From ad02e59ac2cd3e6180e02fd60e6dedd8177c7b6e Mon Sep 17 00:00:00 2001
From: Varun Shah <varunshah@google.com>
Date: Fri, 26 Oct 2018 17:03:23 -0700
Subject: [PATCH] RESTRICT AUTOMERGE: Added an app id security check in
 isAppForeground.

ActivityManagerService#isAppForeground now checks if the caller has the
permission to view if an app is in the foreground.

Bug: 115384617
Test: cts-tradefed run cts -m CtsSecurityTestCases -t android.security.cts.ActivityManagerTest#testIsAppInForegroundNormal
Test: cts-tradefed run cts -m CtsSecurityTestCases -t android.security.cts.ActivityManagerTest#testIsAppInForegroundMalicious
Change-Id: I9602c89b2d40036e525c38960a08326dc74c6682
---
 core/java/android/os/UserHandle.java                        | 13 +++++++++++++
 .../java/com/android/server/am/ActivityManagerService.java  |  8 ++++++++
 2 files changed, 21 insertions(+)

diff --git a/core/java/android/os/UserHandle.java b/core/java/android/os/UserHandle.java
index e8ebf6312cdd..f36cf1ca2bef 100644
--- a/core/java/android/os/UserHandle.java
+++ b/core/java/android/os/UserHandle.java
@@ -132,6 +132,19 @@ public final class UserHandle implements Parcelable {
     }
 
     /**
+     * Whether a UID belongs to a system core component or not.
+     * @hide
+     */
+    public static boolean isCore(int uid) {
+        if (uid >= 0) {
+            final int appId = getAppId(uid);
+            return appId < Process.FIRST_APPLICATION_UID;
+        } else {
+            return false;
+        }
+    }
+
+    /**
      * Returns the user for a given uid.
      * @param uid A uid for an application running in a particular user.
      * @return A {@link UserHandle} for that user.
diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
index c4a968e4d86c..a89015b7ac99 100644
--- a/services/core/java/com/android/server/am/ActivityManagerService.java
+++ b/services/core/java/com/android/server/am/ActivityManagerService.java
@@ -7846,6 +7846,14 @@ public class ActivityManagerService extends IActivityManager.Stub
 
     @Override
     public boolean isAppForeground(int uid) throws RemoteException {
+        int callerUid = Binder.getCallingUid();
+        if (UserHandle.isCore(callerUid) || callerUid == uid) {
+            return isAppForegroundInternal(uid);
+        }
+        return false;
+    }
+
+    private boolean isAppForegroundInternal(int uid) {
         synchronized (this) {
             UidRecord uidRec = mActiveUids.get(uid);
             if (uidRec == null || uidRec.idle) {
-- 
2.11.0