Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 6c418d58 authored by Dianne Hackborn's avatar Dianne Hackborn
Browse files

Fix issue #4902856: Don't let apps register non-explicit PendingIntents 

Location manager now checks for such intents, and logs a warning when
they are given to it.  Nothing thrown yet, it needs to check the
targetSdkVersion of the caller somehow.

When sending the pending intent, we require that the recipient hold the
appropriate permission.  This should pretty much close the security hole.

Includes a bunch of infrastructure in the activity manager needed to
support all this.

Change-Id: I4dba7a98a7b8bbb9e347666451aa9cb1efad1848
parent 04deb7bb

core/java/android/app/ActivityManagerNative.java

+27 −2
Original line number Diff line number Diff line
@@ -251,12 +251,13 @@ public abstract class ActivityManagerNative extends Binder implements IActivityM 
            IBinder b = data.readStrongBinder();

            IApplicationThread app =

                b != null ? ApplicationThreadNative.asInterface(b) : null;

            String packageName = data.readString();

            b = data.readStrongBinder();

            IIntentReceiver rec

                = b != null ? IIntentReceiver.Stub.asInterface(b) : null;

            IntentFilter filter = IntentFilter.CREATOR.createFromParcel(data);

            String perm = data.readString();

            Intent intent = registerReceiver(app, rec, filter, perm);

            Intent intent = registerReceiver(app, packageName, rec, filter, perm);

            reply.writeNoException();

            if (intent != null) {

                reply.writeInt(1);
@@ -1503,6 +1504,16 @@ public abstract class ActivityManagerNative extends Binder implements IActivityM 
            return true;

        }



        case IS_INTENT_SENDER_TARGETED_TO_PACKAGE_TRANSACTION: {

            data.enforceInterface(IActivityManager.descriptor);

            IIntentSender r = IIntentSender.Stub.asInterface(

                data.readStrongBinder());

            boolean res = isIntentSenderTargetedToPackage(r);

            reply.writeNoException();

            reply.writeInt(res ? 1 : 0);

            return true;

        }



        }



        return super.onTransact(code, data, reply, flags);
@@ -1702,7 +1713,7 @@ class ActivityManagerProxy implements IActivityManager 
        reply.recycle();

        return res;

    }

    public Intent registerReceiver(IApplicationThread caller,

    public Intent registerReceiver(IApplicationThread caller, String packageName,

            IIntentReceiver receiver,

            IntentFilter filter, String perm) throws RemoteException

    {
@@ -1710,6 +1721,7 @@ class ActivityManagerProxy implements IActivityManager 
        Parcel reply = Parcel.obtain();

        data.writeInterfaceToken(IActivityManager.descriptor);

        data.writeStrongBinder(caller != null ? caller.asBinder() : null);

        data.writeString(packageName);

        data.writeStrongBinder(receiver != null ? receiver.asBinder() : null);

        filter.writeToParcel(data, 0);

        data.writeString(perm);
@@ -3385,5 +3397,18 @@ class ActivityManagerProxy implements IActivityManager 
        reply.recycle();

    }



    public boolean isIntentSenderTargetedToPackage(IIntentSender sender) throws RemoteException {

        Parcel data = Parcel.obtain();

        Parcel reply = Parcel.obtain();

        data.writeInterfaceToken(IActivityManager.descriptor);

        data.writeStrongBinder(sender.asBinder());

        mRemote.transact(IS_INTENT_SENDER_TARGETED_TO_PACKAGE_TRANSACTION, data, reply, 0);

        reply.readException();

        boolean res = reply.readInt() != 0;

        data.recycle();

        reply.recycle();

        return res;

    }



    private IBinder mRemote;

}

core/java/android/app/ContextImpl.java

+8 −6
Original line number Diff line number Diff line
@@ -61,7 +61,6 @@ import android.net.wifi.IWifiManager; 
import android.net.wifi.WifiManager;

import android.nfc.NfcManager;

import android.os.Binder;

import android.os.Build;

import android.os.Bundle;

import android.os.DropBoxManager;

import android.os.Environment;
@@ -81,7 +80,6 @@ import android.content.ClipboardManager; 
import android.util.AndroidRuntimeException;

import android.util.Log;

import android.view.ContextThemeWrapper;

import android.view.Display;

import android.view.WindowManagerImpl;

import android.view.accessibility.AccessibilityManager;

import android.view.inputmethod.InputMethodManager;
@@ -142,6 +140,7 @@ class ContextImpl extends Context { 
            new HashMap<String, SharedPreferencesImpl>();



    /*package*/ LoadedApk mPackageInfo;

    private String mBasePackageName;

    private Resources mResources;

    /*package*/ ActivityThread mMainThread;

    private Context mOuterContext;
@@ -1030,7 +1029,7 @@ class ContextImpl extends Context { 
        }

        try {

            return ActivityManagerNative.getDefault().registerReceiver(

                    mMainThread.getApplicationThread(),

                    mMainThread.getApplicationThread(), mBasePackageName,

                    rd, filter, broadcastPermission);

