mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2025-01-07 21:57:58 -05:00
129 lines
5.6 KiB
Diff
129 lines
5.6 KiB
Diff
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|||
|
From: Jeff Chang <chengjeff@google.com>
|
|||
|
Date: Wed, 29 Sep 2021 16:49:00 +0800
|
|||
|
Subject: [PATCH] Only allow system and same app to apply
|
|||
|
relinquishTaskIdentity
|
|||
|
MIME-Version: 1.0
|
|||
|
Content-Type: text/plain; charset=UTF-8
|
|||
|
Content-Transfer-Encoding: 8bit
|
|||
|
|
|||
|
Any malicious application could hijack tasks by
|
|||
|
android:relinquishTaskIdentity. This vulnerability can perform UI
|
|||
|
spoofing or spy on user’s activities.
|
|||
|
|
|||
|
This CL limit the usage which only allow system and same app to apply
|
|||
|
relinquishTaskIdentity
|
|||
|
|
|||
|
Bug: 185810717
|
|||
|
Test: atest IntentTests
|
|||
|
atest ActivityStarterTests
|
|||
|
Change-Id: I55fe8938cd9a0dd7c0268e1cfec89d4e95eee049
|
|||
|
(cherry picked from commit cd1f9e72cf9752c9a31e990822ab34ae3d475fec)
|
|||
|
Merged-In: I55fe8938cd9a0dd7c0268e1cfec89d4e95eee049
|
|||
|
---
|
|||
|
.../com/android/server/am/TaskRecord.java | 48 +++++++++++++++----
|
|||
|
1 file changed, 38 insertions(+), 10 deletions(-)
|
|||
|
|
|||
|
diff --git a/services/core/java/com/android/server/am/TaskRecord.java b/services/core/java/com/android/server/am/TaskRecord.java
|
|||
|
index 3f6db990a5b5..1e64d9f8a5b5 100644
|
|||
|
--- a/services/core/java/com/android/server/am/TaskRecord.java
|
|||
|
+++ b/services/core/java/com/android/server/am/TaskRecord.java
|
|||
|
@@ -38,6 +38,7 @@ import android.graphics.Point;
|
|||
|
import android.graphics.Rect;
|
|||
|
import android.os.Debug;
|
|||
|
import android.os.ParcelFileDescriptor;
|
|||
|
+import android.os.Process;
|
|||
|
import android.os.RemoteException;
|
|||
|
import android.os.UserHandle;
|
|||
|
import android.provider.Settings;
|
|||
|
@@ -138,6 +139,11 @@ final class TaskRecord {
|
|||
|
static final int INVALID_TASK_ID = -1;
|
|||
|
static final int INVALID_MIN_SIZE = -1;
|
|||
|
|
|||
|
+ /**
|
|||
|
+ * Used to identify if the activity that is installed from device's system image.
|
|||
|
+ */
|
|||
|
+ boolean mIsEffectivelySystemApp;
|
|||
|
+
|
|||
|
final int taskId; // Unique identifier for this task.
|
|||
|
String affinity; // The affinity name for this task, or null; may change identity.
|
|||
|
String rootAffinity; // Initial base affinity, or null; does not change from initial root.
