Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 6de7a3a3 authored by TreeHugger Robot's avatar TreeHugger Robot Committed by Android (Google) Code Review
Browse files

Merge "Add calling package verification for ATM binder calls" into qt-r1-dev

parents d2b7ca5b fbc35b90

services/core/java/com/android/server/wm/ActivityStackSupervisor.java

+2 −1
Original line number Original line Diff line number Diff line
@@ -1202,7 +1202,8 @@ public class ActivityStackSupervisor implements RecentTasks.Callbacks { 
        final PackageInfo packageInfo;

        final PackageInfo packageInfo;

        try {

        try {

            packageInfo = mService.mContext.getPackageManager()

            packageInfo = mService.mContext.getPackageManager()

                    .getPackageInfo(callingPackage, PackageManager.GET_PERMISSIONS);

                    .getPackageInfoAsUser(callingPackage, PackageManager.GET_PERMISSIONS,

                            UserHandle.getUserId(callingUid));

        } catch (PackageManager.NameNotFoundException e) {

        } catch (PackageManager.NameNotFoundException e) {

            Slog.i(TAG, "Cannot find package info for " + callingPackage);

            Slog.i(TAG, "Cannot find package info for " + callingPackage);

            return ACTIVITY_RESTRICTION_NONE;

            return ACTIVITY_RESTRICTION_NONE;

services/core/java/com/android/server/wm/ActivityTaskManagerService.java

+28 −9
Original line number Original line Diff line number Diff line
@@ -1015,6 +1015,7 @@ public class ActivityTaskManagerService extends IActivityTaskManager.Stub { 
    public final int startActivities(IApplicationThread caller, String callingPackage,

    public final int startActivities(IApplicationThread caller, String callingPackage,

            Intent[] intents, String[] resolvedTypes, IBinder resultTo, Bundle bOptions,

            Intent[] intents, String[] resolvedTypes, IBinder resultTo, Bundle bOptions,

            int userId) {

            int userId) {

        assertPackageMatchesCallingUid(callingPackage);

        final String reason = "startActivities";

        final String reason = "startActivities";

        enforceNotIsolatedCaller(reason);

        enforceNotIsolatedCaller(reason);

        userId = handleIncomingUser(Binder.getCallingPid(), Binder.getCallingUid(), userId, reason);

        userId = handleIncomingUser(Binder.getCallingPid(), Binder.getCallingUid(), userId, reason);
@@ -1034,10 +1035,11 @@ public class ActivityTaskManagerService extends IActivityTaskManager.Stub { 
                true /*validateIncomingUser*/);

                true /*validateIncomingUser*/);

    }

    }





    int startActivityAsUser(IApplicationThread caller, String callingPackage,

    private int startActivityAsUser(IApplicationThread caller, String callingPackage,

            Intent intent, String resolvedType, IBinder resultTo, String resultWho, int requestCode,

            Intent intent, String resolvedType, IBinder resultTo, String resultWho, int requestCode,

            int startFlags, ProfilerInfo profilerInfo, Bundle bOptions, int userId,

            int startFlags, ProfilerInfo profilerInfo, Bundle bOptions, int userId,

            boolean validateIncomingUser) {

            boolean validateIncomingUser) {

        assertPackageMatchesCallingUid(callingPackage);

        enforceNotIsolatedCaller("startActivityAsUser");

        enforceNotIsolatedCaller("startActivityAsUser");





        userId = getActivityStartController().checkTargetUser(userId, validateIncomingUser,

        userId = getActivityStartController().checkTargetUser(userId, validateIncomingUser,
@@ -1210,6 +1212,7 @@ public class ActivityTaskManagerService extends IActivityTaskManager.Stub { 
    public final WaitResult startActivityAndWait(IApplicationThread caller, String callingPackage,

    public final WaitResult startActivityAndWait(IApplicationThread caller, String callingPackage,

            Intent intent, String resolvedType, IBinder resultTo, String resultWho, int requestCode,