        } catch (RemoteException e) {

            return null;
@@ -1397,7 +1396,7 @@ class ContextImpl extends Context { 
        if (pi != null) {

            ContextImpl c = new ContextImpl();

            c.mRestricted = (flags & CONTEXT_RESTRICTED) == CONTEXT_RESTRICTED;

            c.init(pi, null, mMainThread, mResources);

            c.init(pi, null, mMainThread, mResources, mBasePackageName);

            if (c.mResources != null) {

                return c;

            }
@@ -1450,6 +1449,7 @@ class ContextImpl extends Context { 
     */

    public ContextImpl(ContextImpl context) {

        mPackageInfo = context.mPackageInfo;

        mBasePackageName = context.mBasePackageName;

        mResources = context.mResources;

        mMainThread = context.mMainThread;

        mContentResolver = context.mContentResolver;
@@ -1458,13 +1458,14 @@ class ContextImpl extends Context { 


    final void init(LoadedApk packageInfo,

            IBinder activityToken, ActivityThread mainThread) {

        init(packageInfo, activityToken, mainThread, null);

        init(packageInfo, activityToken, mainThread, null, null);

    }



    final void init(LoadedApk packageInfo,

                IBinder activityToken, ActivityThread mainThread,

                Resources container) {

                Resources container, String basePackageName) {

        mPackageInfo = packageInfo;

        mBasePackageName = basePackageName != null ? basePackageName : packageInfo.mPackageName;

        mResources = mPackageInfo.getResources(mainThread);



        if (mResources != null && container != null
@@ -1485,6 +1486,7 @@ class ContextImpl extends Context { 


    final void init(Resources resources, ActivityThread mainThread) {

        mPackageInfo = null;

        mBasePackageName = null;

        mResources = resources;

        mMainThread = mainThread;

        mContentResolver = new ApplicationContentResolver(this, mainThread);

core/java/android/app/IActivityManager.java

+4 −1
Original line number Diff line number Diff line
@@ -103,7 +103,7 @@ public interface IActivityManager extends IInterface { 
            throws RemoteException;

    public void finishSubActivity(IBinder token, String resultWho, int requestCode) throws RemoteException;

    public boolean willActivityBeVisible(IBinder token) throws RemoteException;

    public Intent registerReceiver(IApplicationThread caller,

    public Intent registerReceiver(IApplicationThread caller, String callerPackage,

            IIntentReceiver receiver, IntentFilter filter,

            String requiredPermission) throws RemoteException;

    public void unregisterReceiver(IIntentReceiver receiver) throws RemoteException;
@@ -361,6 +361,8 @@ public interface IActivityManager extends IInterface { 
    public void registerProcessObserver(IProcessObserver observer) throws RemoteException;

    public void unregisterProcessObserver(IProcessObserver observer) throws RemoteException;



    public boolean isIntentSenderTargetedToPackage(IIntentSender sender) throws RemoteException;



    /*

     * Private non-Binder interfaces

     */
@@ -587,4 +589,5 @@ public interface IActivityManager extends IInterface { 
    int REMOVE_TASK_TRANSACTION = IBinder.FIRST_CALL_TRANSACTION+131;

    int REGISTER_PROCESS_OBSERVER_TRANSACTION = IBinder.FIRST_CALL_TRANSACTION+132;

    int UNREGISTER_PROCESS_OBSERVER_TRANSACTION = IBinder.FIRST_CALL_TRANSACTION+133;

    int IS_INTENT_SENDER_TARGETED_TO_PACKAGE_TRANSACTION = IBinder.FIRST_CALL_TRANSACTION+134;

}

core/java/android/app/PendingIntent.java

+64 −6
Original line number Diff line number Diff line
@@ -365,7 +365,7 @@ public final class PendingIntent implements Parcelable { 
     * is no longer allowing more intents to be sent through it.

     */

    public void send() throws CanceledException {

        send(null, 0, null, null, null);

        send(null, 0, null, null, null, null);

    }



    /**
@@ -379,7 +379,7 @@ public final class PendingIntent implements Parcelable { 
     * is no longer allowing more intents to be sent through it.

     */

    public void send(int code) throws CanceledException {

        send(null, code, null, null, null);

        send(null, code, null, null, null, null);

    }



    /**
@@ -399,7 +399,7 @@ public final class PendingIntent implements Parcelable { 
     */

    public void send(Context context, int code, Intent intent)

            throws CanceledException {

        send(context, code, intent, null, null);

        send(context, code, intent, null, null, null);

    }



    /**
@@ -420,7 +420,7 @@ public final class PendingIntent implements Parcelable { 
     */

    public void send(int code, OnFinished onFinished, Handler handler)

            throws CanceledException {

        send(null, code, null, onFinished, handler);

        send(null, code, null, onFinished, handler, null);

    }



    /**
@@ -449,12 +449,55 @@ public final class PendingIntent implements Parcelable { 
     * @see #send(int)

     * @see #send(Context, int, Intent)

     * @see #send(int, android.app.PendingIntent.OnFinished, Handler)

     * @see #send(Context, int, Intent, OnFinished, Handler, String)

     *

     * @throws CanceledException Throws CanceledException if the PendingIntent

     * is no longer allowing more intents to be sent through it.