|
|||
|
@@ -389,9 +395,18 @@ final class TaskRecord {
|
|||
|
|
|||
|
/** Sets the original intent, and the calling uid and package. */
|
|||
|
void setIntent(ActivityRecord r) {
|
|||
|
- mCallingUid = r.launchedFromUid;
|
|||
|
- mCallingPackage = r.launchedFromPackage;
|
|||
|
- setIntent(r.intent, r.info);
|
|||
|
+ boolean updateIdentity = false;
|
|||
|
+ if (this.intent == null) {
|
|||
|
+ updateIdentity = true;
|
|||
|
+ } else if (!mNeverRelinquishIdentity) {
|
|||
|
+ updateIdentity = (effectiveUid == Process.SYSTEM_UID || mIsEffectivelySystemApp
|
|||
|
+ || effectiveUid == r.info.applicationInfo.uid);
|
|||
|
+ }
|
|||
|
+ if (updateIdentity) {
|
|||
|
+ mCallingUid = r.launchedFromUid;
|
|||
|
+ mCallingPackage = r.launchedFromPackage;
|
|||
|
+ setIntent(r.intent, r.info);
|
|||
|
+ }
|
|||
|
}
|
|||
|
|
|||
|
/** Sets the original intent, _without_ updating the calling uid or package. */
|
|||
|
@@ -411,6 +426,7 @@ final class TaskRecord {
|
|||
|
rootAffinity = affinity;
|
|||
|
}
|
|||
|
effectiveUid = info.applicationInfo.uid;
|
|||
|
+ mIsEffectivelySystemApp = info.applicationInfo.isSystemApp();
|
|||
|
stringName = null;
|
|||
|
|
|||
|
if (info.targetActivity == null) {
|
|||
|
@@ -1055,12 +1071,12 @@ final class TaskRecord {
|
|||
|
// utility activities.
|
|||
|
int activityNdx;
|
|||
|
final int numActivities = mActivities.size();
|
|||
|
- final boolean relinquish = numActivities == 0 ? false :
|
|||
|
- (mActivities.get(0).info.flags & ActivityInfo.FLAG_RELINQUISH_TASK_IDENTITY) != 0;
|
|||
|
- for (activityNdx = Math.min(numActivities, 1); activityNdx < numActivities;
|
|||
|
- ++activityNdx) {
|
|||
|
+ for (activityNdx = 0; activityNdx < numActivities; ++activityNdx) {
|
|||
|
final ActivityRecord r = mActivities.get(activityNdx);
|
|||
|
- if (relinquish && (r.info.flags & ActivityInfo.FLAG_RELINQUISH_TASK_IDENTITY) == 0) {
|
|||
|
+ if ((r.info.flags & ActivityInfo.FLAG_RELINQUISH_TASK_IDENTITY) == 0
|
|||
|
+ || (r.info.applicationInfo.uid != Process.SYSTEM_UID
|
|||
|
+ && !r.info.applicationInfo.isSystemApp()
|
|||
|
+ && r.info.applicationInfo.uid != effectiveUid)) {
|
|||
|
// This will be the top activity for determining taskDescription. Pre-inc to
|
|||
|
// overcome initial decrement below.
|
|||
|
++activityNdx;
|
|||
|
@@ -1109,15 +1125,27 @@ final class TaskRecord {
|
|||
|
int findEffectiveRootIndex() {
|
|||
|
int effectiveNdx = 0;
|
|||
|
final int topActivityNdx = mActivities.size() - 1;
|
|||
|
+ ActivityRecord root = null;
|
|||
|
for (int activityNdx = 0; activityNdx <= topActivityNdx; ++activityNdx) {
|
|||
|
final ActivityRecord r = mActivities.get(activityNdx);
|
|||
|
if (r.finishing) {
|
|||
|
continue;
|
|||
|
}
|
|||
|
- effectiveNdx = activityNdx;
|
|||
|
- if ((r.info.flags & ActivityInfo.FLAG_RELINQUISH_TASK_IDENTITY) == 0) {
|
|||
|
+
|
|||
|
+ if (root == null) {
|
|||
|
+ // Set this as the candidate root since it isn't finishing.
|
|||
|
+ root = r;
|
|||
|
+ effectiveNdx = activityNdx;
|
|||
|
+ }
|
|||
|
+ final int uid = root == r ? effectiveUid : r.info.applicationInfo.uid;
|
|||
|
+ if ((root.info.flags & ActivityInfo.FLAG_RELINQUISH_TASK_IDENTITY) == 0
|
|||
|
+ || (root.info.applicationInfo.uid != Process.SYSTEM_UID
|
|||
|
+ && !root.info.applicationInfo.isSystemApp()
|
|||
|
+ && root.info.applicationInfo.uid != uid)) {
|
|||
|
break;
|
|||
|
}
|
|||
|
+ effectiveNdx = activityNdx;
|
|||
|
+ root = r;
|
|||
|
}
|
|||
|
return effectiveNdx;
|
|||
|
}
|