
Commit ad1e5ce6 authored by Jeff Chang's avatar Jeff Chang Committed by mse1969

Only allow system and same app to apply relinquishTaskIdentity

Any malicious application could hijack tasks by using
android:relinquishTaskIdentity. This vulnerability can be used for UI
spoofing or to spy on the user's activities.

This CL limits the usage so that only the system and the same app are
allowed to apply relinquishTaskIdentity.

Bug: 185810717
Test: atest IntentTests
      atest ActivityStarterTests
Change-Id: I55fe8938cd9a0dd7c0268e1cfec89d4e95eee049
(cherry picked from commit cd1f9e72)
Merged-In: I55fe8938cd9a0dd7c0268e1cfec89d4e95eee049
parent 851704d4
+39 −11
@@ -40,6 +40,7 @@ import android.graphics.Point;
import android.graphics.Rect;
import android.os.Debug;
import android.os.ParcelFileDescriptor;
import android.os.Process;
import android.os.RemoteException;
import android.os.Trace;
import android.os.UserHandle;
@@ -190,6 +191,11 @@ final class TaskRecord extends ConfigurationContainer implements TaskWindowConta
    // Do not move the stack as a part of reparenting
    public static final int REPARENT_LEAVE_STACK_IN_PLACE = 2;

    /**
     * Used to identify if the activity that is installed from device's system image.
     */
    boolean mIsEffectivelySystemApp;

    final int taskId;       // Unique identifier for this task.
    String affinity;        // The affinity name for this task, or null; may change identity.
    String rootAffinity;    // Initial base affinity, or null; does not change from initial root.
@@ -791,16 +797,24 @@ final class TaskRecord extends ConfigurationContainer implements TaskWindowConta

    /** Sets the original intent, and the calling uid and package. */
    void setIntent(ActivityRecord r) {
        boolean updateIdentity = false;
        if (this.intent == null) {
            updateIdentity = true;
        } else if (!mNeverRelinquishIdentity) {
            updateIdentity = (effectiveUid == Process.SYSTEM_UID || mIsEffectivelySystemApp
                    || effectiveUid == r.info.applicationInfo.uid);
        }
        if (updateIdentity) {
            mCallingUid = r.launchedFromUid;
            mCallingPackage = r.launchedFromPackage;
            setIntent(r.intent, r.info);
        }
    }

    /** Sets the original intent, _without_ updating the calling uid or package. */
    private void setIntent(Intent _intent, ActivityInfo info) {
        if (intent == null) {
            mNeverRelinquishIdentity =
                    (info.flags & FLAG_RELINQUISH_TASK_IDENTITY) == 0;
            mNeverRelinquishIdentity = (info.flags & FLAG_RELINQUISH_TASK_IDENTITY) == 0;
        } else if (mNeverRelinquishIdentity) {
            return;
        }
@@ -813,6 +827,7 @@ final class TaskRecord extends ConfigurationContainer implements TaskWindowConta
            rootAffinity = affinity;
        }
        effectiveUid = info.applicationInfo.uid;
        mIsEffectivelySystemApp = info.applicationInfo.isSystemApp();
        stringName = null;

        if (info.targetActivity == null) {
@@ -1648,12 +1663,12 @@ final class TaskRecord extends ConfigurationContainer implements TaskWindowConta
        // utility activities.
        int activityNdx;
        final int numActivities = mActivities.size();
        final boolean relinquish = numActivities != 0 &&
                (mActivities.get(0).info.flags & FLAG_RELINQUISH_TASK_IDENTITY) != 0;
        for (activityNdx = Math.min(numActivities, 1); activityNdx < numActivities;
                ++activityNdx) {
        for (activityNdx = 0; activityNdx < numActivities; ++activityNdx) {
            final ActivityRecord r = mActivities.get(activityNdx);
            if (relinquish && (r.info.flags & FLAG_RELINQUISH_TASK_IDENTITY) == 0) {
            if ((r.info.flags & FLAG_RELINQUISH_TASK_IDENTITY) == 0
                    || (r.info.applicationInfo.uid != Process.SYSTEM_UID
                    && !r.info.applicationInfo.isSystemApp()
                    && r.info.applicationInfo.uid != effectiveUid)) {
                // This will be the top activity for determining taskDescription. Pre-inc to
                // overcome initial decrement below.
                ++activityNdx;
@@ -1711,15 +1726,28 @@ final class TaskRecord extends ConfigurationContainer implements TaskWindowConta
    int findEffectiveRootIndex() {
        int effectiveNdx = 0;
        final int topActivityNdx = mActivities.size() - 1;
        ActivityRecord root = null;
        for (int activityNdx = 0; activityNdx <= topActivityNdx; ++activityNdx) {
            final ActivityRecord r = mActivities.get(activityNdx);
            if (r.finishing) {
                continue;
            }
            effectiveNdx = activityNdx;
            if ((r.info.flags & FLAG_RELINQUISH_TASK_IDENTITY) == 0) {

            if (root == null) {
                // Set this as the candidate root since it isn't finishing.
                root = r;
                effectiveNdx = activityNdx;
            }
            final int uid = root == r ? effectiveUid : r.info.applicationInfo.uid;
            if ((root.info.flags & FLAG_RELINQUISH_TASK_IDENTITY) == 0
                || (root.info.applicationInfo.uid != Process.SYSTEM_UID
                    && !root.info.applicationInfo.isSystemApp()
                    && root.info.applicationInfo.uid != uid)) {
                break;
            }
            effectiveNdx = activityNdx;
            root = r;
        }
        return effectiveNdx;
    }
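Review bot: The rule for who may relinquish task identity is written out three times with different operands: `setIntent(ActivityRecord)` tests the task's cached `effectiveUid`/`mIsEffectivelySystemApp`, the task-description loop tests `r.info.applicationInfo` against `effectiveUid`, and `findEffectiveRootIndex()` tests `root.info.applicationInfo` against the next activity's uid. Because this predicate is the security boundary of the fix, it would be safer in one private helper whose body is `return uid == Process.SYSTEM_UID || isSystemApp || uid == otherUid;`, with a short comment at each call site naming which party is being trusted, so a later edit to one copy cannot silently diverge from the others. Separately, in the lines shown `mIsEffectivelySystemApp` is assigned only in `setIntent(Intent, ActivityInfo)`; if a task restored from persisted state does not pass through that path the field stays false, which fails closed but would change behaviour for system apps, so that is worth confirming. The method enclosing the task-description loop starts outside its hunk.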