Add calling package verification for ATM binder calls

        final PackageInfo packageInfo;

        try {

            packageInfo = mService.mContext.getPackageManager()

                    .getPackageInfo(callingPackage, PackageManager.GET_PERMISSIONS);

                    .getPackageInfoAsUser(callingPackage, PackageManager.GET_PERMISSIONS,

                            UserHandle.getUserId(callingUid));

        } catch (PackageManager.NameNotFoundException e) {

            Slog.i(TAG, "Cannot find package info for " + callingPackage);

            return ACTIVITY_RESTRICTION_NONE;

    public final int startActivities(IApplicationThread caller, String callingPackage,

            Intent[] intents, String[] resolvedTypes, IBinder resultTo, Bundle bOptions,

            int userId) {

        assertPackageMatchesCallingUid(callingPackage);

        final String reason = "startActivities";

        enforceNotIsolatedCaller(reason);

        userId = handleIncomingUser(Binder.getCallingPid(), Binder.getCallingUid(), userId, reason);

                true /*validateIncomingUser*/);

    }

    int startActivityAsUser(IApplicationThread caller, String callingPackage,

    private int startActivityAsUser(IApplicationThread caller, String callingPackage,

            Intent intent, String resolvedType, IBinder resultTo, String resultWho, int requestCode,

            int startFlags, ProfilerInfo profilerInfo, Bundle bOptions, int userId,

            boolean validateIncomingUser) {

        assertPackageMatchesCallingUid(callingPackage);

        enforceNotIsolatedCaller("startActivityAsUser");

        userId = getActivityStartController().checkTargetUser(userId, validateIncomingUser,

    public final WaitResult startActivityAndWait(IApplicationThread caller, String callingPackage,

            Intent intent, String resolvedType, IBinder resultTo, String resultWho, int requestCode,

            int startFlags, ProfilerInfo profilerInfo, Bundle bOptions, int userId) {

        assertPackageMatchesCallingUid(callingPackage);

        final WaitResult res = new WaitResult();

        enforceNotIsolatedCaller("startActivityAndWait");

        userId = handleIncomingUser(Binder.getCallingPid(), Binder.getCallingUid(),

    public final int startActivityWithConfig(IApplicationThread caller, String callingPackage,

            Intent intent, String resolvedType, IBinder resultTo, String resultWho, int requestCode,

            int startFlags, Configuration config, Bundle bOptions, int userId) {

        assertPackageMatchesCallingUid(callingPackage);

        enforceNotIsolatedCaller("startActivityWithConfig");

        userId = handleIncomingUser(Binder.getCallingPid(), Binder.getCallingUid(), userId,

                "startActivityWithConfig");

            Intent intent, String resolvedType, IVoiceInteractionSession session,

            IVoiceInteractor interactor, int startFlags, ProfilerInfo profilerInfo,

            Bundle bOptions, int userId) {

        assertPackageMatchesCallingUid(callingPackage);

        mAmInternal.enforceCallingPermission(BIND_VOICE_INTERACTION, "startVoiceActivity()");

        if (session == null || interactor == null) {

            throw new NullPointerException("null session or interactor");

    @Override

    public int startAssistantActivity(String callingPackage, int callingPid, int callingUid,

            Intent intent, String resolvedType, Bundle bOptions, int userId) {

        assertPackageMatchesCallingUid(callingPackage);

        mAmInternal.enforceCallingPermission(BIND_VOICE_INTERACTION, "startAssistantActivity()");

        userId = handleIncomingUser(callingPid, callingUid, userId, "startAssistantActivity");

    void moveTaskToFrontLocked(@Nullable IApplicationThread appThread,

            @Nullable String callingPackage, int taskId, int flags, SafeActivityOptions options,

            boolean fromRecents) {

        final int callingPid = Binder.getCallingPid();

        final int callingUid = Binder.getCallingUid();

        if (!isSameApp(callingUid, callingPackage)) {

            String msg = "Permission Denial: moveTaskToFrontLocked() from pid="

                    + Binder.getCallingPid() + " as package " + callingPackage;

            Slog.w(TAG, msg);

            throw new SecurityException(msg);

        }

        assertPackageMatchesCallingUid(callingPackage);

        if (!checkAppSwitchAllowedLocked(callingPid, callingUid, -1, -1, "Task to front")) {

            SafeActivityOptions.abort(options);

            return;

    /**

     * Return true if callingUid is system, or packageName belongs to that callingUid.

     */

    boolean isSameApp(int callingUid, @Nullable String packageName) {

    private boolean isSameApp(int callingUid, @Nullable String packageName) {

        try {

            if (callingUid != 0 && callingUid != SYSTEM_UID) {

                if (packageName == null) {

        return true;

    }

    /**

     * Checks that the provided package name matches the current calling UID, throws a security

     * exception if it doesn't.

     */

    void assertPackageMatchesCallingUid(@Nullable String packageName) {

        final int callingUid = Binder.getCallingUid();

        if (isSameApp(callingUid, packageName)) {

            return;

        }

        final String msg = "Permission Denial: package=" + packageName

                + " does not belong to uid=" + callingUid;

        Slog.w(TAG, msg);

        throw new SecurityException(msg);

    }

    boolean checkAppSwitchAllowedLocked(int sourcePid, int sourceUid,

            int callingPid, int callingUid, String name) {

        if (mAppSwitchesAllowedTime < SystemClock.uptimeMillis()) {

    @Override

    public List<IBinder> getAppTasks(String callingPackage) {

        int callingUid = Binder.getCallingUid();

        assertPackageMatchesCallingUid(callingPackage);

        long ident = Binder.clearCallingIdentity();

        try {

            synchronized (mGlobalLock) {

                SafeActivityOptions options, int userId, boolean validateIncomingUser,

                PendingIntentRecord originatingPendingIntent,

                boolean allowBackgroundActivityStart) {

            assertPackageMatchesCallingUid(callingPackage);

            synchronized (mGlobalLock) {

                return getActivityStartController().startActivitiesInPackage(uid, realCallingPid,

                        realCallingUid, callingPackage, intents, resolvedTypes, resultTo, options,

                int userId, Task inTask, String reason, boolean validateIncomingUser,

                PendingIntentRecord originatingPendingIntent,

                boolean allowBackgroundActivityStart) {

            assertPackageMatchesCallingUid(callingPackage);

            synchronized (mGlobalLock) {

                return getActivityStartController().startActivityInPackage(uid, realCallingPid,

                        realCallingUid, callingPackage, intent, resolvedType, resultTo, resultWho,

import android.os.Bundle;

import android.os.IBinder;

import android.os.UserHandle;

import android.util.Slog;

/**

 * An implementation of IAppTask, that allows an app to manage its own tasks via

        // Will bring task to front if it already has a root activity.

        final int callingPid = Binder.getCallingPid();

        final int callingUid = Binder.getCallingUid();

        if (!mService.isSameApp(callingUid, callingPackage)) {

            String msg = "Permission Denial: moveToFront() from pid="

                    + Binder.getCallingPid() + " as package " + callingPackage;

            Slog.w(TAG, msg);

            throw new SecurityException(msg);

        }

        mService.assertPackageMatchesCallingUid(callingPackage);

        final long origId = Binder.clearCallingIdentity();

        try {

            synchronized (mService.mGlobalLock) {

    public int startActivity(IBinder whoThread, String callingPackage,

            Intent intent, String resolvedType, Bundle bOptions) {

        checkCaller();

        mService.assertPackageMatchesCallingUid(callingPackage);

        int callingUser = UserHandle.getCallingUserId();

        Task task;