From b255e64a5d282f860bd58ae8f85158b5badce7ba Mon Sep 17 00:00:00 2001
From: Bryan Ferris
Date: Tue, 4 Jun 2019 18:02:55 -0700
Subject: [PATCH] [RESTRICT AUTOMERGE] Pass correct realCallingUid to startActivity() if provided by PendingIntentRecord#sendInner()

Previously we'd ignore realCallingPid and realCallingUid that PendingIntentRecord#sendInner() provided to startActivityInPackage(). Now we correctly pass it on, preserving past behaviour if none provided.

Test: manual; we added logging statements to check the value of realCallingUid in startActivitiesMayWait when launching the calendar app from the calendar widget and verified that it was the calendar uid rather than the system uid.
Bug: 123013720
Change-Id: If0c0b67880c2e7a8774f31fbb1ba5f50544d2972
---
 .../android/server/am/ActivityManagerService.java | 7 +++--
 .../android/server/am/ActivityStartController.java | 28 +++++++++++++------
 .../com/android/server/am/ActivityStarter.java | 32 ++++++++++++++--------
 .../com/android/server/am/PendingIntentRecord.java | 4 +--
 4 files changed, 46 insertions(+), 25 deletions(-)

diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
index 32cc605867ce..95c9e8db2a7b 100644
--- a/services/core/java/com/android/server/am/ActivityManagerService.java
+++ b/services/core/java/com/android/server/am/ActivityManagerService.java
@@ -5607,9 +5607,10 @@ public class ActivityManagerService extends IActivityManager.Stub
 userId = mUserController.handleIncomingUser(Binder.getCallingPid(), Binder.getCallingUid(), userId, false, ALLOW_FULL_ONLY, reason, null);
 // TODO: Switch to user app stacks here.
- int ret = mActivityStartController.startActivities(caller, -1, callingPackage,
- intents, resolvedTypes, resultTo, SafeActivityOptions.fromBundle(bOptions), userId,
- reason, null /* originatingPendingIntent */);
+ int ret = mActivityStartController.startActivities(caller, -1, 0,
+ UserHandle.USER_NULL, callingPackage, intents, resolvedTypes, resultTo,
+ SafeActivityOptions.fromBundle(bOptions), userId, reason,
+ null /* originatingPendingIntent */);
 return ret;
 }
diff --git a/services/core/java/com/android/server/am/ActivityStartController.java b/services/core/java/com/android/server/am/ActivityStartController.java
index edcf6e7bd516..c926503da27d 100644
--- a/services/core/java/com/android/server/am/ActivityStartController.java
+++ b/services/core/java/com/android/server/am/ActivityStartController.java
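Review bot: The two new sentinel arguments on the `startActivities` call, `0` and `UserHandle.USER_NULL`, are passed as bare literals with nothing saying they mean "no explicit real caller", even though the same call already annotates `null /* originatingPendingIntent */`. Suggest `caller, -1, 0 /* realCallingPid */,` and `UserHandle.USER_NULL /* realCallingUid */, callingPackage, intents, resolvedTypes, resultTo,` so a reader does not have to open ActivityStartController to learn which parameter each literal feeds. The enclosing method starts before this hunk.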
@@ -286,20 +286,29 @@ public class ActivityStartController {
 final int startActivitiesInPackage(int uid, String callingPackage, Intent[] intents, String[] resolvedTypes, IBinder resultTo, SafeActivityOptions options, int userId, boolean validateIncomingUser, PendingIntentRecord originatingPendingIntent) {
+ return startActivitiesInPackage(uid, 0, UserHandle.USER_NULL,
+ callingPackage, intents, resolvedTypes, resultTo, options, userId,
+ validateIncomingUser, originatingPendingIntent);
+ }
+ final int startActivitiesInPackage(int uid, int realCallingPid, int realCallingUid,
+ String callingPackage, Intent[] intents, String[] resolvedTypes, IBinder resultTo,
+ SafeActivityOptions options, int userId, boolean validateIncomingUser,
+ PendingIntentRecord originatingPendingIntent) {
 final String reason = "startActivityInPackage";
 userId = checkTargetUser(userId, validateIncomingUser, Binder.getCallingPid(), Binder.getCallingUid(), reason);
 // TODO: Switch to user app stacks here.
- return startActivities(null, uid, callingPackage, intents, resolvedTypes, resultTo, options,
- userId, reason, originatingPendingIntent);
+ return startActivities(null, uid, realCallingPid, realCallingUid, callingPackage, intents,
+ resolvedTypes, resultTo, options, userId, reason, originatingPendingIntent);
 }
- int startActivities(IApplicationThread caller, int callingUid, String callingPackage,
- Intent[] intents, String[] resolvedTypes, IBinder resultTo, SafeActivityOptions options,
- int userId, String reason, PendingIntentRecord originatingPendingIntent) {
+ int startActivities(IApplicationThread caller, int callingUid, int incomingRealCallingPid,
+ int incomingRealCallingUid, String callingPackage, Intent[] intents, String[] resolvedTypes,
+ IBinder resultTo, SafeActivityOptions options, int userId, String reason,
+ PendingIntentRecord originatingPendingIntent) {
 if (intents == null) {
 throw new NullPointerException("intents is null");
 }
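Review bot: The new three-argument `startActivitiesInPackage` overload and the widened `startActivities` carry no Javadoc explaining `realCallingPid`/`realCallingUid` (or `incomingRealCallingPid`/`incomingRealCallingUid`) and which values mean "not supplied", and the delegating overload repeats `0` and `UserHandle.USER_NULL` as bare literals. The ActivityStarter hunk in this same patch names those sentinels `Request.DEFAULT_REAL_CALLING_PID`/`UID`, but `Request` is a `private static class`, so this file cannot reference them and the two copies can drift apart silently. I would add a Javadoc to the wider overload along the lines of `@param realCallingUid uid of the process that actually triggered the start (e.g. the sender of a PendingIntent), or UserHandle.USER_NULL to fall back to the Binder calling identity`, with the matching note for the pid and `0`, and consider hoisting the two sentinels into a package-visible constant both files share.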
@@ -310,9 +319,12 @@ public class ActivityStartController {
 throw new IllegalArgumentException("intents are length different than resolvedTypes");
 }
- final int realCallingPid = Binder.getCallingPid();
- final int realCallingUid = Binder.getCallingUid();
-
+ final int realCallingPid = incomingRealCallingPid != 0
+ ? incomingRealCallingPid
+ : Binder.getCallingPid();
+ final int realCallingUid = incomingRealCallingUid != UserHandle.USER_NULL
+ ? incomingRealCallingUid
+ : Binder.getCallingUid();
 int callingPid;
 if (callingUid >= 0) {
 callingPid = -1;
diff --git a/services/core/java/com/android/server/am/ActivityStarter.java b/services/core/java/com/android/server/am/ActivityStarter.java
index a739af91318a..0be27d197ab0 100644
--- a/services/core/java/com/android/server/am/ActivityStarter.java
+++ b/services/core/java/com/android/server/am/ActivityStarter.java
@@ -282,6 +282,8 @@ class ActivityStarter {
 * execution.
 */
 private static class Request {
+ static final int DEFAULT_REAL_CALLING_PID = 0;
+ static final int DEFAULT_REAL_CALLING_UID = UserHandle.USER_NULL;
 private static final int DEFAULT_CALLING_UID = -1;
 private static final int DEFAULT_CALLING_PID = 0;
@@ -296,11 +298,11 @@ class ActivityStarter {
 IBinder resultTo;
 String resultWho;
 int requestCode;
- int callingPid = DEFAULT_CALLING_UID;
- int callingUid = DEFAULT_CALLING_PID;
+ int callingPid = DEFAULT_CALLING_PID;
+ int callingUid = DEFAULT_CALLING_UID;
 String callingPackage;
- int realCallingPid;
- int realCallingUid;
+ int realCallingPid = Request.DEFAULT_REAL_CALLING_PID;
+ int realCallingUid = Request.DEFAULT_REAL_CALLING_UID;
 int startFlags;
 SafeActivityOptions activityOptions;
 boolean ignoreTargetSecurity;
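Review bot: The fallback uses two different "unset" sentinels, `0` for the pid and `UserHandle.USER_NULL` for the uid, and nothing in the hunk says why they differ. A uid of 0 (root) may well be a legitimate caller here, so treating 0 as "unset" for the uid would be wrong, whereas a Binder caller is not expected to report pid 0; that reasoning belongs in a comment such as `// An explicitly supplied real-caller identity wins over the Binder identity; uid 0 is a valid caller, so the uid sentinel is USER_NULL rather than 0.` above the `realCallingPid` declaration. The enclosing `startActivities` method starts before this hunk.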
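Review bot: The two new constants are declared `static final` with package visibility while the adjacent `DEFAULT_CALLING_UID`/`DEFAULT_CALLING_PID` are `private static final`. Every use this patch adds is inside ActivityStarter (the `Request` initialisers, `reset()` and `computeResolveFilterUid`), and Java lets the enclosing class read a nested class's private members, so `private static final int DEFAULT_REAL_CALLING_PID = 0;` and `private static final int DEFAULT_REAL_CALLING_UID = UserHandle.USER_NULL;` would keep the surface consistent. A one-line comment that these are the "no explicit real caller" markers `startActivityMayWait` falls back on would also help the next reader.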
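Review bot: The `realCallingPid`/`realCallingUid` initialisers use the qualified `Request.DEFAULT_REAL_CALLING_PID` form from inside `Request` itself, while the corrected `callingPid = DEFAULT_CALLING_PID;` two lines above uses the unqualified name; `int realCallingPid = DEFAULT_REAL_CALLING_PID;` and `int realCallingUid = DEFAULT_REAL_CALLING_UID;` would read consistently. Separately, un-swapping the `callingPid`/`callingUid` initialisers is a correctness fix in its own right (with the values shown above, the old code started `callingPid` at -1 and `callingUid` at 0, presumably until `reset()` ran) that the commit description does not mention; it deserves a sentence there.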
@@ -354,8 +356,8 @@ class ActivityStarter {
 callingPid = DEFAULT_CALLING_PID;
 callingUid = DEFAULT_CALLING_UID;
 callingPackage = null;
- realCallingPid = 0;
- realCallingUid = 0;
+ realCallingPid = Request.DEFAULT_REAL_CALLING_PID;
+ realCallingUid = Request.DEFAULT_REAL_CALLING_UID;
 startFlags = 0;
 activityOptions = null;
 ignoreTargetSecurity = false;
@@ -370,7 +372,7 @@ class ActivityStarter {
 mayWait = false;
 avoidMoveToFront = false;
 allowPendingRemoteAnimationRegistryLookup = true;
- filterCallingUid = UserHandle.USER_NULL;
+ filterCallingUid = DEFAULT_REAL_CALLING_UID;
 originatingPendingIntent = null;
 }
@@ -488,7 +490,8 @@ class ActivityStarter {
 // for transactional diffs and preprocessing.
 if (mRequest.mayWait) {
 return startActivityMayWait(mRequest.caller, mRequest.callingUid,
- mRequest.callingPackage, mRequest.intent, mRequest.resolvedType,
+ mRequest.callingPackage, mRequest.realCallingPid, mRequest.realCallingUid,
+ mRequest.intent, mRequest.resolvedType,
 mRequest.voiceSession, mRequest.voiceInteractor, mRequest.resultTo, mRequest.resultWho, mRequest.requestCode, mRequest.startFlags, mRequest.profilerInfo, mRequest.waitResult, mRequest.globalConfig,
@@ -999,7 +1002,8 @@ class ActivityStarter {
 }
 private int startActivityMayWait(IApplicationThread caller, int callingUid,
- String callingPackage, Intent intent, String resolvedType,
+ String callingPackage, int requestRealCallingPid, int requestRealCallingUid,
+ Intent intent, String resolvedType,
 IVoiceInteractionSession voiceSession, IVoiceInteractor voiceInteractor, IBinder resultTo, String resultWho, int requestCode, int startFlags, ProfilerInfo profilerInfo, WaitResult outResult,
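Review bot: `filterCallingUid = DEFAULT_REAL_CALLING_UID;` (and the matching comparison in `computeResolveFilterUid` later in this patch) ties the "no filter uid" marker to a constant named for a different field; the two happen to share the value `UserHandle.USER_NULL`, but nothing requires them to. If someone later changes the real-caller sentinel, `computeResolveFilterUid` would silently stop recognising an unset filter uid. Either keep the literal `UserHandle.USER_NULL` here, or introduce `private static final int DEFAULT_FILTER_CALLING_UID = UserHandle.USER_NULL;` and use it at both sites. The enclosing `reset()` starts before this hunk.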
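Review bot: `startActivityMayWait` now takes `requestRealCallingPid`/`requestRealCallingUid` after `callingPackage`, whereas `ActivityStartController.startActivities` in this same patch places `realCallingPid`/`realCallingUid` before `callingPackage`; with three adjacent `int` parameters in a positional call, a mis-ordered argument compiles cleanly and silently hands the wrong identity to whatever downstream checks consume it. Aligning the order with `startActivities` (`int callingUid, int requestRealCallingPid, int requestRealCallingUid, String callingPackage, ...`) and updating the one call site in `execute` keeps the two entry points parallel. The parameter list continues past the end of this hunk.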
@@ -1014,8 +1018,12 @@ class ActivityStarter {
 mSupervisor.getActivityMetricsLogger().notifyActivityLaunching();
 boolean componentSpecified = intent.getComponent() != null;
- final int realCallingPid = Binder.getCallingPid();
- final int realCallingUid = Binder.getCallingUid();
+ final int realCallingPid = requestRealCallingPid != Request.DEFAULT_REAL_CALLING_PID
+ ? requestRealCallingPid
+ : Binder.getCallingPid();
+ final int realCallingUid = requestRealCallingUid != Request.DEFAULT_REAL_CALLING_UID
+ ? requestRealCallingUid
+ : Binder.getCallingUid();
 int callingPid;
 if (callingUid >= 0) {
@@ -1242,7 +1250,7 @@ class ActivityStarter {
 */
 static int computeResolveFilterUid(int customCallingUid, int actualCallingUid, int filterCallingUid) {
- return filterCallingUid != UserHandle.USER_NULL
+ return filterCallingUid != Request.DEFAULT_REAL_CALLING_UID
 ? filterCallingUid
 : (customCallingUid >= 0 ? customCallingUid : actualCallingUid);
 }
diff --git a/services/core/java/com/android/server/am/PendingIntentRecord.java b/services/core/java/com/android/server/am/PendingIntentRecord.java
index 4e00304a9da6..81efbf385650 100644
--- a/services/core/java/com/android/server/am/PendingIntentRecord.java
+++ b/services/core/java/com/android/server/am/PendingIntentRecord.java
@@ -344,8 +344,8 @@ final class PendingIntentRecord extends IIntentSender.Stub {
 allResolvedTypes[allResolvedTypes.length-1] = resolvedType;
 res = owner.getActivityStartController().startActivitiesInPackage(
- uid, key.packageName, allIntents, allResolvedTypes,
- resultTo, mergedOptions, userId,
+ uid, callingPid, callingUid, key.packageName, allIntents,
+ allResolvedTypes, resultTo, mergedOptions, userId,
 false /* validateIncomingUser */, this /* originatingPendingIntent */);
 } else {
-- 
2.11.0
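Review bot: The new fallback needs a why-comment: nothing near `final int realCallingPid = ...` says that the `Request`-supplied identity is preferred because, per the commit description, `Binder.getCallingUid()` at this point is the system's own uid when the start originates from a PendingIntent send. Suggest `// Prefer the real caller the request recorded (e.g. from PendingIntentRecord#sendInner); for a PendingIntent send the Binder identity is the system's, not the sending app's.` above the declaration. Because these values override the Binder identity, the `Request` fields should also be documented as settable only from trusted in-process sources — a future builder that copied them from an IPC argument would let a caller choose the identity used downstream. `startActivityMayWait` starts before this hunk.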
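Review bot: Only the `startActivitiesInPackage` call is given `callingPid, callingUid`; the `} else {` branch immediately after it is outside the hunk, and the diffstat together with the ActivityStartController hunks shows no other entry point gained the real-caller parameters in this patch, so whatever that branch calls (presumably the single-intent `startActivityInPackage`) still falls back to the Binder identity. If that is the single-intent PendingIntent path, the fix is incomplete for the common case and should be extended the same way. It is also not visible here where `callingPid`/`callingUid` come from — `sendInner` starts before the hunk — and they must be the identity of the process that invoked `send()`, captured before any identity clearing the method may do, for the new value to be meaningful.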