Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ae2aada9 authored by Felipe Leme's avatar Felipe Leme Committed by android-build-team Robot
Browse files

Make sure apps cannot forge package name on AssistStructure used for Autofill. 

Test: cts-tradefed run commandAndExit cts-dev -m CtsAutoFillServiceTestCases -t android.autofillservice.cts.VirtualContainerActivityTest#testAppCannotFakePackageName
Test: cts-tradefed run commandAndExit cts-dev -m CtsAutoFillServiceTestCases

Bug: 69981710

Change-Id: Id6036cddb51dd8dd0c9128b7212d573f630d693f
Merged-In: Id6036cddb51dd8dd0c9128b7212d573f630d693f
(cherry picked from commit 23e61a90)
parent 65ff5247

core/java/android/app/assist/AssistStructure.java

+10 −0
Original line number Diff line number Diff line
@@ -2058,6 +2058,16 @@ public class AssistStructure implements Parcelable { 
        return mActivityComponent;

    }



    /**

     * Called by Autofill server when app forged a different value.

     *

     * @hide

     */

    public void setActivityComponent(ComponentName componentName) {

        ensureData();

        mActivityComponent = componentName;

    }



    /** @hide */

    public int getFlags() {

        return mFlags;

core/java/android/view/autofill/AutofillManager.java

+23 −3
Original line number Diff line number Diff line
@@ -24,6 +24,8 @@ import android.annotation.IntDef; 
import android.annotation.NonNull;

import android.annotation.Nullable;

import android.annotation.SystemService;

import android.app.Activity;

import android.content.ComponentName;

import android.content.Context;

import android.content.Intent;

import android.content.IntentSender;
@@ -44,6 +46,7 @@ import android.view.View; 
import com.android.internal.annotations.GuardedBy;

import com.android.internal.logging.MetricsLogger;

import com.android.internal.logging.nano.MetricsProto.MetricsEvent;

import com.android.internal.util.Preconditions;



import java.io.PrintWriter;

import java.lang.annotation.Retention;
@@ -390,7 +393,7 @@ public final class AutofillManager { 
     * @hide

     */

    public AutofillManager(Context context, IAutoFillManager service) {

        mContext = context;

        mContext = Preconditions.checkNotNull(context, "context cannot be null");

        mService = service;

    }
@@ -940,6 +943,13 @@ public final class AutofillManager { 
        return mContext.getAutofillClient();

    }



    private ComponentName getComponentNameFromContext() {

        if (mContext instanceof Activity) {

            return ((Activity) mContext).getComponentName();

        }

        return null;

    }



    /** @hide */

    public void onAuthenticationResult(int authenticationId, Intent data) {

        if (!hasAutofillFeature()) {
@@ -990,9 +1000,14 @@ public final class AutofillManager { 
            return;

        }

        try {

            final ComponentName componentName = getComponentNameFromContext();

            if (componentName == null) {

                Log.w(TAG, "startSessionLocked(): context is not activity: " + mContext);

                return;

            }

            mSessionId = mService.startSession(mContext.getActivityToken(),

                    mServiceClient.asBinder(), id, bounds, value, mContext.getUserId(),

                    mCallback != null, flags, mContext.getOpPackageName());

                    mCallback != null, flags, componentName);

            if (mSessionId != NO_SESSION) {

                mState = STATE_ACTIVE;

            }
@@ -1050,9 +1065,14 @@ public final class AutofillManager { 


        try {

            if (restartIfNecessary) {

                final ComponentName componentName = getComponentNameFromContext();

                if (componentName == null) {

                    Log.w(TAG, "startSessionLocked(): context is not activity: " + mContext);

                    return;

                }

                final int newId = mService.updateOrRestartSession(mContext.getActivityToken(),

                        mServiceClient.asBinder(), id, bounds, value, mContext.getUserId(),

                        mCallback != null, flags, mContext.getOpPackageName(), mSessionId, action);

                        mCallback != null, flags, componentName, mSessionId, action);

                if (newId != mSessionId) {

                    if (sDebug) Log.d(TAG, "Session restarted: " + mSessionId + "=>" + newId);

                    mSessionId = newId;

core/java/android/view/autofill/IAutoFillManager.aidl

+4 −2
Original line number Diff line number Diff line
@@ -16,6 +16,7 @@ 


package android.view.autofill;



import android.content.ComponentName;

import android.graphics.Rect;

import android.os.Bundle;

import android.os.IBinder;
@@ -34,14 +35,15 @@ interface IAutoFillManager { 
    int addClient(in IAutoFillManagerClient client, int userId);

    int startSession(IBinder activityToken, in IBinder appCallback, in AutofillId autoFillId,

            in Rect bounds, in AutofillValue value, int userId, boolean hasCallback, int flags,

