Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d21447cc authored by Andrii Kulian's avatar Andrii Kulian
Browse files

Add Cross-UID ActivityEmbedding trust model APIs 

By default activity embedding should be restricted, and apps have to
opt in explicitly to allow other hosts to embed them. An app can
declare a list of known trusted embedding host certificates in
AndroidManifest for individual activities or entire application.
Alternatively, an app can allow embedding by all hosts in untrusted
mode. In this case interactions and operations that the client host
can perform on the embedded container will be limited to prevent
tapjacking and overlay attacks.

Bug: 197364677
Test: ActivityEmbeddingCrossUidTests
Change-Id: I78c303237fdc77bdf55bd74580ac0b19c8de622b
parent 8cb4fa9e

core/api/current.txt

+5 −0
Original line number Diff line number Diff line
@@ -341,6 +341,7 @@ package android { 
    field public static final int allowSingleTap = 16843353; // 0x1010259

    field public static final int allowTaskReparenting = 16843268; // 0x1010204

    field public static final int allowUndo = 16843999; // 0x10104df

    field public static final int allowUntrustedActivityEmbedding;

    field public static final int alpha = 16843551; // 0x101031f

    field public static final int alphabeticModifiers = 16844110; // 0x101054e

    field public static final int alphabeticShortcut = 16843235; // 0x10101e3
@@ -905,6 +906,7 @@ package android { 
    field public static final int keyboardNavigationCluster = 16844096; // 0x1010540

    field public static final int keycode = 16842949; // 0x10100c5

    field public static final int killAfterRestore = 16843420; // 0x101029c

    field public static final int knownActivityEmbeddingCerts;

    field public static final int knownCerts = 16844330; // 0x101062a

    field public static final int lStar = 16844359; // 0x1010647

    field public static final int label = 16842753; // 0x1010001
@@ -10966,6 +10968,7 @@ package android.content.pm { 
    ctor public ActivityInfo(android.content.pm.ActivityInfo);

    method public int describeContents();

    method public void dump(android.util.Printer, String);

    method @NonNull public java.util.Set<java.lang.String> getKnownActivityEmbeddingCerts();

    method public final int getThemeResource();

    field public static final int COLOR_MODE_DEFAULT = 0; // 0x0

    field public static final int COLOR_MODE_HDR = 2; // 0x2
@@ -10993,6 +10996,7 @@ package android.content.pm { 
    field public static final int DOCUMENT_LAUNCH_NEVER = 3; // 0x3

    field public static final int DOCUMENT_LAUNCH_NONE = 0; // 0x0

    field public static final int FLAG_ALLOW_TASK_REPARENTING = 64; // 0x40

    field public static final int FLAG_ALLOW_UNTRUSTED_ACTIVITY_EMBEDDING = 268435456; // 0x10000000

    field public static final int FLAG_ALWAYS_RETAIN_TASK_STATE = 8; // 0x8

    field public static final int FLAG_AUTO_REMOVE_FROM_RECENTS = 8192; // 0x2000

    field public static final int FLAG_CLEAR_TASK_ON_LAUNCH = 4; // 0x4
@@ -11082,6 +11086,7 @@ package android.content.pm { 
    method public void dump(android.util.Printer, String);

    method public static CharSequence getCategoryTitle(android.content.Context, int);

    method public int getGwpAsanMode();

    method @NonNull public java.util.Set<java.lang.String> getKnownActivityEmbeddingCerts();

    method public int getMemtagMode();

    method public int getNativeHeapZeroInitialized();

    method public int getRequestRawExternalStorageAccess();

core/java/android/content/pm/ActivityInfo.java

+61 −1
Original line number Diff line number Diff line
@@ -18,6 +18,8 @@ package android.content.pm; 


import android.annotation.FloatRange;

import android.annotation.IntDef;

import android.annotation.NonNull;

import android.annotation.Nullable;

import android.annotation.TestApi;

import android.app.Activity;

import android.app.compat.CompatChanges;
@@ -35,10 +37,16 @@ import android.os.Build; 
import android.os.Parcel;

import android.os.Parcelable;

import android.os.UserHandle;

import android.util.ArraySet;

import android.util.Printer;



import com.android.internal.util.Parcelling;



import java.lang.annotation.Retention;

import java.lang.annotation.RetentionPolicy;

import java.util.Collections;

import java.util.Locale;

import java.util.Set;



