Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a319aea9 authored by Felipe Leme's avatar Felipe Leme Committed by JP Sugarbroad
Browse files

Make sure apps cannot forge package name on AssistStructure used for Autofill. 

Test: cts-tradefed run commandAndExit cts-dev -m CtsAutoFillServiceTestCases -t android.autofillservice.cts.VirtualContainerActivityTest#testAppCannotFakePackageName
Test: cts-tradefed run commandAndExit cts-dev -m CtsAutoFillServiceTestCases

Bug: 69981710

Change-Id: Id6036cddb51dd8dd0c9128b7212d573f630d693f
Merged-In: Id6036cddb51dd8dd0c9128b7212d573f630d693f
(cherry picked from commit 23e61a90)
parent 37ff8b5f

core/java/android/app/assist/AssistStructure.java

+10 −0
Original line number Diff line number Diff line
@@ -2058,6 +2058,16 @@ public class AssistStructure implements Parcelable { 
        return mActivityComponent;

    }



    /**

     * Called by Autofill server when app forged a different value.

     *

     * @hide

     */

    public void setActivityComponent(ComponentName componentName) {

        ensureData();

        mActivityComponent = componentName;

    }



    /** @hide */

    public int getFlags() {

        return mFlags;

core/java/android/view/autofill/AutofillManager.java

+23 −3
Original line number Diff line number Diff line
@@ -24,6 +24,8 @@ import android.annotation.IntDef; 
import android.annotation.NonNull;

import android.annotation.Nullable;

import android.annotation.SystemService;

import android.app.Activity;

import android.content.ComponentName;

import android.content.Context;

import android.content.Intent;

import android.content.IntentSender;
@@ -44,6 +46,7 @@ import android.view.View; 
import com.android.internal.annotations.GuardedBy;

import com.android.internal.logging.MetricsLogger;

import com.android.internal.logging.nano.MetricsProto.MetricsEvent;

import com.android.internal.util.Preconditions;



import java.io.PrintWriter;

import java.lang.annotation.Retention;
@@ -390,7 +393,7 @@ public final class AutofillManager { 
     * @hide

     */

    public AutofillManager(Context context, IAutoFillManager service) {

        mContext = context;

        mContext = Preconditions.checkNotNull(context, "context cannot be null");

        mService = service;

    }
@@ -940,6 +943,13 @@ public final class AutofillManager { 
        return mContext.getAutofillClient();

    }



    private ComponentName getComponentNameFromContext() {

        if (mContext instanceof Activity) {

            return ((Activity) mContext).getComponentName();

        }

        return null;

    }



    /** @hide */

    public void onAuthenticationResult(int authenticationId, Intent data) {

        if (!hasAutofillFeature()) {
@@ -990,9 +1000,14 @@ public final class AutofillManager { 
            return;

        }

        try {

            final ComponentName componentName = getComponentNameFromContext();

            if (componentName == null) {

                Log.w(TAG, "startSessionLocked(): context is not activity: " + mContext);

                return;

            }

            mSessionId = mService.startSession(mContext.getActivityToken(),

                    mServiceClient.asBinder(), id, bounds, value, mContext.getUserId(),

                    mCallback != null, flags, mContext.getOpPackageName());

                    mCallback != null, flags, componentName);

            if (mSessionId != NO_SESSION) {

                mState = STATE_ACTIVE;

            }
@@ -1050,9 +1065,14 @@ public final class AutofillManager { 


        try {

            if (restartIfNecessary) {

                final ComponentName componentName = getComponentNameFromContext();

                if (componentName == null) {

                    Log.w(TAG, "startSessionLocked(): context is not activity: " + mContext);

                    return;

                }

                final int newId = mService.updateOrRestartSession(mContext.getActivityToken(),

                        mServiceClient.asBinder(), id, bounds, value, mContext.getUserId(),

                        mCallback != null, flags, mContext.getOpPackageName(), mSessionId, action);

                        mCallback != null, flags, componentName, mSessionId, action);

                if (newId != mSessionId) {

                    if (sDebug) Log.d(TAG, "Session restarted: " + mSessionId + "=>" + newId);

                    mSessionId = newId;

core/java/android/view/autofill/IAutoFillManager.aidl

+4 −2
Original line number Diff line number Diff line
@@ -16,6 +16,7 @@ 


package android.view.autofill;



import android.content.ComponentName;

import android.graphics.Rect;

import android.os.Bundle;

import android.os.IBinder;
@@ -34,14 +35,15 @@ interface IAutoFillManager { 
    int addClient(in IAutoFillManagerClient client, int userId);

    int startSession(IBinder activityToken, in IBinder appCallback, in AutofillId autoFillId,

            in Rect bounds, in AutofillValue value, int userId, boolean hasCallback, int flags,