            String packageName);

            in ComponentName componentName);

    FillEventHistory getFillEventHistory();

    boolean restoreSession(int sessionId, in IBinder activityToken, in IBinder appCallback);

    void updateSession(int sessionId, in AutofillId id, in Rect bounds,

            in AutofillValue value, int action, int flags, int userId);

    int updateOrRestartSession(IBinder activityToken, in IBinder appCallback,

            in AutofillId autoFillId, in Rect bounds, in AutofillValue value, int userId,

            boolean hasCallback, int flags, String packageName, int sessionId, int action);

            boolean hasCallback, int flags, in ComponentName componentName, int sessionId,

            int action);

    void finishSession(int sessionId, int userId);

    void cancelSession(int sessionId, int userId);

    void setAuthenticationResult(in Bundle data, int sessionId, int authenticationId, int userId);

proto/src/metrics_constants.proto

+13 −0
Original line number Diff line number Diff line
@@ -4006,6 +4006,19 @@ message MetricsEvent { 
    // OS: O

    FIELD_NOTIFICATION_GROUP_SUMMARY = 947;



    // An app attempted to forge a different component name in the AssisStructure that would be

    // passed to the autofill service.

    // OS: O (security patch)

    // Package: Real package of the app being autofilled

    // Tag FIELD_AUTOFILL_SERVICE: Package of the autofill service that processed the request

    // TAG FIELD_AUTOFILL_FORGED_COMPONENT_NAME: Component name being forged

    AUTOFILL_FORGED_COMPONENT_ATTEMPT = 948;



    // FIELD - The component that an app tried tro forged.

    // Type: string

    // OS: O (security patch)

    FIELD_AUTOFILL_FORGED_COMPONENT_NAME = 949;



    // ---- End O Constants, all O constants go above this line ----



    // OPEN: Settings > System > Languages & input > Advanced > Lift to open camera

services/autofill/java/com/android/server/autofill/AutofillManagerService.java

+8 −6
Original line number Diff line number Diff line
@@ -533,25 +533,26 @@ public final class AutofillManagerService extends SystemService { 
        @Override

        public int startSession(IBinder activityToken, IBinder appCallback, AutofillId autofillId,

                Rect bounds, AutofillValue value, int userId, boolean hasCallback, int flags,

                String packageName) {

                ComponentName componentName) {



            activityToken = Preconditions.checkNotNull(activityToken, "activityToken");

            appCallback = Preconditions.checkNotNull(appCallback, "appCallback");

            autofillId = Preconditions.checkNotNull(autofillId, "autoFillId");

            packageName = Preconditions.checkNotNull(packageName, "packageName");

            componentName = Preconditions.checkNotNull(componentName, "componentName");

            final String packageName = Preconditions.checkNotNull(componentName.getPackageName());



            Preconditions.checkArgument(userId == UserHandle.getUserId(getCallingUid()), "userId");



            try {

                mContext.getPackageManager().getPackageInfoAsUser(packageName, 0, userId);

            } catch (PackageManager.NameNotFoundException e) {

                throw new IllegalArgumentException(packageName + " is not a valid package", e);

                throw new IllegalArgumentException(componentName + " is not a valid package", e);

            }



            synchronized (mLock) {

                final AutofillManagerServiceImpl service = getServiceForUserLocked(userId);

                return service.startSessionLocked(activityToken, getCallingUid(), appCallback,

                        autofillId, bounds, value, hasCallback, flags, packageName);

                        autofillId, bounds, value, hasCallback, flags, componentName);

            }

        }
@@ -603,7 +604,8 @@ public final class AutofillManagerService extends SystemService { 
        @Override

        public int updateOrRestartSession(IBinder activityToken, IBinder appCallback,

                AutofillId autoFillId, Rect bounds, AutofillValue value, int userId,

                boolean hasCallback, int flags, String packageName, int sessionId, int action) {

                boolean hasCallback, int flags, ComponentName componentName, int sessionId,

                int action) {

            boolean restart = false;

            synchronized (mLock) {

                final AutofillManagerServiceImpl service = peekServiceForUserLocked(userId);
@@ -614,7 +616,7 @@ public final class AutofillManagerService extends SystemService { 
            }

            if (restart) {

                return startSession(activityToken, appCallback, autoFillId, bounds, value, userId,

                        hasCallback, flags, packageName);

                        hasCallback, flags, componentName);

            }



            // Nothing changed...