/**

 * Information you can retrieve about a particular application
@@ -48,6 +56,9 @@ import java.lang.annotation.RetentionPolicy; 
 */

public class ActivityInfo extends ComponentInfo implements Parcelable {



    private static final Parcelling.BuiltIn.ForStringSet sForStringSet =

            Parcelling.Cache.getOrCreate(Parcelling.BuiltIn.ForStringSet.class);



     // NOTE: When adding new data members be sure to update the copy-constructor, Parcel

     // constructor, and writeToParcel.
@@ -524,6 +535,13 @@ public class ActivityInfo extends ComponentInfo implements Parcelable { 
     */

    public static final int FLAG_PREFER_MINIMAL_POST_PROCESSING = 0x2000000;



    /**

     * Bit in {@link #flags}: If set, indicates that the activity can be embedded by untrusted

     * hosts. In this case the interactions with and visibility of the embedded activity may be

     * limited. Set from the {@link android.R.attr#allowUntrustedActivityEmbedding} attribute.

     */

    public static final int FLAG_ALLOW_UNTRUSTED_ACTIVITY_EMBEDDING = 0x10000000;



    /**

     * @hide Bit in {@link #flags}: If set, this component will only be seen

     * by the system user.  Only works with broadcast receivers.  Set from the
@@ -561,7 +579,8 @@ public class ActivityInfo extends ComponentInfo implements Parcelable { 
     * {@link #FLAG_STATE_NOT_NEEDED}, {@link #FLAG_EXCLUDE_FROM_RECENTS},

     * {@link #FLAG_ALLOW_TASK_REPARENTING}, {@link #FLAG_NO_HISTORY},

     * {@link #FLAG_FINISH_ON_CLOSE_SYSTEM_DIALOGS},

     * {@link #FLAG_HARDWARE_ACCELERATED}, {@link #FLAG_SINGLE_USER}.

     * {@link #FLAG_HARDWARE_ACCELERATED}, {@link #FLAG_SINGLE_USER},

     * {@link #FLAG_ALLOW_UNTRUSTED_ACTIVITY_EMBEDDING}.

     */

    public int flags;
@@ -1079,6 +1098,13 @@ public class ActivityInfo extends ComponentInfo implements Parcelable { 
    @EnabledSince(targetSdkVersion = Build.VERSION_CODES.S)

    private static final long CHECK_MIN_WIDTH_HEIGHT_FOR_MULTI_WINDOW = 197654537L;



    /**

     * Optional set of a certificates identifying apps that are allowed to embed this activity. From

     * the "knownActivityEmbeddingCerts" attribute.

     */

    @Nullable

    private Set<String> mKnownActivityEmbeddingCerts;



    /**

     * Convert Java change bits to native.

     *
@@ -1227,6 +1253,7 @@ public class ActivityInfo extends ComponentInfo implements Parcelable { 
        launchMode = orig.launchMode;

        documentLaunchMode = orig.documentLaunchMode;

        permission = orig.permission;

        mKnownActivityEmbeddingCerts = orig.mKnownActivityEmbeddingCerts;

        taskAffinity = orig.taskAffinity;

        targetActivity = orig.targetActivity;

        flags = orig.flags;
@@ -1442,6 +1469,31 @@ public class ActivityInfo extends ComponentInfo implements Parcelable { 
        return mMinAspectRatio;

    }



    /**

     * Gets the trusted host certificate digests of apps that are allowed to embed this activity.

     * The digests are computed using the SHA-256 digest algorithm.

     * @see android.R.attr#knownActivityEmbeddingCerts

     */

    @NonNull

    public Set<String> getKnownActivityEmbeddingCerts() {

        return mKnownActivityEmbeddingCerts == null ? Collections.emptySet()

                : mKnownActivityEmbeddingCerts;

    }



    /**

     * Sets the trusted host certificates of apps that are allowed to embed this activity.

     * @see #getKnownActivityEmbeddingCerts()

     * @hide

     */

    public void setKnownActivityEmbeddingCerts(@NonNull Set<String> knownActivityEmbeddingCerts) {

        // Convert the provided digest to upper case for consistent Set membership

        // checks when verifying the signing certificate digests of requesting apps.

        mKnownActivityEmbeddingCerts = new ArraySet<>();

        for (String knownCert : knownActivityEmbeddingCerts) {

            mKnownActivityEmbeddingCerts.add(knownCert.toUpperCase(Locale.US));

        }

    }



    private boolean isChangeEnabled(long changeId) {

        return CompatChanges.isChangeEnabled(changeId, applicationInfo.packageName,

                UserHandle.getUserHandleForUid(applicationInfo.uid));
@@ -1573,6 +1625,9 @@ public class ActivityInfo extends ComponentInfo implements Parcelable { 
        if (supportsSizeChanges) {

            pw.println(prefix + "supportsSizeChanges=true");