            String packageName);

            in ComponentName componentName);

    FillEventHistory getFillEventHistory();

    boolean restoreSession(int sessionId, in IBinder activityToken, in IBinder appCallback);

    void updateSession(int sessionId, in AutofillId id, in Rect bounds,

            in AutofillValue value, int action, int flags, int userId);

    int updateOrRestartSession(IBinder activityToken, in IBinder appCallback,

            in AutofillId autoFillId, in Rect bounds, in AutofillValue value, int userId,

            boolean hasCallback, int flags, String packageName, int sessionId, int action);

            boolean hasCallback, int flags, in ComponentName componentName, int sessionId,

            int action);

    void finishSession(int sessionId, int userId);

    void cancelSession(int sessionId, int userId);

    void setAuthenticationResult(in Bundle data, int sessionId, int authenticationId, int userId);

proto/src/metrics_constants.proto

+13 −0
Original line number Diff line number Diff line
@@ -4006,6 +4006,19 @@ message MetricsEvent { 
    // OS: O

    FIELD_NOTIFICATION_GROUP_SUMMARY = 947;



    // An app attempted to forge a different component name in the AssisStructure that would be

    // passed to the autofill service.

    // OS: O (security patch)

    // Package: Real package of the app being autofilled

    // Tag FIELD_AUTOFILL_SERVICE: Package of the autofill service that processed the request

    // TAG FIELD_AUTOFILL_FORGED_COMPONENT_NAME: Component name being forged

    AUTOFILL_FORGED_COMPONENT_ATTEMPT = 948;



    // FIELD - The component that an app tried tro forged.

    // Type: string

    // OS: O (security patch)

    FIELD_AUTOFILL_FORGED_COMPONENT_NAME = 949;



    // ---- End O Constants, all O constants go above this line ----



    // OPEN: Settings > System > Languages & input > Advanced > Lift to open camera

services/autofill/java/com/android/server/autofill/AutofillManagerService.java

+8 −6
Original line number Diff line number Diff line
@@ -533,25 +533,26 @@ public final class AutofillManagerService extends SystemService { 
        @Override

        public int startSession(IBinder activityToken, IBinder appCallback, AutofillId autofillId,

                Rect bounds, AutofillValue value, int userId, boolean hasCallback, int flags,

                String packageName) {

                ComponentName componentName) {



            activityToken = Preconditions.checkNotNull(activityToken, "activityToken");

            appCallback = Preconditions.checkNotNull(appCallback, "appCallback");

            autofillId = Preconditions.checkNotNull(autofillId, "autoFillId");

            packageName = Preconditions.checkNotNull(packageName, "packageName");

            componentName = Preconditions.checkNotNull(componentName, "componentName");

            final String packageName = Preconditions.checkNotNull(componentName.getPackageName());



            Preconditions.checkArgument(userId == UserHandle.getUserId(getCallingUid()), "userId");



            try {

                mContext.getPackageManager().getPackageInfoAsUser(packageName, 0, userId);

            } catch (PackageManager.NameNotFoundException e) {

                throw new IllegalArgumentException(packageName + " is not a valid package", e);

                throw new IllegalArgumentException(componentName + " is not a valid package", e);

            }



            synchronized (mLock) {

                final AutofillManagerServiceImpl service = getServiceForUserLocked(userId);

                return service.startSessionLocked(activityToken, getCallingUid(), appCallback,

                        autofillId, bounds, value, hasCallback, flags, packageName);

                        autofillId, bounds, value, hasCallback, flags, componentName);

            }

        }
@@ -603,7 +604,8 @@ public final class AutofillManagerService extends SystemService { 
        @Override

        public int updateOrRestartSession(IBinder activityToken, IBinder appCallback,

                AutofillId autoFillId, Rect bounds, AutofillValue value, int userId,

                boolean hasCallback, int flags, String packageName, int sessionId, int action) {

                boolean hasCallback, int flags, ComponentName componentName, int sessionId,

                int action) {

            boolean restart = false;

            synchronized (mLock) {

                final AutofillManagerServiceImpl service = peekServiceForUserLocked(userId);
@@ -614,7 +616,7 @@ public final class AutofillManagerService extends SystemService { 
            }

            if (restart) {

                return startSession(activityToken, appCallback, autoFillId, bounds, value, userId,

                        hasCallback, flags, packageName);

                        hasCallback, flags, componentName);

            }



            // Nothing changed...