            Intent intent, String resolvedType, IBinder resultTo, String resultWho, int requestCode,

            int startFlags, ProfilerInfo profilerInfo, Bundle bOptions, int userId) {

            int startFlags, ProfilerInfo profilerInfo, Bundle bOptions, int userId) {

        assertPackageMatchesCallingUid(callingPackage);

        final WaitResult res = new WaitResult();

        final WaitResult res = new WaitResult();

        synchronized (mGlobalLock) {

        synchronized (mGlobalLock) {

            enforceNotIsolatedCaller("startActivityAndWait");

            enforceNotIsolatedCaller("startActivityAndWait");
@@ -1237,6 +1240,7 @@ public class ActivityTaskManagerService extends IActivityTaskManager.Stub { 
    public final int startActivityWithConfig(IApplicationThread caller, String callingPackage,

    public final int startActivityWithConfig(IApplicationThread caller, String callingPackage,

            Intent intent, String resolvedType, IBinder resultTo, String resultWho, int requestCode,

            Intent intent, String resolvedType, IBinder resultTo, String resultWho, int requestCode,

            int startFlags, Configuration config, Bundle bOptions, int userId) {

            int startFlags, Configuration config, Bundle bOptions, int userId) {

        assertPackageMatchesCallingUid(callingPackage);

        synchronized (mGlobalLock) {

        synchronized (mGlobalLock) {

            enforceNotIsolatedCaller("startActivityWithConfig");

            enforceNotIsolatedCaller("startActivityWithConfig");

            userId = handleIncomingUser(Binder.getCallingPid(), Binder.getCallingUid(), userId,

            userId = handleIncomingUser(Binder.getCallingPid(), Binder.getCallingUid(), userId,
@@ -1286,6 +1290,7 @@ public class ActivityTaskManagerService extends IActivityTaskManager.Stub { 
            Intent intent, String resolvedType, IBinder resultTo, String resultWho, int requestCode,

            Intent intent, String resolvedType, IBinder resultTo, String resultWho, int requestCode,

            int startFlags, ProfilerInfo profilerInfo, Bundle bOptions, IBinder permissionToken,

            int startFlags, ProfilerInfo profilerInfo, Bundle bOptions, IBinder permissionToken,

            boolean ignoreTargetSecurity, int userId) {

            boolean ignoreTargetSecurity, int userId) {

        assertPackageMatchesCallingUid(callingPackage);

        // This is very dangerous -- it allows you to perform a start activity (including

        // This is very dangerous -- it allows you to perform a start activity (including

        // permission grants) as any app that may launch one of your own activities.  So we only

        // permission grants) as any app that may launch one of your own activities.  So we only

        // allow this in two cases:

        // allow this in two cases:
@@ -1415,6 +1420,7 @@ public class ActivityTaskManagerService extends IActivityTaskManager.Stub { 
            Intent intent, String resolvedType, IVoiceInteractionSession session,

            Intent intent, String resolvedType, IVoiceInteractionSession session,

            IVoiceInteractor interactor, int startFlags, ProfilerInfo profilerInfo,

            IVoiceInteractor interactor, int startFlags, ProfilerInfo profilerInfo,

            Bundle bOptions, int userId) {

            Bundle bOptions, int userId) {

        assertPackageMatchesCallingUid(callingPackage);

        mAmInternal.enforceCallingPermission(BIND_VOICE_INTERACTION, "startVoiceActivity()");

        mAmInternal.enforceCallingPermission(BIND_VOICE_INTERACTION, "startVoiceActivity()");

        if (session == null || interactor == null) {

        if (session == null || interactor == null) {

            throw new NullPointerException("null session or interactor");

            throw new NullPointerException("null session or interactor");
@@ -1438,6 +1444,7 @@ public class ActivityTaskManagerService extends IActivityTaskManager.Stub { 
    @Override

    @Override

    public int startAssistantActivity(String callingPackage, int callingPid, int callingUid,

    public int startAssistantActivity(String callingPackage, int callingPid, int callingUid,