        }

        if (mKnownActivityEmbeddingCerts != null) {

            pw.println(prefix + "knownActivityEmbeddingCerts=" + mKnownActivityEmbeddingCerts);

        }

        super.dumpBack(pw, prefix, dumpFlags);

    }
@@ -1618,6 +1673,7 @@ public class ActivityInfo extends ComponentInfo implements Parcelable { 
        dest.writeFloat(mMaxAspectRatio);

        dest.writeFloat(mMinAspectRatio);

        dest.writeBoolean(supportsSizeChanges);

        sForStringSet.parcel(mKnownActivityEmbeddingCerts, dest, flags);

    }



    /**
@@ -1739,6 +1795,10 @@ public class ActivityInfo extends ComponentInfo implements Parcelable { 
        mMaxAspectRatio = source.readFloat();

        mMinAspectRatio = source.readFloat();

        supportsSizeChanges = source.readBoolean();

        mKnownActivityEmbeddingCerts = sForStringSet.unparcel(source);

        if (mKnownActivityEmbeddingCerts.isEmpty()) {

            mKnownActivityEmbeddingCerts = null;

        }

    }



    /**

core/java/android/content/pm/ApplicationInfo.java

+51 −1
Original line number Diff line number Diff line
@@ -35,6 +35,7 @@ import android.os.Parcelable; 
import android.os.UserHandle;

import android.os.storage.StorageManager;

import android.util.ArrayMap;

import android.util.ArraySet;

import android.util.Printer;

import android.util.SparseArray;

import android.util.proto.ProtoOutputStream;
@@ -52,7 +53,9 @@ import java.util.Arrays; 
import java.util.Collections;

import java.util.Comparator;

import java.util.List;

import java.util.Locale;

import java.util.Objects;

import java.util.Set;

import java.util.UUID;



/**
@@ -62,6 +65,8 @@ import java.util.UUID; 
 */

public class ApplicationInfo extends PackageItemInfo implements Parcelable {

    private static ForBoolean sForBoolean = Parcelling.Cache.getOrCreate(ForBoolean.class);

    private static final Parcelling.BuiltIn.ForStringSet sForStringSet =

            Parcelling.Cache.getOrCreate(Parcelling.BuiltIn.ForStringSet.class);



    /**

     * Default task affinity of all activities in this application. See
@@ -1550,6 +1555,13 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable { 
     */

    private int localeConfigRes;



    /**

     * Optional set of a certificates identifying apps that are allowed to embed activities of this

     * application. From the "knownActivityEmbeddingCerts" attribute.

     */

    @Nullable

    private Set<String> mKnownActivityEmbeddingCerts;



    public void dump(Printer pw, String prefix) {

        dump(pw, prefix, DUMP_FLAG_ALL);

    }
@@ -1673,6 +1685,9 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable { 
            }

        }

        pw.println(prefix + "createTimestamp=" + createTimestamp);

        if (mKnownActivityEmbeddingCerts != null) {

            pw.println(prefix + "knownActivityEmbeddingCerts=" + mKnownActivityEmbeddingCerts);

        }

        super.dumpBack(pw, prefix);

    }
@@ -1787,6 +1802,11 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable { 
            }

            proto.end(detailToken);

        }

        if (!ArrayUtils.isEmpty(mKnownActivityEmbeddingCerts)) {

            for (String knownCert : mKnownActivityEmbeddingCerts) {

                proto.write(ApplicationInfoProto.KNOWN_ACTIVITY_EMBEDDING_CERTS, knownCert);

            }

        }

        proto.end(token);

    }
@@ -1837,6 +1857,7 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable { 
        super(orig);

        taskAffinity = orig.taskAffinity;

        permission = orig.permission;

        mKnownActivityEmbeddingCerts = orig.mKnownActivityEmbeddingCerts;

        processName = orig.processName;

        className = orig.className;

        theme = orig.theme;
@@ -2006,6 +2027,7 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable { 
            }

        }

        dest.writeInt(localeConfigRes);

        sForStringSet.parcel(mKnownActivityEmbeddingCerts, dest, flags);

    }



    public static final @android.annotation.NonNull Parcelable.Creator<ApplicationInfo> CREATOR
@@ -2102,6 +2124,10 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable { 
            }

        }

        localeConfigRes = source.readInt();

        mKnownActivityEmbeddingCerts = sForStringSet.unparcel(source);

        if (mKnownActivityEmbeddingCerts.isEmpty()) {

            mKnownActivityEmbeddingCerts = null;

        }

    }



    /**
@@ -2658,7 +2684,6 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable { 
        return localeConfigRes;

    }





    /**

     *  List of all shared libraries this application is linked against. This

     *  list will only be set if the {@link PackageManager#GET_SHARED_LIBRARY_FILES
@@ -2675,4 +2700,29 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable { 
        return sharedLibraryInfos;

    }



    /**

     * Gets the trusted host certificate digests of apps that are allowed to embed activities of

     * this application. The digests are computed using the SHA-256 digest algorithm.

