From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Jeff Chang Date: Wed, 29 Sep 2021 16:49:00 +0800 Subject: [PATCH] Only allow system and same app to apply relinquishTaskIdentity MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Any malicious application could hijack tasks by android:relinquishTaskIdentity. This vulnerability can perform UI spoofing or spy on user’s activities. This CL limit the usage which only allow system and same app to apply relinquishTaskIdentity Bug: 185810717 Test: atest IntentTests atest ActivityStarterTests Change-Id: I55fe8938cd9a0dd7c0268e1cfec89d4e95eee049 (cherry picked from commit cd1f9e72cf9752c9a31e990822ab34ae3d475fec) Merged-In: I55fe8938cd9a0dd7c0268e1cfec89d4e95eee049 --- .../com/android/server/am/TaskRecord.java | 51 ++++++++++++++----- 1 file changed, 39 insertions(+), 12 deletions(-) diff --git a/services/core/java/com/android/server/am/TaskRecord.java b/services/core/java/com/android/server/am/TaskRecord.java index f83310954c3d..d44f4e3eacbb 100644 --- a/services/core/java/com/android/server/am/TaskRecord.java +++ b/services/core/java/com/android/server/am/TaskRecord.java @@ -40,6 +40,7 @@ import android.graphics.Point; import android.graphics.Rect; import android.os.Debug; import android.os.ParcelFileDescriptor; +import android.os.Process; import android.os.RemoteException; import android.os.Trace; import android.os.UserHandle; @@ -190,6 +191,11 @@ final class TaskRecord extends ConfigurationContainer implements TaskWindowConta // Do not move the stack as a part of reparenting public static final int REPARENT_LEAVE_STACK_IN_PLACE = 2; + /** + * Used to identify if the activity that is installed from device's system image. + */ + boolean mIsEffectivelySystemApp; + final int taskId; // Unique identifier for this task. String affinity; // The affinity name for this task, or null; may change identity. String rootAffinity; // Initial base affinity, or null; does not change from initial root. @@ -791,16 +797,24 @@ final class TaskRecord extends ConfigurationContainer implements TaskWindowConta /** Sets the original intent, and the calling uid and package. */ void setIntent(ActivityRecord r) { - mCallingUid = r.launchedFromUid; - mCallingPackage = r.launchedFromPackage; - setIntent(r.intent, r.info); + boolean updateIdentity = false; + if (this.intent == null) { + updateIdentity = true; + } else if (!mNeverRelinquishIdentity) { + updateIdentity = (effectiveUid == Process.SYSTEM_UID || mIsEffectivelySystemApp + || effectiveUid == r.info.applicationInfo.uid); + } + if (updateIdentity) { + mCallingUid = r.launchedFromUid; + mCallingPackage = r.launchedFromPackage; + setIntent(r.intent, r.info); + } } /** Sets the original intent, _without_ updating the calling uid or package. */ private void setIntent(Intent _intent, ActivityInfo info) { if (intent == null) { - mNeverRelinquishIdentity = - (info.flags & FLAG_RELINQUISH_TASK_IDENTITY) == 0; + mNeverRelinquishIdentity = (info.flags & FLAG_RELINQUISH_TASK_IDENTITY) == 0; } else if (mNeverRelinquishIdentity) { return; } @@ -813,6 +827,7 @@ final class TaskRecord extends ConfigurationContainer implements TaskWindowConta rootAffinity = affinity; } effectiveUid = info.applicationInfo.uid; + mIsEffectivelySystemApp = info.applicationInfo.isSystemApp(); stringName = null; if (info.targetActivity == null) { @@ -1648,12 +1663,12 @@ final class TaskRecord extends ConfigurationContainer implements TaskWindowConta // utility activities. int activityNdx; final int numActivities = mActivities.size(); - final boolean relinquish = numActivities != 0 && - (mActivities.get(0).info.flags & FLAG_RELINQUISH_TASK_IDENTITY) != 0; - for (activityNdx = Math.min(numActivities, 1); activityNdx < numActivities; - ++activityNdx) { + for (activityNdx = 0; activityNdx < numActivities; ++activityNdx) { final ActivityRecord r = mActivities.get(activityNdx); - if (relinquish && (r.info.flags & FLAG_RELINQUISH_TASK_IDENTITY) == 0) { + if ((r.info.flags & FLAG_RELINQUISH_TASK_IDENTITY) == 0 + || (r.info.applicationInfo.uid != Process.SYSTEM_UID + && !r.info.applicationInfo.isSystemApp() + && r.info.applicationInfo.uid != effectiveUid)) { // This will be the top activity for determining taskDescription. Pre-inc to // overcome initial decrement below. ++activityNdx; @@ -1711,15 +1726,27 @@ final class TaskRecord extends ConfigurationContainer implements TaskWindowConta int findEffectiveRootIndex() { int effectiveNdx = 0; final int topActivityNdx = mActivities.size() - 1; + ActivityRecord root = null; for (int activityNdx = 0; activityNdx <= topActivityNdx; ++activityNdx) { final ActivityRecord r = mActivities.get(activityNdx); if (r.finishing) { continue; } - effectiveNdx = activityNdx; - if ((r.info.flags & FLAG_RELINQUISH_TASK_IDENTITY) == 0) { + + if (root == null) { + // Set this as the candidate root since it isn't finishing. + root = r; + effectiveNdx = activityNdx; + } + final int uid = root == r ? effectiveUid : r.info.applicationInfo.uid; + if ((root.info.flags & FLAG_RELINQUISH_TASK_IDENTITY) == 0 + || (root.info.applicationInfo.uid != Process.SYSTEM_UID + && !root.info.applicationInfo.isSystemApp() + && root.info.applicationInfo.uid != uid)) { break; } + effectiveNdx = activityNdx; + root = r; } return effectiveNdx; }