From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Nan Wu Date: Tue, 30 Apr 2024 17:20:29 +0000 Subject: [PATCH] RESTRICT AUTOMERGE Backport preventing BAL bypass via bound service Apply similar fix for WallpaperService to TextToSpeech Service, Job Service, Print Service, Sync Service and MediaRoute2Provider Service Bug: 232798473, 232798676, 336490997 Test: Manual test. BackgroundActivityLaunchTest (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8fdf4a345e140eba9b4e736d24ab95c67c55a247) Merged-In: Ib113e45aa18296b4475b90d6dcec5dd5664f4c80 Change-Id: Ib113e45aa18296b4475b90d6dcec5dd5664f4c80 --- .../service/java/com/android/server/job/JobServiceContext.java | 2 +- services/core/java/com/android/server/content/SyncManager.java | 3 ++- .../android/server/media/MediaRoute2ProviderServiceProxy.java | 3 ++- .../java/com/android/server/print/RemotePrintService.java | 3 ++- 4 files changed, 7 insertions(+), 4 deletions(-) diff --git a/apex/jobscheduler/service/java/com/android/server/job/JobServiceContext.java b/apex/jobscheduler/service/java/com/android/server/job/JobServiceContext.java index 565ed959aeb4..51ffc7f9379c 100644 --- a/apex/jobscheduler/service/java/com/android/server/job/JobServiceContext.java +++ b/apex/jobscheduler/service/java/com/android/server/job/JobServiceContext.java @@ -252,7 +252,7 @@ public final class JobServiceContext implements ServiceConnection { try { binding = mContext.bindServiceAsUser(intent, this, Context.BIND_AUTO_CREATE | Context.BIND_NOT_FOREGROUND - | Context.BIND_NOT_PERCEPTIBLE, + | Context.BIND_NOT_PERCEPTIBLE | Context.BIND_DENY_ACTIVITY_STARTS, UserHandle.of(job.getUserId())); } catch (SecurityException e) { // Some permission policy, for example INTERACT_ACROSS_USERS and diff --git a/services/core/java/com/android/server/content/SyncManager.java b/services/core/java/com/android/server/content/SyncManager.java index ec12a971e445..7ce610426237 100644 --- a/services/core/java/com/android/server/content/SyncManager.java +++ b/services/core/java/com/android/server/content/SyncManager.java @@ -221,7 +221,8 @@ public class SyncManager { /** Flags used when connecting to a sync adapter service */ private static final int SYNC_ADAPTER_CONNECTION_FLAGS = Context.BIND_AUTO_CREATE - | Context.BIND_NOT_FOREGROUND | Context.BIND_ALLOW_OOM_MANAGEMENT; + | Context.BIND_NOT_FOREGROUND | Context.BIND_ALLOW_OOM_MANAGEMENT + | Context.BIND_DENY_ACTIVITY_STARTS; /** Singleton instance. */ @GuardedBy("SyncManager.class") diff --git a/services/core/java/com/android/server/media/MediaRoute2ProviderServiceProxy.java b/services/core/java/com/android/server/media/MediaRoute2ProviderServiceProxy.java index ab38dca2387d..66502179ba89 100644 --- a/services/core/java/com/android/server/media/MediaRoute2ProviderServiceProxy.java +++ b/services/core/java/com/android/server/media/MediaRoute2ProviderServiceProxy.java @@ -224,7 +224,8 @@ final class MediaRoute2ProviderServiceProxy extends MediaRoute2Provider service.setComponent(mComponentName); try { mBound = mContext.bindServiceAsUser(service, this, - Context.BIND_AUTO_CREATE | Context.BIND_FOREGROUND_SERVICE, + Context.BIND_AUTO_CREATE | Context.BIND_FOREGROUND_SERVICE + | Context.BIND_DENY_ACTIVITY_STARTS, new UserHandle(mUserId)); if (!mBound && DEBUG) { Slog.d(TAG, this + ": Bind failed"); diff --git a/services/print/java/com/android/server/print/RemotePrintService.java b/services/print/java/com/android/server/print/RemotePrintService.java index 502cd2c60f4a..702ddbb9f912 100644 --- a/services/print/java/com/android/server/print/RemotePrintService.java +++ b/services/print/java/com/android/server/print/RemotePrintService.java @@ -572,7 +572,8 @@ final class RemotePrintService implements DeathRecipient { boolean wasBound = mContext.bindServiceAsUser(mIntent, mServiceConnection, Context.BIND_AUTO_CREATE | Context.BIND_FOREGROUND_SERVICE - | Context.BIND_INCLUDE_CAPABILITIES | Context.BIND_ALLOW_INSTANT, + | Context.BIND_INCLUDE_CAPABILITIES | Context.BIND_ALLOW_INSTANT + | Context.BIND_DENY_ACTIVITY_STARTS, new UserHandle(mUserId)); if (!wasBound) {