolean validateIncomingUser) {
        assertPackageMatchesCallingUid(callingPackage);
        enforceNotIsolatedCaller("startActivityAsUser");
        if (Process.isSdkSandboxUid(Binder.getCallingUid())) {
            SdkSandboxManagerLocal sdkSandboxManagerLocal = LocalManagerRegistry.getManager(
                    SdkSandboxManagerLocal.class);
            if (sdkSandboxManagerLocal == null) {
                throw new IllegalStateException("SdkSandboxManagerLocal not found when starting"
                        + " an activity from an SDK sandbox uid.");
            }
            sdkSandboxManagerLocal.enforceAllowedToStartActivity(intent);
        }

        userId = getActivityStartController().checkTargetUser(userId, validateIncomingUser,
                Binder.getCallingPid(), Binder.getCallingUid(), "startActivityAsUser");
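Review bot: The sandbox restriction is enforced only in this `startActivityAsUser` overload; the other activity-start entry points of the class are not part of the diff, so it is worth confirming that none of them can be reached from a sandbox uid without passing `enforceAllowedToStartActivity`. The lookup-and-null-check sequence is also duplicated from the broadcast path in ActivityManagerService, and a small private helper that returns the manager or throws would keep the two fail-closed paths identical. A comment above the block, e.g. `// SDK sandbox callers may only start intents approved by SdkSandboxManagerLocal.`, would state the intent. The method's signature begins above the hunk.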
+1 −0
@@ -58,6 +58,7 @@ android_test {
        "hamcrest-library",
        "platform-compat-test-rules",
        "CtsSurfaceValidatorLib",
        "service-sdksandbox.impl",
    ],

    libs: [