     */

    public void send(Context context, int code, Intent intent,

            OnFinished onFinished, Handler handler) throws CanceledException {

        send(context, code, intent, onFinished, handler, null);

    }



    /**

     * Perform the operation associated with this PendingIntent, allowing the

     * caller to specify information about the Intent to use and be notified

     * when the send has completed.

     *

     * <p>For the intent parameter, a PendingIntent

     * often has restrictions on which fields can be supplied here, based on

     * how the PendingIntent was retrieved in {@link #getActivity},

     * {@link #getBroadcast}, or {@link #getService}.

     *

     * @param context The Context of the caller.  This may be null if

     * <var>intent</var> is also null.

     * @param code Result code to supply back to the PendingIntent's target.

     * @param intent Additional Intent data.  See {@link Intent#fillIn

     * Intent.fillIn()} for information on how this is applied to the

     * original Intent.  Use null to not modify the original Intent.

     * @param onFinished The object to call back on when the send has

     * completed, or null for no callback.

     * @param handler Handler identifying the thread on which the callback

     * should happen.  If null, the callback will happen from the thread

     * pool of the process.

     * @param requiredPermission Name of permission that a recipient of the PendingIntent

     * is required to hold.  This is only valid for broadcast intents, and

     * corresponds to the permission argument in

     * {@link Context#sendBroadcast(Intent, String) Context.sendOrderedBroadcast(Intent, String)}.

     * If null, no permission is required.

     *

     * @see #send()

     * @see #send(int)

     * @see #send(Context, int, Intent)

     * @see #send(int, android.app.PendingIntent.OnFinished, Handler)

     * @see #send(Context, int, Intent, OnFinished, Handler)

     *

     * @throws CanceledException Throws CanceledException if the PendingIntent

     * is no longer allowing more intents to be sent through it.

     */

    public void send(Context context, int code, Intent intent,

            OnFinished onFinished, Handler handler, String requiredPermission)

            throws CanceledException {

        try {

            String resolvedType = intent != null ?

                    intent.resolveTypeIfNeeded(context.getContentResolver())
@@ -462,7 +505,8 @@ public final class PendingIntent implements Parcelable { 
            int res = mTarget.send(code, intent, resolvedType,

                    onFinished != null

                            ? new FinishedDispatcher(this, onFinished, handler)

                    : null);

                            : null,

                    requiredPermission);

            if (res < 0) {

                throw new CanceledException();

            }
@@ -490,6 +534,20 @@ public final class PendingIntent implements Parcelable { 
        }

    }



    /**

     * @hide

     * Check to verify that this PendingIntent targets a specific package.

     */

    public boolean isTargetedToPackage() {

        try {

            return ActivityManagerNative.getDefault()

                .isIntentSenderTargetedToPackage(mTarget);

        } catch (RemoteException e) {

            // Should never happen.

            return false;

        }

    }



    /**

     * Comparison operator on two PendingIntent objects, such that true

     * is returned then they both represent the same operation from the

core/java/android/content/Context.java

+12 −0
Original line number Diff line number Diff line
@@ -1029,6 +1029,12 @@ public abstract class Context { 
     *

     * <p>See {@link BroadcastReceiver} for more information on Intent broadcasts.

     *

     * <p>As of {@link android.os.Build.VERSION_CODES#ICE_CREAM_SANDWICH}, receivers

     * registered with this method will correctly respect the

     * {@link Intent#setPackage(String)} specified for an Intent being broadcast.

     * Prior to that, it would be ignored and delivered to all matching registered

     * receivers.  Be careful if using this for security.</p>

     *

     * <p class="note">Note: this method <em>cannot be called from a

     * {@link BroadcastReceiver} component;</em> that is, from a BroadcastReceiver

     * that is declared in an application's manifest.  It is okay, however, to call
@@ -1059,6 +1065,12 @@ public abstract class Context { 
     *

     * <p>See {@link BroadcastReceiver} for more information on Intent broadcasts.

     *

     * <p>As of {@link android.os.Build.VERSION_CODES#ICE_CREAM_SANDWICH}, receivers

     * registered with this method will correctly respect the

     * {@link Intent#setPackage(String)} specified for an Intent being broadcast.

     * Prior to that, it would be ignored and delivered to all matching registered

     * receivers.  Be careful if using this for security.</p>

     *

     * @param receiver The BroadcastReceiver to handle the broadcast.

     * @param filter Selects the Intent broadcasts to be received.

     * @param broadcastPermission String naming a permissions that a