            Intent intent, String resolvedType, Bundle bOptions, int userId) {

            Intent intent, String resolvedType, Bundle bOptions, int userId) {

        assertPackageMatchesCallingUid(callingPackage);

        mAmInternal.enforceCallingPermission(BIND_VOICE_INTERACTION, "startAssistantActivity()");

        mAmInternal.enforceCallingPermission(BIND_VOICE_INTERACTION, "startAssistantActivity()");

        userId = handleIncomingUser(callingPid, callingUid, userId, "startAssistantActivity");

        userId = handleIncomingUser(callingPid, callingUid, userId, "startAssistantActivity");
@@ -2363,15 +2370,9 @@ public class ActivityTaskManagerService extends IActivityTaskManager.Stub { 
    void moveTaskToFrontLocked(@Nullable IApplicationThread appThread,

    void moveTaskToFrontLocked(@Nullable IApplicationThread appThread,

            @Nullable String callingPackage, int taskId, int flags, SafeActivityOptions options,

            @Nullable String callingPackage, int taskId, int flags, SafeActivityOptions options,

            boolean fromRecents) {

            boolean fromRecents) {



        final int callingPid = Binder.getCallingPid();

        final int callingPid = Binder.getCallingPid();

        final int callingUid = Binder.getCallingUid();

        final int callingUid = Binder.getCallingUid();

        if (!isSameApp(callingUid, callingPackage)) {

        assertPackageMatchesCallingUid(callingPackage);

            String msg = "Permission Denial: moveTaskToFrontLocked() from pid="

                    + Binder.getCallingPid() + " as package " + callingPackage;

            Slog.w(TAG, msg);

            throw new SecurityException(msg);

        }

        if (!checkAppSwitchAllowedLocked(callingPid, callingUid, -1, -1, "Task to front")) {

        if (!checkAppSwitchAllowedLocked(callingPid, callingUid, -1, -1, "Task to front")) {

            SafeActivityOptions.abort(options);

            SafeActivityOptions.abort(options);

            return;

            return;
@@ -2423,7 +2424,7 @@ public class ActivityTaskManagerService extends IActivityTaskManager.Stub { 
    /**

    /**

     * Return true if callingUid is system, or packageName belongs to that callingUid.

     * Return true if callingUid is system, or packageName belongs to that callingUid.

     */

     */

    boolean isSameApp(int callingUid, @Nullable String packageName) {

    private boolean isSameApp(int callingUid, @Nullable String packageName) {

        try {

        try {

            if (callingUid != 0 && callingUid != SYSTEM_UID) {

            if (callingUid != 0 && callingUid != SYSTEM_UID) {

                if (packageName == null) {

                if (packageName == null) {
@@ -2440,6 +2441,21 @@ public class ActivityTaskManagerService extends IActivityTaskManager.Stub { 
        return true;

        return true;

    }

    }





    /**

     * Checks that the provided package name matches the current calling UID, throws a security

     * exception if it doesn't.

     */

    void assertPackageMatchesCallingUid(@Nullable String packageName) {

        final int callingUid = Binder.getCallingUid();

        if (isSameApp(callingUid, packageName)) {

            return;

        }

        final String msg = "Permission Denial: package=" + packageName

                + " does not belong to uid=" + callingUid;

        Slog.w(TAG, msg);

        throw new SecurityException(msg);

    }



    boolean checkAppSwitchAllowedLocked(int sourcePid, int sourceUid,

    boolean checkAppSwitchAllowedLocked(int sourcePid, int sourceUid,

            int callingPid, int callingUid, String name) {

            int callingPid, int callingUid, String name) {

        if (mAppSwitchesAllowedTime < SystemClock.uptimeMillis()) {

        if (mAppSwitchesAllowedTime < SystemClock.uptimeMillis()) {
@@ -2973,6 +2989,7 @@ public class ActivityTaskManagerService extends IActivityTaskManager.Stub { 
    @Override

    @Override

    public List<IBinder> getAppTasks(String callingPackage) {

    public List<IBinder> getAppTasks(String callingPackage) {

        int callingUid = Binder.getCallingUid();

        int callingUid = Binder.getCallingUid();

        assertPackageMatchesCallingUid(callingPackage);

        long ident = Binder.clearCallingIdentity();

        long ident = Binder.clearCallingIdentity();

        try {

        try {

            synchronized (mGlobalLock) {

            synchronized (mGlobalLock) {
@@ -6193,6 +6210,7 @@ public class ActivityTaskManagerService extends IActivityTaskManager.Stub { 
                SafeActivityOptions options, int userId, boolean validateIncomingUser,

