From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Edgar Wang Date: Wed, 6 Apr 2022 17:30:27 +0800 Subject: [PATCH] Fix LaunchAnyWhere in AppRestrictionsFragment If the intent's package equals to the app's package, this intent will be allowed to startActivityForResult. But this check is unsafe, because if the component of this intent is set, the package field will just be ignored. So if we set the component to any activity we like and set package to the app's package, it will pass the assertSafeToStartCustomActivity check and now we can launch anywhere. Bug: 223578534 Test: robotest and manual verify Change-Id: I40496105bae313fe5cff2a36dfe329c1e2b5bbe4 (cherry picked from commit 90e095dbe372f29823ad4788c0cc2d781ae3bb24) (cherry picked from commit b3eecdd13d9f3d9fde99e9881c9e451ff199f7ad) Merged-In: I40496105bae313fe5cff2a36dfe329c1e2b5bbe4 --- src/com/android/settings/users/AppRestrictionsFragment.java | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/src/com/android/settings/users/AppRestrictionsFragment.java b/src/com/android/settings/users/AppRestrictionsFragment.java index 10d714401e..bf0f3da8d0 100644 --- a/src/com/android/settings/users/AppRestrictionsFragment.java +++ b/src/com/android/settings/users/AppRestrictionsFragment.java @@ -654,10 +654,7 @@ public class AppRestrictionsFragment extends SettingsPreferenceFragment implemen } private void assertSafeToStartCustomActivity(Intent intent) { - // Activity can be started if it belongs to the same app - if (intent.getPackage() != null && intent.getPackage().equals(packageName)) { - return; - } + EventLog.writeEvent(0x534e4554, "223578534", -1 /* UID */, ""); ResolveInfo resolveInfo = mPackageManager.resolveActivity( intent, PackageManager.MATCH_DEFAULT_ONLY);