     * @see android.R.attr#knownActivityEmbeddingCerts

     */

    @NonNull

    public Set<String> getKnownActivityEmbeddingCerts() {

        return mKnownActivityEmbeddingCerts == null ? Collections.emptySet()

                : mKnownActivityEmbeddingCerts;

    }



    /**

     * Sets the trusted host certificates of apps that are allowed to embed activities of this

     * application.

     * @see #getKnownActivityEmbeddingCerts()

     * @hide

     */

    public void setKnownActivityEmbeddingCerts(@NonNull Set<String> knownActivityEmbeddingCerts) {

        // Convert the provided digest to upper case for consistent Set membership

        // checks when verifying the signing certificate digests of requesting apps.

        mKnownActivityEmbeddingCerts = new ArraySet<>();

        for (String knownCert : knownActivityEmbeddingCerts) {

            mKnownActivityEmbeddingCerts.add(knownCert.toUpperCase(Locale.US));

        }

    }

}

core/proto/android/content/package_item_info.proto

+1 −0
Original line number Diff line number Diff line
@@ -115,4 +115,5 @@ message ApplicationInfoProto { 
    }

    optional Detail detail = 17;

    repeated string overlay_paths = 18;

    repeated string known_activity_embedding_certs = 19;

}

core/res/res/values/attrs_manifest.xml

+23 −0
Original line number Diff line number Diff line
@@ -1048,6 +1048,24 @@ 
         <p>The default value of this attribute is <code>false</code>. -->

    <attr name="allowEmbedded" format="boolean" />



    <!-- A reference to an array resource containing the signing certificate digests, one of which a

         client is required to be signed with in order to embed the activity. If the client is not

         signed with one of the certificates in the set, and the activity does not allow embedding

         by untrusted hosts via {@link android.R.attr#allowUntrustedActivityEmbedding} flag, the

         embedding request will fail.

         <p>The digest should be computed over the DER encoding of the trusted certificate using the

         SHA-256 digest algorithm.

         <p>If only a single signer is declared this can also be a string resource, or the digest

         can be declared inline as the value for this attribute.

         <p>If the attribute is declared both on the application and the activity level, the value

         on the activity level takes precedence. -->

    <attr name="knownActivityEmbeddingCerts" format="reference|string" />



    <!-- Indicate that the activity can be embedded by untrusted hosts. In this case the

         interactions and visibility of the embedded activity may be limited.

         <p>The default value of this attribute is <code>false</code>. -->

    <attr name="allowUntrustedActivityEmbedding" format="boolean" />



    <!-- Specifies whether this {@link android.app.Activity} should be shown on

         top of the lock screen whenever the lockscreen is up and this activity has another

         activity behind it with the {@link android.R.attr#showWhenLocked} attribute set. That
@@ -2011,6 +2029,7 @@ 
             when the application's user data is cleared. The default value is false.

        -->

        <attr name="resetEnabledSettingsOnAppDataCleared" format="boolean" />

        <attr name="knownActivityEmbeddingCerts" />

    </declare-styleable>



    <!-- An attribution is a logical part of an app and is identified by a tag.
@@ -3033,6 +3052,8 @@ 
        <!-- Indicates whether the activity can be displayed on a remote device which may or

             may not be running Android. -->

        <attr name="canDisplayOnRemoteDevices" format="boolean"/>

        <attr name="allowUntrustedActivityEmbedding" />

        <attr name="knownActivityEmbeddingCerts" />

    </declare-styleable>



    <!-- The <code>activity-alias</code> tag declares a new
@@ -3073,6 +3094,8 @@ 
        <attr name="exported" />

        <attr name="parentActivityName" />

        <attr name="attributionTags" />

        <attr name="allowUntrustedActivityEmbedding" />

        <attr name="knownActivityEmbeddingCerts" />

    </declare-styleable>



    <!-- The <code>meta-data</code> tag is used to attach additional