
Commit efe9b964 authored by Achim Thesmann's avatar Achim Thesmann

Use real caller UID to determine if BAL privileges may be granted

Instead of the calling UID (the process that wrapped the broadcast in a `PendingIntent`), use the real calling UID (the process that actually sent the `PendingIntent`) to determine whether BAL (background activity launch) privileges may be granted.

The reasoning is that the real caller is also the one used in `PendingIntentRecord` to determine if the process is visible and the goal from a security perspective is that a process cannot grant a BAL token to itself.

Tests already exist in `BackgroundActivityLaunchTest` when the `balCheckBroadcastWhenDispatched` flag is enabled.

Test: atest BackgroundActivityLaunchTest
Flag: EXEMPT bugfix
Bug: 421197489
Bug: 422788436
Change-Id: I659d2fade206ea8435558f6cb3c626a932e76679
parent 4bbab50b
+8 −6
@@ -614,11 +614,13 @@ class BroadcastController {
                        sticky = broadcast.intent;
                    }
                    BroadcastQueue queue = mBroadcastQueue;
                    BroadcastRecord r = new BroadcastRecord(queue, broadcast.intent, null,
                            null, null, -1, -1, false, null, null, null, null, OP_NONE,
                    BroadcastRecord r = new BroadcastRecord(queue, broadcast.intent, null, null,
                            null, -1  /*callingPid*/, -1 /*callingUid*/, false, null, null, null,
                            null, OP_NONE,
                            BroadcastOptions.makeWithDeferUntilActive(broadcast.deferUntilActive),
                            receivers, null, null, 0, null, null, false, true, true, -1,
                            originalStickyCallingUid, BackgroundStartPrivileges.NONE,
                            receivers, null, null, 0, null, null, false, true, true, -1 /*userId*/,
                            originalStickyCallingUid, -1 /*realCallingPid*/,
                            BackgroundStartPrivileges.NONE,
                            false /* only PRE_BOOT_COMPLETED should be exempt, no stickies */,
                            null /* filterExtrasForReceiver */,
                            broadcast.originalCallingAppProcessState, mService.mPlatformCompat);
@@ -1665,8 +1667,8 @@ class BroadcastController {
            BroadcastRecord r = new BroadcastRecord(queue, intent, callerApp, callerPackage,
                    callerFeatureId, callingPid, callingUid, callerInstantApp, resolvedType,
                    requiredPermissions, excludedPermissions, excludedPackages, appOp, brOptions,
                    receivers, resultToApp, resultTo, resultCode, resultData, resultExtras,
                    ordered, sticky, false, userId,
                    receivers, resultToApp, resultTo, resultCode, resultData, resultExtras, ordered,
                    sticky, false, userId, -1 /* originalStickyCallingUid */, realCallingUid,
                    backgroundStartPrivileges, timeoutExempt, filterExtrasForReceiver,
                    callerAppProcessState, mService.mPlatformCompat);
            broadcastSentEventRecord.setBroadcastRecord(r);
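Review bot: The inline comment on the new sticky-path argument, `-1 /*realCallingPid*/`, mislabels the value: the parameter added to the BroadcastRecord constructor in this commit is `int realCallingUid`, so the line should read `originalStickyCallingUid, -1 /*realCallingUid*/,`. That -1 sentinel is harmless here only because the record is built with `BackgroundStartPrivileges.NONE`, which keeps it out of the self-send comparison in BroadcastQueueImpl; a short comment saying so would stop a later change to the privileges argument from silently defeating the check. In the second hunk `realCallingUid` is forwarded from the enclosing method, which starts outside the hunk, so where that value is obtained cannot be confirmed from this view.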
+1 −1
@@ -1151,7 +1151,7 @@ class BroadcastQueueImpl extends BroadcastQueue {
        }

        if (r.mBackgroundStartPrivileges.allowsAny()
                && (r.callingUid != app.uid || !balCheckBroadcastWhenDispatched())) {
                && (r.realCallingUid != app.uid || !balCheckBroadcastWhenDispatched())) {
            // allow the broadcast receiver potential privileges if it is not sent to itself
            app.addOrUpdateBackgroundStartPrivileges(r, r.mBackgroundStartPrivileges);

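Review bot: The guard now compares `r.realCallingUid` with `app.uid`, but the field is -1 for records built through the sticky re-dispatch path and through the delegating BroadcastRecord constructor, and -1 never equals a process UID, so the self-send check only has effect when a real UID was recorded. That is fine for stickies, whose privileges are NONE, but the intent comment below the condition should state the precondition: `// grant the receiver potential privileges only if the real sender (not the PendingIntent creator) is a different process; realCallingUid is -1 when unknown`. The enclosing method starts and ends outside the hunk.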
+7 −3
@@ -99,6 +99,7 @@ final class BroadcastRecord extends Binder {

    final int originalStickyCallingUid;
            // if this is a sticky broadcast, the Uid of the original sender
    final int realCallingUid; // the UID of the actual process triggering the broadcast
    final boolean callerInstantApp; // caller is an Instant App?
    final boolean callerInstrumented; // caller is being instrumented?
    final boolean ordered;  // serialize the send to receivers?
@@ -296,6 +297,7 @@ final class BroadcastRecord extends Binder {
                pw.print(callerApp != null ? callerApp.toShortString() : "null");
                pw.print(" pid="); pw.print(callingPid);
                pw.print(" uid="); pw.println(callingUid);
                pw.print(" realCallingUid="); pw.println(realCallingUid);
        if ((requiredPermissions != null && requiredPermissions.length > 0)
                || appOp != AppOpsManager.OP_NONE) {
            pw.print(prefix); pw.print("requiredPermissions=");
@@ -439,8 +441,8 @@ final class BroadcastRecord extends Binder {
                callingUid, callerInstantApp, resolvedType, requiredPermissions,
                excludedPermissions, excludedPackages, appOp, options, receivers, resultToApp,
                resultTo, resultCode, resultData, resultExtras, serialized, sticky,
                initialSticky, userId, -1, backgroundStartPrivileges, timeoutExempt,
                filterExtrasForReceiver, callerAppProcessState, platformCompat);
                initialSticky, userId, -1, -1, backgroundStartPrivileges,
                timeoutExempt, filterExtrasForReceiver, callerAppProcessState, platformCompat);
    }

    BroadcastRecord(BroadcastQueue _queue,
@@ -452,7 +454,7 @@ final class BroadcastRecord extends Binder {
            BroadcastOptions _options, List _receivers,
            ProcessRecord _resultToApp, IIntentReceiver _resultTo, int _resultCode,
            String _resultData, Bundle _resultExtras, boolean _serialized, boolean _sticky,
            boolean _initialSticky, int _userId, int originalStickyCallingUid,
            boolean _initialSticky, int _userId, int originalStickyCallingUid, int realCallingUid,
            @NonNull BackgroundStartPrivileges backgroundStartPrivileges,
            boolean timeoutExempt,
            @Nullable BiFunction<Integer, Bundle, Bundle> filterExtrasForReceiver,
@@ -508,6 +510,7 @@ final class BroadcastRecord extends Binder {
        shareIdentity = options != null && options.isShareIdentityEnabled();
        this.filterExtrasForReceiver = filterExtrasForReceiver;
        this.originalStickyCallingUid = originalStickyCallingUid;
        this.realCallingUid = realCallingUid;
    }

    /**
@@ -574,6 +577,7 @@ final class BroadcastRecord extends Binder {
        urgent = from.urgent;
        filterExtrasForReceiver = from.filterExtrasForReceiver;
        originalStickyCallingUid = from.originalStickyCallingUid;
        realCallingUid = from.realCallingUid;
    }

    /**
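Review bot: The delegating constructor in the third hunk defaults `realCallingUid` to -1 while it still receives `callingUid`, so any record built through it with privileges that `allowsAny()` bypasses the new self-send check in BroadcastQueueImpl, since -1 never equals a process UID. If that constructor has callers outside tests (not visible here), passing the known caller preserves the pre-change behaviour: `initialSticky, userId, -1 /* originalStickyCallingUid */, callingUid /* realCallingUid */, backgroundStartPrivileges,`. Independently, the field comment added in the first hunk should record the sentinel so readers of the check know it can be absent: `final int realCallingUid; // UID of the actual process triggering the broadcast, or -1 when unknown (sticky re-dispatch, delegating constructor)`.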