Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a79b6ba5 authored by Christopher Tate's avatar Christopher Tate
Browse files

DO NOT MERGE - Kill apps outright for API contract violations 

...rather than relying on in-app code to perform the shutdown.

Backport of security fix.

Bug: 128649910
Bug: 140108616
Test: manual
Test: atest OsHostTests#testForegroundServiceBadNotification
Change-Id: I94d9de50bb03c33666471e3dbd9c721e9278f7cb
Merged-In: I94d9de50bb03c33666471e3dbd9c721e9278f7cb
parent 835e3a52

core/java/android/app/IActivityManager.aidl

+2 −1
Original line number Diff line number Diff line
@@ -278,7 +278,8 @@ interface IActivityManager { 
    boolean isImmersive(in IBinder token);

    void setImmersive(in IBinder token, boolean immersive);

    boolean isTopActivityImmersive();

    void crashApplication(int uid, int initialPid, in String packageName, int userId, in String message);

    void crashApplication(int uid, int initialPid, in String packageName, int userId,

            in String message, boolean force);

    String getProviderMimeType(in Uri uri, int userId);

    IBinder newUriPermissionOwner(in String name);

    void grantUriPermissionFromOwner(in IBinder owner, int fromUid, in String targetPkg,

services/core/java/com/android/server/am/ActiveServices.java

+10 −1
Original line number Diff line number Diff line
@@ -787,6 +787,15 @@ public final class ActiveServices { 
        }

    }



    void killMisbehavingService(ServiceRecord r,

            int appUid, int appPid, String localPackageName) {

        synchronized (mAm) {

            stopServiceLocked(r);

            mAm.crashApplication(appUid, appPid, localPackageName, -1,

                    "Bad notification for startForeground", true /*force*/);

        }

    }



    IBinder peekServiceLocked(Intent service, String resolvedType, String callingPackage) {

        ServiceLookupResult r = retrieveServiceLocked(service, resolvedType, callingPackage,

                Binder.getCallingPid(), Binder.getCallingUid(),
@@ -3655,7 +3664,7 @@ public final class ActiveServices { 
    void serviceForegroundCrash(ProcessRecord app, CharSequence serviceRecord) {

        mAm.crashApplication(app.uid, app.pid, app.info.packageName, app.userId,

                "Context.startForegroundService() did not then call Service.startForeground(): "

                    + serviceRecord);

                    + serviceRecord, false /*force*/);

    }



    void scheduleServiceTimeoutLocked(ProcessRecord proc) {

services/core/java/com/android/server/am/ActivityManagerService.java

+3 −2
Original line number Diff line number Diff line
@@ -5773,7 +5773,7 @@ public class ActivityManagerService extends IActivityManager.Stub 














    @Override















    public void crashApplication(int uid, int initialPid, String packageName, int userId,













            String message) {













            String message, boolean force) {















        if (checkCallingPermission(android.Manifest.permission.FORCE_STOP_PACKAGES)















                != PackageManager.PERMISSION_GRANTED) {















            String msg = "Permission Denial: crashApplication() from pid="









@@ -5785,7 +5785,8 @@ public class ActivityManagerService extends IActivityManager.Stub













        }





























        synchronized(this) {













            mAppErrors.scheduleAppCrashLocked(uid, initialPid, packageName, userId, message);













            mAppErrors.scheduleAppCrashLocked(uid, initialPid, packageName, userId,













                    message, force);















        }















    }







































services/core/java/com/android/server/am/ActivityManagerShellCommand.java



+1
−1




























Original line number
Diff line number
Diff line








@@ -987,7 +987,7 @@ final class ActivityManagerShellCommand extends ShellCommand {













        } catch (NumberFormatException e) {















            packageName = arg;















        }













        mInterface.crashApplication(-1, pid, packageName, userId, "shell-induced crash");













        mInterface.crashApplication(-1, pid, packageName, userId, "shell-induced crash", false);















        return 0;















    }

















































services/core/java/com/android/server/am/AppErrors.java



+19
−7




























Original line number
Diff line number
Diff line








@@ -314,20 +314,24 @@ class AppErrors {













    }































    void killAppAtUserRequestLocked(ProcessRecord app, Dialog fromDialog) {













        app.crashing = false;













        app.crashingReport = null;













        app.notResponding = false;













        app.notRespondingReport = null;















        if (app.anrDialog == fromDialog) {















            app.anrDialog = null;















        }















        if (app.waitDialog == fromDialog) {















            app.waitDialog = null;















        }













        killAppImmediateLocked(app, "user-terminated", "user request after error");













    }



























    private void killAppImmediateLocked(ProcessRecord app, String reason, String killReason) {













        app.crashing = false;













        app.crashingReport = null;













        app.notResponding = false;













        app.notRespondingReport = null;















        if (app.pid > 0 && app.pid != MY_PID) {













            handleAppCrashLocked(app, "user-terminated" /*reason*/,













            handleAppCrashLocked(app, reason,















                    null /*shortMsg*/, null /*longMsg*/, null /*stackTrace*/, null /*data*/);













            app.kill("user request after error", true);













            app.kill(killReason, true);















        }















    }

























@@ -341,7 +345,7 @@ class AppErrors {













     * @param message















     */















    void scheduleAppCrashLocked(int uid, int initialPid, String packageName, int userId,













            String message) {













            String message, boolean force) {















        ProcessRecord proc = null;































        // Figure out which process to kill.  We don't trust that initialPid










@@ -374,6 +378,14 @@ class AppErrors {













        }































        proc.scheduleCrash(message);













        if (force) {













            // If the app is responsive, the scheduled crash will happen as expected













            // and then the delayed summary kill will be a no-op.













            final ProcessRecord p = proc;













            mService.mHandler.postDelayed(













                    () -> killAppImmediateLocked(p, "forced", "killed for invalid state"),













                    5000L);













        }















    }































    /**