                SafeActivityOptions options, int userId, boolean validateIncomingUser,

                PendingIntentRecord originatingPendingIntent,

                PendingIntentRecord originatingPendingIntent,

                boolean allowBackgroundActivityStart) {

                boolean allowBackgroundActivityStart) {

            assertPackageMatchesCallingUid(callingPackage);

            synchronized (mGlobalLock) {

            synchronized (mGlobalLock) {

                return getActivityStartController().startActivitiesInPackage(uid, realCallingPid,

                return getActivityStartController().startActivitiesInPackage(uid, realCallingPid,

                        realCallingUid, callingPackage, intents, resolvedTypes, resultTo, options,

                        realCallingUid, callingPackage, intents, resolvedTypes, resultTo, options,
@@ -6208,6 +6226,7 @@ public class ActivityTaskManagerService extends IActivityTaskManager.Stub { 
                int userId, TaskRecord inTask, String reason, boolean validateIncomingUser,

                int userId, TaskRecord inTask, String reason, boolean validateIncomingUser,

                PendingIntentRecord originatingPendingIntent,

                PendingIntentRecord originatingPendingIntent,

                boolean allowBackgroundActivityStart) {

                boolean allowBackgroundActivityStart) {

            assertPackageMatchesCallingUid(callingPackage);

            synchronized (mGlobalLock) {

            synchronized (mGlobalLock) {

                return getActivityStartController().startActivityInPackage(uid, realCallingPid,

                return getActivityStartController().startActivityInPackage(uid, realCallingPid,

                        realCallingUid, callingPackage, intent, resolvedType, resultTo, resultWho,

                        realCallingUid, callingPackage, intent, resolvedType, resultTo, resultWho,

services/core/java/com/android/server/wm/AppTaskImpl.java

+2 −7
Original line number Original line Diff line number Diff line
@@ -27,7 +27,6 @@ import android.os.Binder; 
import android.os.Bundle;

import android.os.Bundle;

import android.os.IBinder;

import android.os.IBinder;

import android.os.UserHandle;

import android.os.UserHandle;

import android.util.Slog;





/**

/**

 * An implementation of IAppTask, that allows an app to manage its own tasks via

 * An implementation of IAppTask, that allows an app to manage its own tasks via
@@ -97,12 +96,7 @@ class AppTaskImpl extends IAppTask.Stub { 
        // Will bring task to front if it already has a root activity.

        // Will bring task to front if it already has a root activity.

        final int callingPid = Binder.getCallingPid();

        final int callingPid = Binder.getCallingPid();

        final int callingUid = Binder.getCallingUid();

        final int callingUid = Binder.getCallingUid();

        if (!mService.isSameApp(callingUid, callingPackage)) {

        mService.assertPackageMatchesCallingUid(callingPackage);

            String msg = "Permission Denial: moveToFront() from pid="

                    + Binder.getCallingPid() + " as package " + callingPackage;

            Slog.w(TAG, msg);

            throw new SecurityException(msg);

        }

        final long origId = Binder.clearCallingIdentity();

        final long origId = Binder.clearCallingIdentity();

        try {

        try {

            synchronized (mService.mGlobalLock) {

            synchronized (mService.mGlobalLock) {
@@ -134,6 +128,7 @@ class AppTaskImpl extends IAppTask.Stub { 
    public int startActivity(IBinder whoThread, String callingPackage,

    public int startActivity(IBinder whoThread, String callingPackage,

            Intent intent, String resolvedType, Bundle bOptions) {

            Intent intent, String resolvedType, Bundle bOptions) {

        checkCaller();

        checkCaller();

        mService.assertPackageMatchesCallingUid(callingPackage);





        int callingUser = UserHandle.getCallingUserId();

        int callingUser = UserHandle.getCallingUserId();

        TaskRecord tr;

        TaskRecord tr;